Web application risks and security guidelines by the OWASP Top 10 Project
Next-generation web applications are more powerful than ever, but that also means they have more complex code and a greater risk of coding flaws that lead to security vulnerabilities within the application. Web application vulnerabilities are exploited by malicious attackers seeking to profit from the activity. Secure network architectures need to evolve constantly to keep up with the latest advanced persistent threats.
Open Web Application Security Project (OWASP) goals
The Open Web Application Security Project (OWASP) is a worldwide organization focused on improving the security of web applications. OWASP periodically publishes the OWASP Top 10 – a consensus list of the ten most critical web application security flaws. The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks organizations are facing.
Web application attacks as per OWASP Top 10
OWASP identified the following top vulnerabilities, based on security challenges arising from denial of service against legitimate users, database compromise, breaches of access control, session hijacking and multiple authentications.
Top OWASP vulnerabilities
Apart from the above vulnerabilities, OWASP also lists risks due to Security Misconfiguration, Sensitive Data Exposure and Using Components with Known Vulnerabilities, briefly described below.
Security Misconfiguration covers how configurable settings within the application are handled. Applications are often developed on top of existing frameworks (for example .NET), and if an exploit is discovered for such a widely used framework it becomes a broadly prevalent security issue that gives attackers a known starting point for intrusion. Common examples include unprotected files and directories, not enforcing HTTP Strict Transport Security (HSTS), and missing perfect forward secrecy (PFS).
Security hardening must be performed for all components of a web application: unneeded daemons and libraries must be disabled or removed, directory browsing must be checked and disabled where it is not required, and files exposed at different authorization levels must have correct folder permissions. The principle of least privilege must be followed, with role-based access control.
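The checks above (HSTS enforcement, directory browsing, unneeded exposure) are the kind of thing a hardening audit can verify mechanically. The following is an added example, not code from the original article or from OWASP or Juniper: a small Python audit that inspects recorded HTTP responses for three misconfiguration signals. It goes slightly beyond the paragraph by also flagging a version-bearing Server header, a common hardening check. The sample responses are constructed for the example, and the one-year HSTS threshold is an assumption taken from common deployment guidance.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real host): each is the
# status, response headers and first bytes of the body as an in-house scanner
# running in the organisation's own CI might record them.
SAMPLE_RESPONSES = {
    "misconfigured": {
        "status": 200,
        "headers": {
            "Server": "Apache/2.4.41 (Ubuntu)",
            "Content-Type": "text/html",
        },
        "body": "<html><head><title>Index of /backup</title></head>",
    },
    "hardened": {
        "status": 200,
        "headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Type": "text/html",
        },
        "body": "<html><head><title>Welcome</title></head>",
    },
}

# Assumption: one year is the max-age most HSTS deployment guidance recommends.
MIN_HSTS_MAX_AGE = 31536000


def audit_response(resp: Dict) -> List[str]:
    """Return a list of misconfiguration findings for one recorded HTTP(S) response."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}

    # HSTS: the header must be present and its max-age must be long enough.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")

    # Directory browsing: the auto-generated index page of common web servers
    # carries an "Index of /..." title; a real app page should not.
    if re.search(r"<title>Index of /", resp["body"], re.IGNORECASE):
        findings.append("directory listing enabled")

    # Version disclosure: a Server header with a version string is the "known
    # starting point" the text warns about; hardening guides say to strip it.
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append("server version disclosed: " + server)

    return findings


def audit_all(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Audit every recorded response and map its name to its findings."""
    return {name: audit_response(r) for name, r in responses.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["no findings"])
```

Run it in a CI step against responses captured from a staging deployment and fail the build when any finding is returned; the hardened sample shows the shape of a clean result.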
Sensitive Data Exposure concerns entities that can gain access to data stored, in transit, or held in caches, which are often provisioned by HTTP browsers and databases. Data must be stored encrypted with a public key, and only the backend applications in the trust zone must be allowed to decrypt it with the private key. Data protection covers data at rest, data in transit, and even data held in browser caches.
Merely preserving data in a secure format is not sufficient, since any data stored securely is also retrieved automatically using the same SQL operations. All hashes must be salted; otherwise every unsalted hash can be exposed with a rainbow table of pre-calculated hashes.
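The salting point above is easiest to see with a tiny precomputed table. The block below is an added example, not code from the original article: it builds a toy table of unsalted SHA-256 digests for a few common passwords, shows that an unsalted digest is recovered by lookup while a salted PBKDF2 record is not, and verifies passwords in constant time. The password list and table are constructed for the example, and the 600,000-iteration count is an assumption based on current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed toy "rainbow table": unsalted SHA-256 digests of a few common
# passwords. Real precomputed tables hold billions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest_hex: str):
    """Recover a password from an unsalted SHA-256 digest by table lookup (None if absent)."""
    return PRECOMPUTED.get(digest_hex)


# Assumption: 600,000 iterations, the figure current OWASP guidance gives for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record 'salt_hex$iterations$digest_hex' with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Contrast an unsalted digest with two salted records for the same password."""
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    salted_a = hash_password("letmein")
    salted_b = hash_password("letmein")
    return {
        # The precomputed table recovers the unsalted digest immediately.
        "unsalted_recovered": lookup_unsalted(unsalted),
        # The same table cannot match a salted digest.
        "salted_recovered": lookup_unsalted(salted_a.split("$")[2]),
        # Two users with the same password get different records.
        "same_password_different_records": salted_a != salted_b,
        "verify_ok": verify_password("letmein", salted_a),
        "verify_wrong": verify_password("letmeout", salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored in the clear next to the digest; its job is not secrecy but making every record unique, so a single precomputed table cannot be reused across users.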
Using Components with Known Vulnerabilities covers the use of third-party components, frameworks, libraries or modules whose flaws make the application vulnerable. All such components inherit the full privileges of the application, so any compromised component opens a full-fledged backdoor for the attacker. Exploits for such vulnerabilities are usually already known and available, requiring little exploration and giving the attacker an easy starting point.
A recent example is the OpenSSL library flaw popularly known as the Heartbleed bug, which allowed widely trusted data encrypted with SSL/TLS to be compromised. Heartbleed allowed anyone on the internet to read the memory of systems protected by vulnerable versions of OpenSSL.
Similarly, the widely used Bash shell was also vulnerable: it allowed a remote attacker to set environment variables in a way that altered how processes are run. This exploit is popularly known as Shellshock.
Vulnerability assessment in Agile development cycle
Security issues arise as organizations move towards Agile environments. To improve the protection of web applications, existing DevOps efforts must be extended to include information security, becoming DevSecOps.
With DevSecOps, organizations can monitor, simulate attacks, and identify application security vulnerabilities throughout the CI/CD environment, achieving faster time to market while identifying risks within applications at the same time.
Static Application Security Testing (SAST) and Source Code Analysis (SCA) can be performed during continuous integration (CI) cycles, while Dynamic Application Security Testing (DAST) is provisioned to monitor production environments during the continuous deployment (CD) phase.
The time to discover and resolve application security vulnerabilities is reduced because of the shorter sprints, thereby reducing the window of exposure when code is released to production.
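The "components with known vulnerabilities" risk described earlier and the CI-stage checks described in this section meet in a dependency gate: a build step that compares every pinned component against an advisory feed and blocks the release on a match. The block below is an added example, not code from the original article or from any real scanner. The dependency list, package names and advisory identifiers are all constructed for the example; a real pipeline would read the pins from the repository and the advisories from a vulnerability database.

```python
from typing import Dict, List, Tuple

# Constructed sample input: a pinned dependency list as a CI job would read it
# from the repository. The package names are illustrative, not real projects.
REQUIREMENTS_TXT = """\
# application dependencies (constructed sample)
example-web-framework==2.3.1
example-template-lib==1.0.4
example-tls-wrapper==0.9.2
"""

# Constructed advisory feed: package -> list of (introduced, fixed, advisory id).
# A version v is affected when introduced <= v < fixed. The ids are placeholders.
ADVISORIES = {
    "example-template-lib": [("1.0.0", "1.0.5", "EXAMPLE-ADV-0001")],
    "example-tls-wrapper": [("0.0.0", "1.0.0", "EXAMPLE-ADV-0002")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a tuple so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map package name -> pinned version; unpinned lines are rejected so the gate stays meaningful."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every pin inside a known vulnerable range."""
    hits = []
    for name, version in pins.items():
        v = parse_version(version)
        for introduced, fixed, adv_id in advisories.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                hits.append((name, version, adv_id))
    return hits


def ci_gate(text: str = REQUIREMENTS_TXT) -> int:
    """Exit status for a CI step: 0 when clean, 1 when any component has a known advisory."""
    hits = find_vulnerable(parse_requirements(text))
    for name, version, adv_id in hits:
        print(f"BLOCK: {name}=={version} affected by {adv_id}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate())
```

Wire `ci_gate` into the CI job so a non-zero status stops the pipeline; the advisory range check is the part a production tool would replace with a maintained feed and a full version-comparison library.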
Securing networks for web applications with Juniper SDSN
Applications are often compromised by applying a series of such exploit techniques, frequently combining or leveraging vulnerabilities in networks. A vulnerability in a network allows a malicious user to exploit a host or an application, and vice versa. We have to consider the potential for an exploit to be leveraged by chaining vulnerabilities.
Secure web applications rely on secure networks; it is thus imperative that the networks where the applications are hosted are secure, since they are the critical line of defense.
Juniper has always been a strong provider of secure networks. Juniper Networks offers an industry-unique, centralized, adaptive Software-Defined Secure Network solution. It stops threats faster because threat intelligence feeds from multiple sources are aggregated into a common feed deployed in the cloud. Security policies are created dynamically, in real time, based on the emerging threat landscape at any given point in time.
This information is analyzed and instantly enforced at multiple points in the network through a single enforcement domain to mitigate zero-day threats. Every element in the Software-Defined Secure Network thus becomes a policy enforcement point, which is the future of securing networks and web services.
Web application attacks represent a significant risk to an organization, and there are potentially limitless exploit techniques. The most important design principle for application security is to identify the threats and the application's potentially vulnerable areas. Robust security principles and secure coding practices must be applied at every stage of software engineering practice. Importantly, the security of a secure web application must be supported by secure networks.
The OWASP Top 10 represents the most critical application vulnerabilities and provides an excellent reference point for assessing application security risks.
We must evaluate whether our applications meet security best practices and whether they protect against inadvertently introduced exploits.