Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.703 ■ Spring 2022 ■ David Lanter
My question to discuss with my classmates

March 16, 2022 by David Lanter 41 Comments

Filed Under: 10 - Application Security

Comments

  1. Yangyuan Lin says

    March 17, 2022 at 9:24 pm

    What is the biggest risk to web applications and how to effectively mitigate that risk?

    • Alexander William Knoll says

      March 22, 2022 at 11:13 pm

      In my opinion, one of the biggest risks to web application security is SQL Injections. To mitigate the risk, vulnerability & penetration testing should be used. Tools such as vulnerability scanners & source code analyzers can be useful in achieving this. Front-end validation can also mitigate the risk.

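Added example, not part of the discussion above: the string-built query that makes SQL injection possible beside its parameterized form, plus an allow-list username check as the validation layer Alexander mentions. The sqlite3 table, the user rows and the username pattern are constructed assumptions.

```python
"""Added example: parameterized queries are the primary fix for SQL
injection; allow-list input validation is a second layer, not a
replacement. Sample data and the username pattern are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users with placeholder hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # BAD: untrusted input is spliced into the SQL text, so the input
    # can change the query's structure, not just the value compared.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # GOOD: the driver sends the value separately from the SQL text;
    # whatever the string contains, it is compared as a literal name.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> bool:
    # Allow-list validation (usable on the front end and again on the
    # server): reject anything that is not a plausible username before
    # it reaches the database. Defence in depth only.
    return USERNAME_RE.fullmatch(name) is not None
```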
  2. Corey Arana says

    March 19, 2022 at 7:29 am

    What problems does spam create?

    • Matthew Bryan says

      March 20, 2022 at 10:53 am

      Spam clogs inboxes, slows email clients, reduces productivity, and generally annoys users.

      Spam can also be used to launch attacks and conduct reconnaissance on a target. For example, sending spam messages to accounts with auto-responders can yield information about active users and the company, e.g. “This user is no longer with the company. Please contact the front desk at…”. It can also show the attacker how the company responds to spam messages, e.g. blocking, filtering, etc. This can allow the attacker to probe for weaknesses under the guise of “benign” spam email.

    • Yangyuan Lin says

      March 22, 2022 at 11:04 am

      Spam is unwanted information that may contain advertising, malicious, pornographic, and other content. Spam may be related to the security and protection of information and data. An influx of spam into email boxes can cause legitimate mail to be overwhelmed, employees may take longer to delete junk emails or be distracted and less productive. Malicious links hidden in spam emails, Trojans, and spyware can attack computers and cause data leaks or company network failures.

  3. Shubham Patil says

    March 19, 2022 at 7:58 pm

    What can users do to enhance browser security?

    • Matthew Bryan says

      March 20, 2022 at 10:15 am

      Adjusting the configuration options within the browser improves browser security. For example, most browsers offer options that control how the browser engages with sites and what features are allowed to run. Disabling scripts and ActiveX from running by default improves the security of the browser. In addition, enabling pop-up blockers can prevent users from clicking malicious content.

      • Oluwaseun Soyomokun says

        March 20, 2022 at 9:33 pm

        I agree a user needs to optimize the configuration options and keep the browser security up-to-date by installing the timely updates, disabling scripts and ActiveX from running, and staying clear of unsecured sites.

      • Amelia Safirstein says

        March 22, 2022 at 1:06 pm

        Great points! Additionally, security awareness while surfing the web is important. Checking URLs before clicking on links, avoiding suspicious-looking websites, being cautious about entering private or confidential information, only downloading trusted files, etc. is important in security on the browser side as well.

    • Alexander William Knoll says

      March 22, 2022 at 11:07 pm

      On top of what everyone else has mentioned, there are a few more recommendations I have, as well. Users should be sure to keep their browser of choice actively updated, as well as any browser add-ons. Also, while usually a given, users should try to use complex passwords, not repeat the same password on every website they visit, and when possible have multi-factor enabled.

  4. Amelia Safirstein says

    March 19, 2022 at 11:02 pm

    What measures would you take to protect an internal server/network from attacks on a public-facing server/application-hosting server?

    • Mohammed Syed says

      March 20, 2022 at 10:45 pm

      Ensure that the perimeter firewall access control policies and procedures for internal servers or any zones of the organization network are verified before any attacks from outside occur. When configured properly, the security devices in the organization use IDS and IPS to track all packet floods and divide the network into segments. Follow blacklisting and whitelisting of IP ranges, and ensure that remote users’ connectivity is via VPN as well.

      • Amelia Safirstein says

        March 22, 2022 at 12:00 pm

        Great points, Mohammed! Additionally, since the public-facing web application server often has to communicate with an internal server (like a server hosting a database), input validation helps to ensure there isn’t harmful script being sent from the public-facing server to the internal one.

  5. Elizabeth Gutierrez says

    March 19, 2022 at 11:59 pm

    What are the best mitigation methods for hardening a web application with reference to broken authentication attacks?

    • Mohammed Syed says

      March 20, 2022 at 10:44 pm

      You should apply multifactor authentication to prevent brute force, credential stuffing, and stolen credential attacks. Also, implement digital identity in agreement with NIST 800-63. Ensure that the pathways used for account registration, credential recovery, and APIs are secured against account record attacks by providing a generic message for all outcomes. Verify the log failures along with alert messages when credential stuffing, brute force, or other attacks are detected.

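Added example, not part of Mohammed's reply: a login and recovery handler that returns one generic message whether or not the account exists, logs every failure, and raises an alert once failures from a single source exceed a threshold inside a time window. The user table, the threshold, the window and the placeholder hash are constructed assumptions; a real system would use a slow password hash and an external alerting channel.

```python
"""Added example: generic responses (no account enumeration), failure
logging and threshold alerting for a login/recovery path. Users,
threshold, window and the hash function are constructed placeholders."""
import hashlib
import hmac
from collections import defaultdict, deque

GENERIC_LOGIN = "Invalid username or password."
GENERIC_RECOVERY = "If that account exists, a reset link has been sent."
THRESHOLD, WINDOW = 5, 300   # alert after 5 failures within 300 seconds


def _h(pw: str) -> str:
    # Placeholder hash for the example only; use bcrypt/argon2 in practice.
    return hashlib.sha256(pw.encode()).hexdigest()


USERS = {"alice": _h("correct horse"), "bob": _h("battery staple")}


class AuthService:
    def __init__(self) -> None:
        self.failures = defaultdict(deque)   # source -> failure timestamps
        self.log = []                        # failure log lines
        self.alerts = []                     # (source, count) when triggered

    def _record_failure(self, source: str, user: str, now: float) -> None:
        self.log.append(f"{now:.0f} auth_fail src={source} user={user}")
        q = self.failures[source]
        q.append(now)
        while q and now - q[0] > WINDOW:     # drop failures outside the window
            q.popleft()
        if len(q) >= THRESHOLD:
            self.alerts.append((source, len(q)))

    def login(self, user: str, pw: str, source: str, now: float) -> str:
        stored = USERS.get(user)
        # Compare against a dummy hash when the user is unknown so neither
        # the response text nor the timing reveals whether the account exists.
        ok = hmac.compare_digest(stored or _h(""), _h(pw)) and stored is not None
        if not ok:
            self._record_failure(source, user, now)
            return GENERIC_LOGIN
        return "OK"

    def recover(self, user: str, source: str, now: float) -> str:
        # Same message either way; only real accounts would get an email.
        # Requests for unknown accounts are logged as probing.
        if user not in USERS:
            self._record_failure(source, user, now)
        return GENERIC_RECOVERY
```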
  6. Matthew Bryan says

    March 20, 2022 at 9:16 am

    Why are custom applications built internally by a firm less secure than third party applications? Why would a firm build an application vs buying one given the security concerns?

    • Bryan Garrahan says

      March 21, 2022 at 9:06 pm

      The amount of security applied to an internally built custom application really depends on your developers’ understanding of requirements for security. From my experience, developers’ main priority is to provide robust functionality within the applications they develop. Typically, security is an afterthought or not even considered. Outsourcing the application to a third party is usually a good option since the third party likely has a lot of experience securing other clients’ applications. Also, if your organization lacks the human resources to develop and subsequently maintain an internally built application, then this makes the decision to go with a third-party application even simpler for an organization.

  7. Bryan Garrahan says

    March 20, 2022 at 12:37 pm

    Why does the OWASP top 10 base their data on incidence rates rather than frequency rates during the vulnerability identification process? How/why is this method better?

    • Elizabeth Gutierrez says

      March 21, 2022 at 8:26 pm

      Hi Bryan,
      From my understanding, OWASP Top 10 base their data on incidence rates instead of frequency because it provides them with a better picture of what threats are faced by each application. It does not really benefit them to know the percentage of the application population in one instance of a vulnerability type. Not to mention, frequency-based data collection methods are known to exaggerate the risk of vulnerabilities that are easy to test for and occur frequently in a single application. Focusing on incidence rates is a better method because it corresponds to a risk related view, given the consideration that the attacker needs only one instance to attack an application successfully.

      • Amelia Safirstein says

        March 22, 2022 at 12:16 pm

        To add to Elizabeth’s point, OWASP mentions that “human-assisted tools” i.e. software that does most of the work scanning applications tends to report all occurrences of each type of vulnerability while a “tool-assisted human” may find different vulnerabilities but they often would not report every single occurrence of each type of vulnerability.

  8. Jason Burwell says

    March 20, 2022 at 3:03 pm

    Does someone need to understand every endpoint in order to understand the Attack Surface?

    • Oluwaseun Soyomokun says

      March 20, 2022 at 6:22 pm

      Jason,
      I feel it is important to know more as professionals by being up-to-date about current attacks and vulnerabilities, and also about how security controls and best practices reduce the attacks that are critical. Once a security professional has a map of the attack surface, it helps to identify the high-risk areas and the remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access.
      These are often the areas most exposed to attack. Then understand what compensating controls need to be in place: operational controls like network firewalls and application firewalls, and intrusion detection or prevention systems, to help protect your application in the areas below:
      • Network-facing, especially internet-facing code
      • Web forms
      • Files from outside of the network
      • Backward compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions
      • Custom APIs – protocols etc. – likely to have mistakes in design and implementation
      • Security code: anything to do with cryptography, authentication, authorization (access control) and session management

  9. Oluwaseun Soyomokun says

    March 20, 2022 at 5:11 pm

    In your opinion, which risk of the OWASP top 10 is the most difficult to mitigate and why?

    • Bryan Garrahan says

      March 21, 2022 at 7:45 pm

      I personally haven’t been involved in remediating or mitigating against any of the risks outlined in the OWASP top 10. However, when my company has third-parties come in to perform penetration tests and web application assessments my team attends the meetings where they present the results/findings to our security risk management team. After attending several of these meetings I’ve noticed a number of SQL injection and cross site scripting vulnerabilities are consistently identified as part of the findings. I believe the root cause is ultimately a lack of consistent input validation as part of the application development process.

  10. Ryan Trapp says

    March 20, 2022 at 6:35 pm

    Should we apply encryption to all e-mail messages? If not, what situations would be the most applicable? What is the main reason why encrypting e-mail messages is not more prevalent?

    • Corey Arana says

      March 21, 2022 at 5:59 pm

      I think that we should encrypt all e-mail messages. Encrypting all messages we send out makes our inboxes more secure. Only encrypting messages from time to time might stick out to a hacker and at that point make our message box less secure. I think the main reason encryption for email is not more prevalent is because email was never really meant to use or be encrypted. Email was originally meant to be simple and not secret, on the surface.

      • Alexander William Knoll says

        March 22, 2022 at 11:02 pm

        I agree with your last point. Email was initially intended to be a simple communications method, and not something that would turn into a commonplace for cyber security attacks, so their systems are typically not secure. I assume email encryption would probably be a huge pain for the common sender, and probably not something that they would much care about.

  11. Michael Galdo says

    March 20, 2022 at 10:31 pm

    What are some of the risk control tactics when it comes to protecting against attacks on e-commerce?

  12. Michael Duffy says

    March 20, 2022 at 11:09 pm

    What are some technical issues that Voice over IP (VoIP) poses for a network?

    • Bryan Garrahan says

      March 21, 2022 at 8:48 pm

      There are a number of threats associated with VoIP including but not limited to caller impersonation and denial of service attacks. DoS attacks can be exploited on phones and a number of different servers in a VoIP network by modifying latency performance. Additionally, caller impersonation has proven to be more effective on VoIP networks than traditional soft phones to perform social engineering attacks.

    • Elizabeth Gutierrez says

      March 21, 2022 at 10:30 pm

      Hi Michael,
      While VoIP offers a third dimension to voice communication, merging the voice and data worlds introduces security risks. There are a couple of technical issues involving VoIP that come to mind. Threats that VoIP faces range from eavesdropping to denial of service and man-in-the-middle attacks. Unfortunately, VoIP protocols were not designed with security as a primary concern. For example, one of its biggest risks is that there is no encryption involved and if an attack occurs, you cannot trace it. By decoding the interception, hackers are able to listen in on calls; obviously, this is problematic considering it is a serious breach of security.

      • Hang Nu Song Nguyen says

        March 22, 2022 at 8:46 am

        I agree with Elizabeth that VoIP protocols were not designed with security as a primary concern. For me, it is designed for convenience. The main disadvantage of VoIP compared to traditional lines is that VoIP is completely dependent on the strength of broadband connections. It will affect availability. Also, Elizabeth said, “one of its biggest risks is that there is no encryption involved”. To make VoIP reliable, it is easier to deal with its availability than confidentiality.

  13. Joshua Moses says

    March 20, 2022 at 11:58 pm

    There were a lot of attacks that were mentioned and outlined in this week’s reading of Boyle and Panko’s book. These attacks ranged from various web server attacks to a few examples of web browser attacks. Is there any attack that stood out to you? If so, which one/s and why?

    • Elizabeth Gutierrez says

      March 21, 2022 at 11:14 pm

      With regards to web browser attacks on section 8.3 of the textbook, mobile code, consisting of commands written into a webpage stood out to me. I learned that by intercepting client traffic using the man-in-the-middle technique, hackers can modify the original mobile code to be executed on the client’s machine under their credentials. Otherwise, it is also possible for the malicious mobile code to be hosted in an untrustworthy website (which we frequently visit all the time) or it could be permanently injected on a vulnerable webpage.

    • Hang Nu Song Nguyen says

      March 22, 2022 at 8:35 am

      Hi Joshua,
      For me, buffer overflow attacks make me think about secure coding. Buffer overflow attacks can come from non-intention. If developers follow OWASP secure coding practices, software applications and web applications will have fewer vulnerabilities.

    • Joshua Moses says

      March 22, 2022 at 11:53 pm

      Hello Elizabeth and Hang,

      I am glad that I asked this question. You two gave some very astounding examples of attacks in this week’s reading. Elizabeth, I like what you said about man-in-the-middle attacks. I am familiar with those from studying the CompTIA Security+. You gave some insight and helped me capitalize on my knowledge of it with your example. Hang, I am also familiar with the buffer overflow attacks; I haven’t studied the material since 2013, so you two are definitely jogging my memory!

  14. Hang Nu Song Nguyen says

    March 20, 2022 at 11:58 pm

    Is using Leap files a way to increase e-mail security or a technique to mitigate risks from third-party vendors?

  15. Ornella Rhyne says

    March 21, 2022 at 6:03 pm

    What would be the issue if one of the 10 categories of OWASP is missing when adopting an application security standard?

    • Hang Nu Song Nguyen says

      March 22, 2022 at 8:23 am

      Hi Ornella,
      As we know, OWASP Top 10 provides the top 10 most critical web application security risks, and these risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. Moreover, based on the nature of the business and cost-benefit analysis, each firm will invest in a different way in its security plan and also accept its own risk appetite. To answer your question, the impact of the missing category on business continuity is the issue.

  16. Alexander William Knoll says

    March 22, 2022 at 10:52 pm

    What do you think the major reasoning is behind Broken Access Control making the jump to position #1 on OWASP’s top 10, even surpassing Injection attacks, which have been consistently ranked as one of the top cybersecurity threats?

  17. Miray Bolukbasi says

    April 19, 2022 at 12:21 pm

    Why do you think the OWASP Attack Surface Cheatsheet highlights unauthorized and high-privileged users instead of other users while assessing points of entry and risk categorization?


Fox School of Business