Open Source Group Lists Top Ten Security Risks
The 10 most critical Web application security problems which require "immediate" attention were revealed in a report from the open source group Open Web Application Security Project.
The open source community project, Open Web Application Security Project (OWASP), said it wants to focus government and private-sector attention on common weaknesses "that require immediate remediation".
The security issues listed are "not new", but are "surprisingly common" and can be exploited by unsophisticated attackers with easily available tools, said Washington DC-based OWASP, staffed by volunteers from across the world.
"In fact, some [security issues] have been well understood for decades. Yet for some reason, major software development projects are still making these mistakes and jeopardising not only their customers' security, but also the security of the entire Internet," OWASP's Web site states.
The list is also intended to be used by development teams and managers during project planning. OWASP said the list is intended to educate vendors to avoid the same mistakes that have been repeated in other web applications and to give consumers a guideline of expectations for web application security when selecting a vendor or rolling out an application.
"When an organisation deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Therefore, web application code is part of the security perimeter and cannot be ignored," the report stated.
Added Jeffrey Williams, CEO of web application security firm Aspect Security, "A stunning number of organisations spend big bucks securing the network and somehow forget about the applications."
Peter G. Neumann, moderator of the ACM Risks Forum said, in the OWASP statement: "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."
The top ten vulnerabilities, which focus on categories of problems rather than on specific applications, are:
* Unvalidated parameters, where information from web requests is not validated before being used by a web application.
* Broken access control, in which restrictions on authorised users are not enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorised functions.
* Broken account and session management, which leave inadequately protected account credentials and session tokens vulnerable to hijacking. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
* Cross-site scripting flaws, which can allow the web application to be used to transport an attack to an end user's browser.
* Buffer overflows, which can crash an application and allow it to be taken over. Web application components that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
* Command injection flaws, in which improper commands are passed by the application to another system for execution. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
* Error-handling problems, which can provide an attacker with unintended information or deny service when errors occur.
* Insecure use of cryptography, which provides weak protection when cryptography code is not properly integrated.
* Remote administration flaws, in which administrative functions are not well protected, allowing an attacker to gain full access to all aspects of a site using a web interface.
* Web and application server misconfiguration. Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
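As an added illustration of the first category (not code from the report or from OWASP): a small allow-list validator for web request parameters, using hypothetical parameter names, that rejects anything the endpoint has not declared before the application ever uses it.

```python
import re
from urllib.parse import parse_qs

# Allow-list schema for one hypothetical endpoint (assumed names, not from the report).
# Every parameter the endpoint accepts is declared with the exact shape it may take;
# anything not declared, or not matching, is rejected before the application uses it.
SCHEMA = {
    "user_id": {"pattern": r"^[0-9]{1,10}$", "required": True},
    "page":    {"pattern": r"^[1-9][0-9]{0,3}$", "default": "1"},
    "sort":    {"choices": {"name", "date"}, "default": "name"},
}

class InvalidParameter(ValueError):
    """Raised when a request parameter fails allow-list validation."""

def validate_params(query: str, schema: dict = SCHEMA) -> dict:
    """Return validated parameters from a raw query string, or raise InvalidParameter."""
    raw = parse_qs(query, keep_blank_values=True)
    unknown = set(raw) - set(schema)
    if unknown:                       # parameters the endpoint never declared
        raise InvalidParameter(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    for name, rule in schema.items():
        values = raw.get(name)
        if values is None:
            if rule.get("required"):
                raise InvalidParameter(f"missing required parameter: {name}")
            if "default" in rule:
                clean[name] = rule["default"]
            continue
        if len(values) != 1:          # repeated parameters are ambiguous; reject them
            raise InvalidParameter(f"parameter repeated: {name}")
        value = values[0]
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            raise InvalidParameter(f"malformed value for {name!r}")
        if "choices" in rule and value not in rule["choices"]:
            raise InvalidParameter(f"value not allowed for {name!r}")
        clean[name] = value
    return clean

def is_accepted(query: str) -> bool:
    """True if the constructed query string passes validation, False otherwise."""
    try:
        validate_params(query)
        return True
    except InvalidParameter:
        return False
```

Because validation is an allow-list keyed on the endpoint's declared parameters, a value such as `42 OR 1=1` or an undeclared `debug=1` parameter never reaches application code, which is what closes the door on the injection categories later in the list.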
The complete report is available on OWASP's Web site.
OWASP, which was created to bring attention to security for online applications, patterned its list on the SANS Institute and FBI top 20 list of network loopholes. Similar to the SANS-FBI list, the OWASP vulnerabilities are well known, but continue to represent significant risk because they are widespread.