Top Common Application Security Risks

Zeeshan Baig
Dec 26, 2020 · 4 min read

In today’s world, an online presence is not just desirable but a necessity for any modern business. Going online, however, brings its own challenges: any loophole in application security can lead to a cyber-attack and ruin the reputation of the organization.

OWASP, the Open Web Application Security Project, is an open-source community dedicated to providing organizations around the world with free, practical resources to support application security.

One of OWASP’s main projects is to track the top security risks that exist in today’s world (the OWASP Top 10).

In this post, I will summarize them as a quick overview. In my future posts, I will share how to actually mitigate these risks in the AWS cloud (coming soon).

Security Misconfiguration

Probably the most common issue. It is typically the result of insecure default configurations, incomplete setup, open cloud storage, misconfigured HTTP headers, or exposing sensitive data such as PII or PHI in logs.

To prevent security misconfiguration, organizations should not treat it as a one-time affair. It is a continuous practice: keeping an eye on configurations, patching systems, and updating the OS and software in a timely fashion.

Injection

Injection used to mean SQL injection, but it is no longer limited to SQL: NoSQL, LDAP, OS command, and other injections exist too. Basically, it is any loophole in application code or logic that allows an attacker to access data without authorization.

Using proper query techniques such as bind variables (parameterized queries), along with firewalls and other configurations, helps avoid injection issues in an application.

Cross-Site Scripting (XSS)

XSS is essentially injection into a webpage: it occurs whenever an application includes untrusted data in a page without proper validation. XSS allows attackers to modify an existing page by injecting their own HTML or JavaScript into the application, which could hijack user sessions, deface the website, or redirect users to malicious sites.

With proper firewalls and configuration you can avoid XSS issues in your applications.
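An added example, not from the original post, of the "untrusted data in a webpage" problem at the code level: a comment renderer that escapes values for the HTML body and attribute contexts and only accepts http(s) links for the author's homepage (so a link cannot be used to redirect into an arbitrary scheme). The `render_comment` and `safe_href` functions and the sample values are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Assumed policy for this example: only absolute web links are accepted in href.
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Return the URL if it is an absolute http(s) link, otherwise a harmless '#'.

    Relative links are rejected too; widen the policy deliberately if they are needed.
    """
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return "#"
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return "#"
    # Attribute context: '&' in a query string must still be encoded.
    return html.escape(url)


def render_comment(author, text, homepage):
    """Build an HTML fragment from untrusted author, text and homepage values."""
    # html.escape with quote=True (the default) encodes & < > " ' so the same
    # escaped value is safe both inside an element and inside a quoted attribute.
    safe_author = html.escape(author)
    safe_text = html.escape(text)
    return (f'<div class="comment" data-author="{safe_author}">'
            f'<a href="{safe_href(homepage)}">{safe_author}</a>'
            f'<p>{safe_text}</p></div>')


def render_comment_unsafe(author, text, homepage):
    """For contrast only: the raw interpolation the text above warns about."""
    return (f'<div class="comment" data-author="{author}">'
            f'<a href="{homepage}">{author}</a><p>{text}</p></div>')
```

Escaping is context-specific: this covers the HTML body and quoted attributes, not data placed inside inline JavaScript or CSS, which needs its own encoding.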

Broken Authentication

Broken authentication is one of the biggest issues these days. It allows hackers to compromise passwords, IDs, keys, or tokens and gain access to your data.

Using Multi-Factor Authentication (MFA) and other techniques you can improve the authentication process, even if your primary authentication mechanism is weak.

Data Exposure

Many applications do not properly protect sensitive data from exposure, such as Personally Identifiable Information (PII), Protected Health Information (PHI), financial and other sensitive data. Attackers may steal or modify sensitive information to commit cyber crimes such as credit fraud, identity theft, and others.

Implementing strong encryption, security, authentication, and authorization controls could protect sensitive data from being unintentionally exposed.

Insufficient Logging and Monitoring

Insufficient logging and monitoring allows attackers to keep attacking a system without being noticed. Attackers are continuously looking for loopholes in web applications, and any delay in detecting a data breach can be very harmful to an organization.

Implementing logging tools, establishing a baseline, and monitoring continuously can prevent delays in detecting security breaches.
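What "baseline analysis" looks like in practice, as an added example that is not part of the original post: a small detector that parses constructed login log lines and flags any source whose failed logins in a sliding window exceed a multiple of its normal rate. The log format, the sample lines, the baseline figures and the 3x factor are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the demonstration (not from a real system).
SAMPLE_LOG = """\
2020-12-26T10:00:01Z login result=success user=alice src=198.51.100.7
2020-12-26T10:00:05Z login result=failure user=bob src=198.51.100.7
2020-12-26T10:01:10Z login result=failure user=alice src=203.0.113.5
2020-12-26T10:01:12Z login result=failure user=bob src=203.0.113.5
2020-12-26T10:01:15Z login result=failure user=carol src=203.0.113.5
2020-12-26T10:01:20Z login result=failure user=dave src=203.0.113.5
2020-12-26T10:09:00Z login result=failure user=alice src=203.0.113.5
not a login event at all
"""
# Assumed baseline: normal failed logins per source per 5-minute window.
BASELINE = {"198.51.100.7": 1, "203.0.113.5": 1}

LINE_RE = re.compile(r"^(?P<ts>\S+) login result=(?P<result>success|failure) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def failures_over_baseline(lines, baseline, window=timedelta(minutes=5), factor=3):
    """Return {src: peak_count} for sources whose failed logins in any sliding
    window exceed factor * baseline; peak_count is the largest window seen."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["result"] == "failure":
            by_src[event["src"]].append(event["ts"])
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        threshold = factor * baseline.get(src, 1)  # unseen sources get the lowest baseline
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts
```

Lines that do not parse are dropped here; in production they should be counted, since a parser silently discarding events is itself a monitoring gap.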

Broken Access Control

In many organizations, authenticated users have more access than they require. For example, in the cloud, giving developers administrative access to the account gives attackers an opportunity to damage the infrastructure or applications in the event of a security breach.

I once saw a developer upload AWS access keys to GitHub, and within a few hours there were 100+ instances running bitcoin mining on their account.

By applying the principle of least privilege to access controls, we can prevent potential damage to the security of IT systems.

Known Vulnerabilities

Most data breaches happen due to vulnerabilities that were left open. Frameworks, libraries, and other modules run with the same privileges as the application. If a vulnerability in one of them is exploited, attackers could expose sensitive data or take over the system.

By keeping systems up to date with patching and configuration, and enabling logging and monitoring, organizations can control vulnerability issues that could otherwise cause a data and security breach.

Insecure Deserialization

Deserialization is the process of restoring a byte stream into the original object.

Insecure deserialization is when untrusted user data is deserialized by an application. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application and execute remote code, leading to attacks including replay attacks, injection attacks, and privilege escalation.
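The defensive side of the above, as an added example that is not from the original post: deserializing untrusted input through a data-only format (JSON) into a fixed, explicitly validated structure, so the input can never choose which class is instantiated or what code runs. The `Order` shape, its field rules and the sample documents are assumptions for the example.

```python
import json
from dataclasses import dataclass


class DeserializationError(ValueError):
    """Raised for any input that is not exactly the expected shape."""


@dataclass(frozen=True)
class Order:
    order_id: int
    item: str
    quantity: int


# The only keys accepted; anything extra (e.g. type hints or class names) is refused.
ALLOWED_KEYS = {"order_id", "item", "quantity"}


def load_order(raw):
    """Turn untrusted JSON text or bytes into an Order, or raise DeserializationError."""
    try:
        data = json.loads(raw)   # data-only format: no object construction is driven by input
    except (ValueError, UnicodeDecodeError) as exc:   # JSONDecodeError is a ValueError
        raise DeserializationError(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise DeserializationError("expected a JSON object")
    if set(data) != ALLOWED_KEYS:
        raise DeserializationError(f"unexpected keys: {sorted(set(data) ^ ALLOWED_KEYS)}")
    # Explicit type checks: bool is a subclass of int in Python, so exclude it.
    for key in ("order_id", "quantity"):
        if isinstance(data[key], bool) or not isinstance(data[key], int):
            raise DeserializationError(f"{key} must be an integer")
    if not isinstance(data["item"], str) or not data["item"]:
        raise DeserializationError("item must be a non-empty string")
    if data["quantity"] <= 0:
        raise DeserializationError("quantity must be positive")
    return Order(**data)


def is_rejected(raw):
    """True if load_order refuses the input (handy for checking the rules)."""
    try:
        load_order(raw)
    except DeserializationError:
        return False or True
    return False
```

The same discipline applies to any format: native object serializers that rebuild arbitrary classes from the stream (Python's pickle, Java's ObjectInputStream) should never be fed untrusted bytes at all.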

XML External Entities (XXE)

And the last one from the OWASP Top 10 list is XML External Entities. XXE is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. Older or poorly configured systems often let attackers view or access internal files such as file-system contents or server configuration via the URI handler or other methods.

Conclusion

Hopefully you found this post useful and are now familiar with the top common security risks that exist in today’s world. If you have any questions, feel free to contact me on LinkedIn or Twitter.

About DataNext

DataNext Solutions is a US-based system integrator, specialized in Cloud, Security, and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost optimization, Integration, Security, Compliance, and Managed Services. Visit our website www.datanextsolutions.com for more info.

DataNext Solutions

Cloud | Security | DevOps | Big Data

Zeeshan Baig

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn http://bit.ly/zb-linkedin
