Security is fortunately taken very seriously in web development. There are many security experts and researchers who work extensively on the topic and share their findings with the community. A good source to get information about security related topics for web applications is the OWASP® — Open Web Application Security Project — Foundation. In addition to information, news and training on security-related topics, OWASP also provides the top ten web application security risks list — a listing of the ten most critical security vulnerabilities in web applications. We want to present this list here to raise awareness about it, but also to give an insight into what security precautions and considerations are taken into account in each of our projects.
Top Ten Security Risks #
Top Ten Security Risks In the following, we provide an overview and a summarized description of the current top ten security risks on the web. Our primary goal is to raise awareness of these risks without going into too much technical detail. If the topics interest you, we recommend following the links to OWASP for more detailed information.
Here they are, the 10 most critical security risks:
1. Broken Access Control #
The number one most critical security risk in modern web projects describes problems or gaps in access control. This means that an application does not check permissions or does not check them sufficiently. As an example of a broken access control problem, you can think of a delete button that is disabled on the frontend for the user, but that is not checked on the server side. When a user manually activates and clicks the button, the resource is deleted, even though that user would not have been authorized to delete it. Access control issues were found on 94% of the tested web applications, making it the most widespread vulnerability (among the tested applications).
More information about Broken Access Control can be found here.
2. Cryptographic Failures #
The second most critical risk involves the encryption of sensitive data. This includes, among other things, the missing or insufficient encryption of data such as personal data according to the GDPR, credit card data or financial data (both in communication and storage), the use of outdated or weak encryption algorithms, as well as the improper storage of security keys and certificates.
More information about Cryptographic Failures can be found here.
3. Injection #
Injection roughly describes the infiltration of malicious code into an application or system. This type of risk arises primarily when input from users and parameters are not or not sufficiently validated and filtered. Well-known examples of injection attacks are so-called SQL injections. Here, an attacker uses a manipulated parameter to cause an SQL database query to request additional or different information than intended.
More information about Injection can be found here.
4. Insecure Design #
Insecure Design describes a broad category of risks and problems that occur in the planning of an application. This category primarily describes risks that arise from incorrect assumptions or incomplete requirements. An example of this is the use of security questions and answers in the password reset process. The use of questions and answers is a security risk even if implemented perfectly and without errors.
More information about Insecure Design can be found here.
5. Security Misconfiguration #
Security misconfiguration is another broad category that groups together many different problems. In general, these are problems where individual parts of a system are vulnerable to attack due to incorrect or incomplete configuration. Examples in this risk category include missing or incorrectly configured services such as cloud services, web servers, enabled or installed but unnecessary services, applications or ports, unchanged default usernames and passwords, and outdated or not updated software.
More information about Security Misconfiguration can be found here.
6. Vulnerable and Outdated Components #
Vulnerable and outdated components covers the risk caused by external plug-ins, packages and systems if they are not regularly checked and updated at regular intervals. However, the process itself of ensuring that vulnerabilities and updates are detected continuously and that essential updates are applied is also considered a risk factor here.
Further information on Vulnerable and Outdated Components can be found here.
7. Identification and Authentication Failures #
This risk describes the authentication of a user that has not been verified or secured sufficiently. This item also summarizes a number of problems, all of which can lead to an attacker being able to illegitimately pretend to be a user.
Further information on Identification and Authentication Failures.
8. Software and Data Integrity Failures #
This describes a number of security issues, such as using plugins, libraries and modules from insecure sources or CDNs, insecure automated pipelines or insecure automatic updaters. These issues can allow attackers to inject malicious code into the application.
More information on Software and Data Integrity Failures can be found here.
9. Security Logging and Monitoring Failures #
This security problem describes the missing or insufficient logging and monitoring of activities in the application. More specifically, the resulting problems of not being able to detect and respond to data leaks and intrusions.
Further information about Security Logging and Monitoring Failures.
10. Server-Side Request Forgery (SSRF) #
An SSRF vulnerability occurs when a server-side web application is tricked into loading content from a URL specified by the user without sufficiently checking this URL. This can allow an attacker, for example, to read settings or reach internal services that should not be publicly accessible.
Further information about Server-Side Request Forgery (SSRF).
IT Security as an Important Component in Every Project #
With this article we wanted to create awareness and point out potential vulnerabilities in web projects. Our focus at bitperfect is clearly on the development of customized web and software solutions. Although IT security is not our core area, it is an essential aspect that is considered and included in each of our projects in order to create robust solutions for our clients.