Organizations can be very good about their security in general and somehow forget about the security of their websites. This is curious when you think about it: the website is out there for everybody on the Internet to reach and therefore faces special problems. Nevertheless, it happens.
Why does this happen? The main reason seems to be that web hosting, design and development are often separate from IT. The Communications Department may work independently with an outside consultant. Perhaps there are no policies governing web development. The organization may assume that its hosting company is paying more attention to security than it actually is. For whatever reason, when we start asking about SQL injection, cross-site scripting, or even broken authentication, we often get answers like, “I think the developer checked for that,” with no real knowledge of what was actually done.
What to do? If you’re working with a security consultant, ask the consultant to assess the website. If you want to know whether the consultant is doing the right thing, or if you are ready to get your own hands dirty, learn about, and learn from, OWASP.
OWASP stands for the Open Web Application Security Project. It is a group of volunteers who have been working for years to develop information on best practices for developing and using web applications. It wants to improve the security of web application software by creating testing software, test environments, knowledge frameworks, lists of top threats, and other very helpful stuff. They can be found at www.owasp.org.
Top 10 Web Application Security Risks
Here is a list of the Top 10 Application Security Risks OWASP has found. How comfortable are you that your website’s bases are covered against these?
1. Injection flaws, such as SQL, NoSQL, OS and LDAP injection.
2. Broken Authentication, covering flaws in authentication and session management.
3. Sensitive Data Exposure.
4. XML External Entities (XXE), caused by poorly configured or outdated XML processors.
5. Broken Access Control, when authenticated users’ actions are not properly restricted.
6. Security Misconfiguration, which includes not patching in time, unchanged default configurations, or even verbose error messages that leak data useful to attackers.
7. Cross-Site Scripting (XSS), which allows attackers to execute scripts in the victim’s browser.
8. Insecure Deserialization, which can lead to remote code execution or various other attacks.
9. Using Components with Known Vulnerabilities, such as libraries, frameworks or other software modules.
10. Insufficient Logging and Monitoring, which gives malware or attackers more time to attack systems undetected.
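To make items 1 and 7 concrete, here is an added example (not code from the original article or from OWASP) that puts a vulnerable lookup beside its hardened form. It uses Python's standard library only: an in-memory SQLite table with constructed sample rows, a query built by string concatenation next to the same query with a bound parameter, and a page fragment rendered with and without HTML escaping. The function names, the sample users and the probe input are all assumptions made for the demonstration.

```python
import sqlite3
import html


def make_db():
    """Build a constructed in-memory users table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Item 1 (Injection): user input is pasted into the SQL text itself.

    Whatever the caller supplies becomes part of the statement, so a value
    containing quote characters can change the WHERE clause.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened lookup: a placeholder plus a bound parameter.

    The driver sends the value separately from the SQL, so it is only ever
    compared as data and can never alter the statement's structure.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_unescaped(name):
    """Item 7 (XSS): untrusted text is written straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Hardened rendering: encode for the HTML context before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both pairs on a constructed probe and return what each produced."""
    conn = make_db()
    # Constructed probe: a value that is valid data but also valid SQL syntax.
    probe = "' OR '1'='1"
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
        "unescaped_html": render_greeting_unescaped("<b>bob</b>"),
        "escaped_html": render_greeting_escaped("<b>bob</b>"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every row for the probe value because the quotes terminate the string literal and the rest is interpreted as SQL; the parameterized query returns nothing, since no user is literally named that. Likewise the escaped greeting leaves the tags visible as text rather than markup. The check a reviewer wants for both items is the same: is untrusted input ever mixed into SQL text or HTML without a parameter binding or context-appropriate encoding?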
OWASP also provides a number of good scanning tools for checking your website. They are relatively easy to use. All in all, it’s a good place to begin examining what may be a forgotten part of your infrastructure.