Many web applications have security issues because of mistakes made by developers and system implementers. The types and number of vulnerabilities keep increasing alongside the latest technological improvements.
Some of the major vulnerabilities are:
SQL Injection - Back-end databases are compromised by threat agents sending malicious commands through the web application to the database's command interpreter.
Cross-Site Scripting (XSS) - Attackers take advantage of poor input validation in web forms to return malicious code to the web client's browser.
Insecure direct object reference - Attackers log in as an authorized system user, then change a parameter value that refers to another account, which can give them access to accounts they are not authorized to view.
Information leakage - An application vulnerability in which an application exposes sensitive data, such as technical application information, information about the surrounding network environment, or user-specific data.
Insufficient anti-automation - An application vulnerability that allows an attacker to automate a process intended for manual execution by a single user, letting the attacker overwhelm system resources and frequently resulting in what is commonly known as a denial of service (DoS) attack.
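To make the SQL injection item concrete, here is an added example (it is not code from the original post) showing a user lookup written two ways: one that splices the client-supplied value into the SQL text, and one that binds it as a parameter so the database never parses it as a command. The table, the `users` rows and the lookup function names are constructed for this illustration; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the client-supplied value becomes part of the SQL statement.

    Whatever the client sends is handed to the command interpreter as SQL,
    which is exactly the failure mode the post describes.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterised query.

    The statement text is fixed; the value travels separately and is treated
    as data, so it cannot change the query's structure.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(conn, username):
    """Run both lookups on the same input so the difference is visible."""
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "safe": lookup_safe(conn, username),
    }


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both functions return the single matching row.
    print(compare(db, "bob"))
    # Input containing a quote: the concatenated query returns every row,
    # the parameterised one returns nothing because no such username exists.
    print(compare(db, "x' OR '1'='1"))
```

The point to take from the comparison is that the parameterised version needs no special handling of quotes or keywords; the fix is structural, not a filter, which is why it is the control to reach for before any input blacklist.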
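For the insufficient anti-automation item, the usual mitigation is to bound how often a single client can drive a process that was designed for manual use. The following is an added example, not code from the original post: a small per-client sliding-window rate limiter with an injectable clock so its behaviour can be checked deterministically. The class and function names, the limit of 5 requests per 60 seconds, and the client keys are all constructed for the illustration.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key.

    A real deployment would key on something the attacker cannot trivially
    rotate (authenticated user, API token) rather than only the source IP.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # key -> deque of request timestamps inside the window

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # the client has exhausted its budget for this window
        hits.append(now)
        return True


class FakeClock:
    """Constructed clock so the demonstration does not depend on wall time."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def burst(limiter, clock, key, count, spacing):
    """Send `count` requests `spacing` seconds apart; return the decisions."""
    decisions = []
    for _ in range(count):
        decisions.append(limiter.allow(key))
        clock.advance(spacing)
    return decisions


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=5, window=60.0, clock=clock)
    # Eight requests one second apart: the first five pass, the rest are refused.
    print(burst(limiter, clock, "client-a", 8, 1.0))
    # Another client is unaffected by client-a's budget.
    print(limiter.allow("client-b"))
    # Once the window has elapsed, client-a is admitted again.
    clock.advance(60.0)
    print(limiter.allow("client-a"))
```

Refused requests should be logged with the client key and counter, since a steady stream of refusals is itself the detection signal that an automated client is hitting a manual-only workflow.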
How can you protect against the above vulnerabilities?
Adhere to the SDLC process
Business/executive support -
Training - Training in secure coding practices.
Standards and effective code review are required.
Policies and standards - Web application vulnerabilities must be appropriately framed by a complete set of security
Technical controls -
Web servers that serve internet clients are typically placed on a protected or screened subnet, known as a DMZ.
Legacy code - Legacy code is vulnerable to many attacks.
Effective incident response capabilities -
• The time and cost of training developers in secure coding techniques can create concerns/pushback.
• Introducing secure code can add to application response time, creating latency that may need to be compensated for in
• Vulnerability scanning can impact network traffic and application performance. Information security teams must work with the business and operations to determine optimal time frames and methods for scanning.
• All organizations at one time or another must make emergency code updates. Follow-up code review, vulnerability
Changes are reviewed for vulnerabilities as quickly as feasible.
• Source code must be stored securely and monitored for movement and change, as is done for any other critical intellectual property.