Whether it’s athletes, movies, or new music, most of the time cracking a list of the top 10 is something to be celebrated. When isn’t it? When the list in question is all about web application security risks: vulnerabilities with the potential to cause massive problems for organizations and users alike.
That’s when things get a whole lot scarier, given the risk such attacks pose to web applications, the increasingly popular pieces of software that run on web servers rather than locally on home or work devices.
Organizations need to be aware of these risks — and how tools like a Web Application Firewall may be able to help.
The Open Web Application Security Project
The nonprofit Open Web Application Security Project (OWASP) periodically puts together a list of the top 10 security weaknesses with web applications, using a combination of public comment, in-depth data analysis, and surveys. While the list makes sobering reading, it’s also vitally important because it highlights the various shifts taking place on the cyber security landscape as some threats ramp up and others begin to recede.
In the latest list, the number one spot was taken by access control misconfigurations. This problem takes place more frequently than any other security issue involving web apps.
Others included cryptographic failures (lack of proper encryption measures), code injection attacks (in which a bad actor introduces code into a computer program to change the way it operates), insecure design, security misconfigurations, vulnerable and/or outdated components (epitomized by failure to properly patch software), identification and authentication failures, software and data integrity failures, security monitoring and logging failures, and server-side request forgery (in which bad actors abuse server functionality so that it accesses or otherwise manipulates server-side information that wouldn’t usually be accessible to an attacker).
A constant state of flux
The cyber attack landscape is in a constant state of flux, as attackers seek novel ways to attack victims. As new defenses are mounted, so too do those on the bad side of the wall try to find fresh ways to abuse newly discovered (or unpatched) flaws and other vulnerabilities that exist in software.
The OWASP top 10 list makes this clear by highlighting how different attack vectors slide up and down the rankings. For instance, in the latest report, cryptographic failures and security misconfigurations rose in the rankings as these became more common weaknesses exploited in potential attacks. Meanwhile, other categories were expanded in scope and shifted around (“insecure design,” for example, was a new entry for 2021), reflecting the undulating security landscape.
Compiling a list of vulnerabilities is interesting for industry watchers. For those who are operating web applications, however, it’s of far more than just academic interest: It’s a useful piece of instruction regarding how you should be protecting yourself. Like getting a list of the most common ways burglars break into a home, this should be used as a timely reminder of where organizations and businesses should be focusing their protection efforts. Simply put, they need to ensure that they are addressing these potential vulnerabilities within their own web apps.
More importantly, though, organizations need to make sure that they are proactively (not reactively) making application security a central part of their operations. It should be integral at every stage of the development of new software — starting with design and moving through implementation, internal testing, release, and then maintenance. Getting rid of the flaws highlighted in the OWASP top 10 list is a good start, but making sure that this way of thinking about web application security permeates every aspect of an organization should be the real goal. By doing this, organizations can ensure that they are doing right by their users on every level.
Protecting against attacks
Not every organization has the cyber security skills to solve all of these problems, of course. Being talented developers is one thing, but having the full-time employees capable of solving these issues is another. For that reason, many organizations will bring in outside experts — and tools — to help. Fortunately, there’s no shortage of help available.
As far as assistive technology is concerned, one tool every organization worth its salt (or should that be silicon?) should consider is a Web Application Firewall (WAF). A WAF, as its name implies, is designed to protect web applications against cyber attacks, acting as an invaluable safeguard. WAFs can protect against many of the issues outlined by the OWASP top 10 list. They do this through the monitoring, filtering, and blocking of bad HTTP/S traffic on its way to a web application, while also blocking unauthorized data from exiting the app. A WAF utilizes a set of policies that allow it to figure out which traffic to consider malicious and which traffic to consider safe. It’s one of the smartest investments an organization can make.
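As an added illustration (not code from the original post or from any vendor’s product), here is a minimal policy-driven request inspector in the spirit of the WAF described above: it decodes query parameters the way the application would, applies constructed rules for two of the OWASP categories named earlier (injection and server-side request forgery), and screens outbound responses for leaked key material. The rule patterns, parameter names, and sample requests are all assumptions made for this example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed, deliberately small signature set (a real WAF ships thousands of rules).
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+)")
EGRESS_PATTERN = re.compile(r"BEGIN (RSA |EC )?PRIVATE KEY")
# Parameter names (assumed) that the protected app uses to accept a URL to fetch.
URL_PARAMS = ("url", "target", "callback")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so the rules see what the app will see.
    A policy that matches only the raw wire form misses double-encoded input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_injection(params: dict) -> Optional[str]:
    for key, values in params.items():
        if any(SQLI_PATTERN.search(fully_decode(v)) for v in values):
            return f"injection pattern in parameter '{key}'"
    return None


def check_ssrf(params: dict) -> Optional[str]:
    """Flag user-supplied URLs that would point the server at itself or its own network."""
    for key in URL_PARAMS:
        for v in params.get(key, []):
            host = urlsplit(fully_decode(v)).hostname or ""
            if host == "localhost":
                return f"internal hostname in '{key}'"
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # a DNS name; resolution-time checks are out of scope here
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                return f"internal address {ip} in '{key}'"
    return None


def inspect_request(path_and_query: str) -> dict:
    """Inbound policy: the first matching rule blocks, otherwise the request is allowed."""
    params = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    for rule in (check_injection, check_ssrf):
        reason = rule(params)
        if reason:
            return {"action": "block", "reason": reason}
    return {"action": "allow", "reason": None}


def inspect_response(body: str) -> dict:
    """Outbound policy: stop key material from leaving the application."""
    if EGRESS_PATTERN.search(body):
        return {"action": "block", "reason": "private key material in response body"}
    return {"action": "allow", "reason": None}
```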
Threats against web applications aren’t going away. However, by doing their utmost to protect against potential vulnerabilities, organizations can help mitigate the worst of these attacks — all while building a cyber security aware culture to be proud of.