10 Common Web Application Security Mistakes
December 4, 2018
From the biggest data breaches and cyber-attacks of the past decade, it is quite clear that marginal and careless mistakes and lapses in web application security have turned out to be dangerous. Even big players have faced heavy losses, not just monetarily but in terms of customers, trust, brand image, and goodwill as a result of the attacks.
We have compiled the list of 10 most dangerous website security mistakes that you must avoid.
1. Invalid inputs
By not validating what content and inputs get uploaded, the website is left vulnerable to injection attacks like cross-site scripting (XSS), SQL injection, command injection, and other such security attacks. Input uploads must be validated from both the server and browser ends. Often, organizations validate inputs only from the browser end because it is easy and fail to validate server end inputs which leads to malicious/malformed data/scripts to run on the website and its databases.
2. Irregular or no website security scans
The importance of regular website security scanning cannot be stressed enough. It is only through regular scanning that we can find vulnerabilities and gaps that exist, and accordingly, fix them. Organizations often make the cardinal error of not scanning their websites every day and after major changes to the business policies, systems, etc.
3. Authentication and permissions
- Weak root passwords from the admin or server end like admin, 1234, or other commonly used words. These can be easily cracked using password-cracking programs and if the password is cracked, the website will be compromised.
- Not enforcing a strong password policy and multi-factor authentication for the website users. When the website allows its users to continue with default passwords, allows weak passwords without password expiry, and relies uni-dimensionally on passwords for security, the organization is making itself vulnerable to breaches and attacks.
- Giving administrator permissions and privileges mindlessly to end-users and external entities make the website vulnerable.
- Changing folder and file permission structures based on poor advice from the internet to fix permission errors but opening the website up for anyone to change its structure, modify codes, and run malicious programs.
4. Unconsolidated security measures
It often happens that organizations and web developers are not thinking of website security in a holistic manner and therefore, adopting unconsolidated security measures. For instance, they may employ a web security scanner but not a Web Application Firewall (WAF). So, the vulnerabilities and gaps are effectively identified by the scanner, but the website is left in the vulnerable condition till the vulnerabilities are fixed (which takes over 100 days even for critical vulnerabilities) or the developers are focusing on patching the website instead of fixing the vulnerabilities.
5. Homegrown security methods and algorithms
Based on the flawed assumption that homegrown/self-developed algorithms and methods are better and that they are safer as attackers are unfamiliar, developers employ these homegrown and ‘authentic’ security measures. This just increases the probability of vulnerabilities and gaps that can be easily detected by attackers and the bots they employ. It is always better to use well-tested methods and algorithms.
6. Outdated software, Components with known vulnerabilities & unnecessary/unwanted components
Updates contain critical patches and by not updating the software regularly, we are just sending out invitations to attackers (who continuously snoop around for loopholes and security lapses) to orchestrate breaches. Old and wanted files, applications, databases, etc. not being cleaned out from the website create portals for attackers.
Developers using components that are known to have vulnerabilities such as unpatched third-party software, outdated plug-ins, open-source components, uninspected and copy-pasted codes, etc. too make the website insecure, weak and susceptible to attacks.
7. Not tested on a regular basis
While website scanning needs to be done every day and after major changes, it is not sufficient. It is essential to test every bit of code, software, updates, and a component that goes on the website. Also, quarterly penetration testing and security audits by certified security experts is a must. This will ensure that your website is secure and that your users are well-protected.
8. Unencrypted sensitive data
One of the most dangerous mistakes committed by organizations is not encrypting sensitive data such as personal information, credit card, and baking details, passwords, etc. at all times (transit, rest and storage) By not encrypting all the sensitive data and having it plain text format, we are simply increasing the risk of exposure.
9. Missing function level access control
When sensitive request handlers have insufficient or non-existent authentication check, the vulnerability that results is known as a missing function level access control. Example- an unauthorized entity can access a URL that contains sensitive information or hidden functionality, etc. because there is no authentication check put in place. The impact of this vulnerability varies from access to unimportant information to complete website takeover by attackers.
10. Lax attitude towards website security
This is the most dangerous of all website security mistakes. The top management must have a proactive attitude towards website security, investing wisely for the right purposes, developing a sound cybersecurity strategy, and honing a culture of proactivity and preparedness within the organization as well. Silos must be broken, and critical information must be seamlessly shared across departments.
Employing an intelligent, comprehensive, and managed website security solution like AppTrana is a definite way forward. AppTrana takes a 360-degree view of web application security and provides round-the-clock, end-to-end website security with zero assured false positives through everyday scanning of the website, blocking malicious/bad requests by patching the application-layer vulnerabilities until fixed, continuously monitoring for DDoS attacks, analyzing attack patterns and so on. It combines the power of technology and automation with the irreplaceable human expertise of certified security professionals to secure your website while you concentrate on your core business activities.
Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn
