How to Mitigate Risk from Web Application Security Threats
Worried about how H1N1 flu season might put your business operations at risk as employees take time off work to get better? We would remind owners and managers that online data breach season is year-round and it's important to take precautions to mitigate business risk.
What types of web security risks are we referring to? The Open Web Application Security Project (OWASP) has just released its list of the top 10 most critical web application security risks for public comment. As listed on the OWASP site, they include:
1. Injection flaws, such as SQL, OS, and LDAP injection. Preventing injection requires keeping untrusted data separate from commands and queries.
2. Cross-site scripting (XSS). Preventing XSS requires keeping untrusted data separate from active browser content.
3. Broken Authentication and Session Management. The primary recommendation for an organization is to make available to developers a single set of strong authentication and session management controls.
4. Insecure Direct Object References. Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename).
5. Cross-Site Request Forgery (CSRF). Preventing CSRF requires the inclusion of an unpredictable token as part of each transaction. Such tokens should at a minimum be unique per user session, but can also be unique per request.
6. Security Misconfiguration. Establish a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down.
7. Failure to Restrict URL Access. Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page.
8. Unvalidated Redirects and Forwards. Avoid using redirects and forwards.
9. Insecure Cryptographic Storage. Encryption is a complicated issue and can't be adequately summarized here. At a minimum, encryption and data backup require extensive planning. Passwords, keys and algorithms must be of a high standard to provide the level of protection your unique organization requires.
10. Insufficient Transport Layer Protection. Providing proper transport layer protection can affect the site design. It’s easiest to require SSL for the entire site. For performance reasons, some sites use SSL only on private pages. Others use SSL only on ‘critical’ pages, but this can expose session IDs and other sensitive data.
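As an added illustration of item 5 (this is not code from the newsletter or from OWASP), the following Python shows what "unpredictable, unique per session, optionally unique per request" looks like in practice: a small token store plus a request gate; `CsrfTokenStore`, `allow_request` and the session ids are assumed names.

```python
import hmac
import secrets
from typing import Dict, Optional, Set


class CsrfTokenStore:
    """Hypothetical anti-CSRF token store (not code from the article or OWASP).

    Tokens come from a CSPRNG, so a third-party site cannot guess them, and
    are kept per server-side session, so a token issued to one session is
    useless in another. With per_request=True each token is single-use.
    """

    def __init__(self, per_request: bool = False) -> None:
        self.per_request = per_request
        self._tokens: Dict[str, Set[str]] = {}  # session id -> live tokens

    def issue(self, session_id: str) -> str:
        """Return the token to embed in a form or header for this session."""
        live = self._tokens.setdefault(session_id, set())
        if not self.per_request and live:
            return next(iter(live))  # one long-lived token per session
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        live.add(token)
        return token

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """True only if the submitted token is live for this exact session."""
        if not submitted:
            return False
        live = self._tokens.get(session_id, set())
        matched = None
        for token in live:  # no early exit, so timing leaks nothing
            if hmac.compare_digest(token, submitted):
                matched = token
        if matched is None:
            return False
        if self.per_request:
            live.discard(matched)  # single-use: a replay now fails
        return True


def allow_request(store: CsrfTokenStore, session_id: str,
                  method: str, form: Dict[str, str]) -> bool:
    """Gate state-changing requests on a valid token; safe methods pass."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # these must not change state, so nothing to protect
    return store.validate(session_id, form.get("csrf_token"))
```

The gate only works if GET handlers really are side-effect free; a state change reachable by GET bypasses the token check entirely.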
To learn more about how PCIS can prepare your organization against web application security threats, including our Devfense WSA Diagnostic service, email info@pcis.com.
Look forward to news and opinions about the latest tech trends, online and network security, identity management and other important issues in the tech sector from the Pacific Coast Informer.
How to Subscribe/Unsubscribe to the Pacific Coast Informer
SUBSCRIBE: To subscribe to the Pacific Coast Informer, send a blank email message with subject line "SUBSCRIBE-PCINFORMER" to informer@pcis.com
UNSUBSCRIBE: If you do not wish to receive future issues of the Pacific Coast Informer, send a blank email with subject line "UNSUBSCRIBE-PCINFORMER" to: informer@pcis.com and we will promptly remove you from our distribution list.
WE WANT YOUR FEEDBACK
Our purpose for providing this free service is to keep our clients and business contacts informed of technology developments. This information can help them resolve common problems and achieve their full potential by strengthening their business processes and infrastructure. Your input is important to us and we welcome your ideas for new features and how we can continue to improve our service to you. Send your comments and suggestions to informer@pcis.com or contact us directly at 604.844.7558.