OWASP – Keeping an Eagle’s Eye on Security Factors

OWASP provides the standard reference for keeping risks away from web applications. This post explains what that standard covers and how to follow it in order to avoid the most common web application risks.

OWASP, the Open Web Application Security Project, is a non-profit charitable organization focused on improving software security. Its mission is straightforward: make software security visible, so that organizations and individuals can make informed decisions about their true software security risk.

The Top 10 also provides guidance on how to assess the risks in your own web application. It discusses the general likelihood and impact factors used to rate the typical severity of each risk, then explains how to verify whether you have problems in that area, how to avoid them, some example flaws, and links to further information. Its ultimate aim is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 gives basic techniques for protecting against these high-risk problem areas and guidance on where to go from there.

OWASP Top 10 Application Security Risks (2010 edition)

A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 – Broken Authentication and Session Management: Authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 – Security Misconfiguration: Good security requires a secure configuration to be defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 – Insecure Cryptographic Storage: Sensitive data such as credit card numbers, SSNs, and authentication credentials must be properly protected with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A8 – Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform the same access control checks each time these pages are requested, or attackers will be able to forge URLs to reach these hidden pages anyway.

A9 – Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
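The A10 risk above is usually fixed by refusing to redirect anywhere the application does not explicitly allow. The following is an added example (not code from the original post or from Konstant) of such a check in Python: the allowlisted hosts and the default landing page are assumptions, and the tricky inputs it rejects (scheme-less `//host` targets, backslashes that browsers treat as slashes, userinfo before the real host, non-HTTP schemes) are constructed test cases a defender would put in a unit test.

```python
from urllib.parse import urlsplit

# Assumption: hosts this application is allowed to redirect to (constructed for the example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
# Assumption: where to send the user when the requested target is not acceptable.
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if target is a site-relative path or an absolute http(s)
    URL whose host is on the allowlist. Everything else is rejected."""
    if not target:
        return False
    # Control characters (CR/LF header injection) and backslashes are rejected up front:
    # browsers normalise "/\evil.example" to "//evil.example", urlsplit does not.
    if any(ord(ch) < 0x20 for ch in target) or "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    # Only http/https or scheme-less targets; this blocks javascript:, data:, file: ...
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute (or protocol-relative "//host") URL: hostname strips userinfo and
        # port, so "https://app.example.com@evil.example/" resolves to evil.example.
        host = parts.hostname or ""
        return host.lower() in allowed_hosts
    # No host part: accept only an absolute path on this site. "//host" never reaches
    # here (urlsplit treats it as a netloc); bare relative paths are refused as well.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str) -> str:
    """Return target if it passes validation, otherwise the safe default."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest must fall back.
    for candidate in ["/account/settings", "https://accounts.example.com/login",
                      "//evil.example/phish", "https://app.example.com@evil.example/",
                      "/\\evil.example", "javascript:alert(1)", ""]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

The check is deliberately an allowlist rather than a blocklist: rather than trying to enumerate every way a destination can be disguised, it accepts only two well-defined shapes (a path beginning with a single `/`, or an `http(s)` URL whose parsed hostname is known) and sends everything else to `DEFAULT_TARGET`.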

Konstant’s Approach to OWASP

Konstant firmly believes there is no shortcut to web application security. Konstant has already established an effective capability for securing its applications. We understand the growing volume of attacks and the regulatory pressures. We handle a large volume of vulnerabilities and have established an application security program to gain insight and improve security across our application portfolio, as OWASP recommends.

Konstant adheres to the following points in order to keep risks away from web applications:

» Data Validation

» Authentication and Password Management

» Authorization and Access Management

» Session Management

» Sensitive Information Storage or Transmission

» System Configuration Management

» General Coding Practices

» Database Security

» File Management

» Memory Management

» Compact, but comprehensive checklist format

» Focuses on secure coding requirements, rather than on vulnerabilities and exploits

» Includes a cross-referenced glossary to get developers and security folks talking the same language

Konstant has set the following parameters for database security:

» We use strongly typed parameterized queries. Parameterized queries keep the query and the data separate through the use of placeholders: the query structure is defined with placeholders, and the application then supplies the contents of each placeholder.

» Validate input, and if validation fails, do not run the database command.

» Variables are strongly typed.

» Escape meta-characters in SQL statements.

» The application should use the lowest possible level of privilege when accessing the database.

» Use secure credentials for database access.

» Do not provide connection strings or credentials directly to the client. If this is unavoidable, encrypt them.

» Use stored procedures to abstract data access.

» Turn off any unneeded database functionality (e.g., unnecessary stored procedures or services).

» Eliminate default content.

» Disable any default accounts that are not required to support business requirements.

» Close the connection as soon as possible.
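The first two database points (parameterized queries, and refusing to run the command when validation fails) are the ones that close off the A1 injection risk from the Top 10 list above. The following is an added example written for this post, not Konstant’s own code, using Python’s standard `sqlite3` module and a constructed in-memory `users` table; the username allowlist pattern is an assumption about what this application considers a valid username. It puts the string-concatenated query next to the parameterized one so the difference in behaviour on the same input is visible, and closes the connection as soon as the work is done.

```python
import re
import sqlite3
from contextlib import closing

# Constructed sample data for the example (assumption: a users table with a role column).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Assumption: usernames are short and drawn from a small allowlisted character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value) -> str:
    """Strong typing plus allowlist validation; raises so the caller never runs the query."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def find_user_vulnerable(conn, username: str):
    # DELIBERATELY VULNERABLE for contrast: untrusted data becomes part of the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username: str):
    # The query structure is fixed; the placeholder is bound to data only, so the same
    # hostile input is compared literally and simply matches nothing.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_safe(conn, username):
    # Validation first: if it fails, the database command is never executed.
    return find_user_parameterized(conn, validate_username(username))


def run_demo() -> dict:
    """Run the three lookups on a legitimate and a hostile value and return the outcomes."""
    hostile = "bob' OR '1'='1"          # constructed injection test string
    results = {}
    with closing(build_sample_db()) as conn:   # closed as soon as the lookups finish
        results["vulnerable_bob"] = find_user_vulnerable(conn, "bob")
        results["vulnerable_hostile"] = find_user_vulnerable(conn, hostile)
        results["parameterized_bob"] = find_user_parameterized(conn, "bob")
        results["parameterized_hostile"] = find_user_parameterized(conn, hostile)
        results["safe_bob"] = find_user_safe(conn, "bob")
        try:
            find_user_safe(conn, hostile)
            results["safe_hostile"] = "query ran"
        except ValueError:
            results["safe_hostile"] = "rejected before query"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22} -> {outcome}")
```

The parameterized version is the real control: it is correct even when validation is bypassed or too permissive, because the database driver never interprets the bound value as SQL. Validation is the second layer that the second bullet asks for, and it also keeps obviously malformed data out of the audit trail.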

All departments at Konstant work together to achieve application security, including security and audit, software development, and business and executive management. This requires security to be visible, so that all the different players can see and understand the organization’s application security posture. Konstant focuses on the activities and outcomes that actually improve enterprise security by reducing risk in the most cost-effective manner.

About Author
Nitin Mathur

Nitin is a writer, project analyst (project owner) and coffee addict on our team, who finds solace in reading and writing. He loves expressing his thoughts and views on current technology, especially web and mobile application development. In his spare time you can also find him cooking for family and friends.
