Cybersecurity: Data on Vulnerabilities in Web Applications
Thursday September 27, 2018
At the speed that information travels, it’s easy to forget that the Internet is relatively young. With the potential for exponential growth, above all the negative foresight, we can start to see the benefits of the Internet when data is used to progress technology; and humanity as a whole.
Cybersecurity projects dedicated to analysis, development, and research of vulnerabilities are now working alongside industry leaders and corporations such as Cisco Talos, Google, and IBM with the intent to purposefully expose design flaws. The efforts to essentially break software intentionally appears malicious and rude in nature. However, these deliberate attacks provide transparency, promoting security strengthening from potential threats. In practice, it’s better the good guys find a flaw before the bad guys exploit it. Zero-day vulnerabilities are provided to vendors prior to public disclosure, giving developers the opportunity to implement a patch. The idea is to work together, as corporations such as Google partner with free software projects such as the GNU Project, that provides a platform for open source projects improves upon.
Using Analytical Data to Protect Users
Open source projects are largely community driven, and many projects are a product of member development and research contributions. The Open Web Application Security Project, abbreviated as OWASP, is a not-for-profit organization dedicated to Web Application security. Providing Web App security and analytical data, this open source community has a more direct effect on the server level. While larger corporations like Cisco, Google, and IBM operate on the cutting edge, projects like OWASP has compiled a Top-10 Security Risks in Web Applications using data gathered in 2017.
Top Cyber Security Risks
- Injection: SQL, XML Parser, OS commands, SMTP headers
Injection-type attacks increased significantly—up 37 percent in 2017 from 2016. Code injection attacks can comprise an entire system, taking full control. SQL injection breaches the database, querying the most vital component that often houses personal information.
- Authentication: Brute force, Dictionary, Session Management attacks
Weak passwords grow more susceptible to dictionary attacks as word lists continue to inflate. Refrain from setting special character limit and max length values that discourage password complexity. Successful authentications generate random session IDs with an idle timeout.
- Security Misconfiguration: Unpatched flaws, default accounts, unprotected files/dirs
Errors were at the heart of almost one in five breaches.
- XML External Entities: DDoS, XML uploads, URI evaluation
CMS using XML-RPC, which include WordPress and Drupal, vulnerable to remote intrusion. There have been many instances of pingback attacks used to send DoS/DDoS traffic. In most cases, the XML-RPC files can be removed completely. XML processors can evaluate URI, which can be exploited to upload malicious content.
- Insufficient Logging & Monitoring
Preventing irreparable data leaks requires awareness. 68% of breaches took months or longer to discover. Logging and monitoring alerts are essential for recording irregularities.
Future of Cyber Security
Knowledge of the risks is the best defense. Preparedness of the seemingly inevitable attack is the greatest asset in a world network crawling with vulnerabilities. It’s no question that security starts with the individual. The majority of IT professionals agree that related courses should be a requirement. Vulnerabilities will occur as technology progresses, as a community, we can see the importance of data and analytics in innovation.
Explore GigeNET’s DDoS Protection services or chat with our experts now to create a custom solution.