How to ?

Published on June 15th, 2017 | by Technable

0

Why the OWASP Top 10 is a Reason to be Embarrassed


Why the OWASP Top 10 is a Reason to be Embarrassed

A charity with the noble goal of improving web security and raising awareness of some of the most common threats online, the Open Web Application Security Project (OWASP) faces a nearly insurmountable task, as evidenced by the fact that its list of the Top 10 Most Critical Web Application Security Risks still has a 15-year-old concern sitting at the very top, the persistent yet easy-to-defend-against SQL injection.

Web Application Firewall

Describing a way for hackers to access, change, or delete information from databases, the SQL injection technique was at the heart of data breaches at NASA and the FBI (1.6m accounts), Sony Pictures (1m), the forum of video game DOTA 2 (1.9m), Adobe (150,000), Patreon (15GB of user data), and hundreds of other companies around the world, despite the fact that solutions exist to deter or defend against them.

For example, using a web application firewall (WAF), businesses can filter web traffic through a cloud-based barrier, meaning that nefarious traffic is weeded out before it can reach critical systems. WAFs are increasingly available for properties both large and small.
“No lock 2” (CC BY 2.0) by Jens E.B

Girl on computer

GitHub

SQL injections have no real business causing issues for web users in 2017 but the blame arguably lies more with poorly trained developers than with companies themselves. An article in the Inquirer recently intimated that online PHP tutorials on GitHub, themselves written by programmers in various fields, had more than one hundred different security flaws in them. It’s a humiliating statistic that almost guarantees the permanence of SQL injections.

There’s also much to be said for the negative influence of corporate culture. For example, in an environment in which company chiefs don’t get bonuses if they miss important deadlines, cutting corners and skipping QA testing on new software is a common practice. In such a scenario, it’s easy to see how code vulnerabilities aren’t fixed and backdoors into databases get left behind on commercial websites.

Cross-site Scripting

android security

Continuing down the OWASP list, the situation doesn’t improve, with the second-most common security flaw involving broken authentication and session management. Put another way, it’s the failure to protect user credentials, which happens in cases such as sending sensitive information over unencrypted connections, making session IDs (a number that identifies an individual user) visible in URLs, or by leaving password recovery features unsecured.
“Checking Code” (CC BY 2.0) by boris.baldinger

OWASP’s third most dangerous threat is XSS or cross-site scripting, a bogeyman common to WordPress sites – unprotected plugins, in particular. Another injection technique, XSS attacks occur when a malicious user sends computer code to somebody else, often to their browser. Once the code is executed, the hacker can gain access to browser-relevant information like cookies or force the user to visit a site where malware is hosted or a phishing attempt could take place.

The above in mind, and with no hint that SQL injections are going away, the OWASP threat list is evidently a rogue’s gallery of careless practice on the part of developers – and something that’s worth being embarrassed about.


Tech News, Reviews, Tips and Tricks

Tags: , ,


About the Author



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑