As web applications are becoming increasingly complex and dynamic, so are the
malicious actions taken on them. The security of a web application or service is vital to maintain
proper function of the application, protect the users of the application, and protect the data
transferred through or stored by the web application. Every application has vulnerabilities, and
being able to detect them and protect against threats is the first step in protecting information
through web application security.
In an effort to raise awareness of threats to software, and to enhance the security of
applications, the Open Web Application Security Project (OWASP) started the OWASP Top Ten
Project that “represents a broad consensus about what the most critical web application security
flaws are”. This project details the most common risks to applications, educating others on how
to identify security vulnerabilities and steps to prevent, or mitigate, threats to web applications
and software. As of 2013, OWASP has identified the following as the top 10 web application
security risks:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
This list does not cover every risk to web applications, and not every listed risk applies to
each individual application.
The purpose of this blog is to provide knowledge and understanding of today's web application
security standards. Follow us as we answer the questions relevant to securing
information on the world wide web:
• What is a threat?
• How do you detect breaks in the security of a web application/service?
• What steps can be taken to protect information?
Knowing the web application, and knowing its users, will help identify the relevant risks. The most
powerful tool in securing an application is continuous improvement of its security.
A collaboration from 3 SPSU students, enrolled in IT6753, on Web Application Security.
Sunday, February 16, 2014
Defining Web Application Security
OWASP's top 10 is a good list. Maybe we can use it to design a 10 module course. How many of these involve programming?
I find it interesting that a lot of security risks start in the organization. By that I mean that a lot of them are not caused by outsiders. Of course, outsiders cause threats, but a lot of types of threats are caused accidentally.
I agree with Prof. Zheng: the list of top 10 security threats is a great resource. It's definitely a good starting point for us to start doing our own research!
I was extremely impressed with your blog and the owasp.org website. I am a strong advocate of simplicity whenever possible when it comes to technology. When I found the "Cheat Sheet" security guidance section for those new to security development created by experts, it was very refreshing. Good stuff!
Kerrie Scott, CleverAnalytics
Prof. Zheng, I highly believe it is possible to build a course on these risks. And each risk can require unique security mechanisms, and all of them could involve programming! You can write a program from both sides of the attack as well (security mechanism vs. hacking software). Many of the tools can transfer over to implement protection from other risks as well.
Tony, I agree that there are a significant number of security risks that begin within the organization. But we must never discredit the threat from the unknowns.
OWASP's top 10 is a great starting point, and there are several companies who have also conducted research that we will be mentioning as we blog!
Great post! The popularity of websites is resulting in the growth of web threats. Web 2.0 websites increase the vulnerability of the Web due to the use of modern web technologies nowadays. While users benefit from more interactive and dynamic web applications, they are also exposed to security risks inherent in client-side processing.