Application Security Threats: The OWASP Top 10

Published by Marshal on

There are countless security threats that affect software applications.

However, the Open Web Application Security Project (OWASP) Top 10 list compiles the application threats that are most prevalent and severe, and most likely to affect applications in production.

AppSec initiatives must focus at least on these high-profile threats to modern applications:

  1. Injection—code injection involves a query or command sent to a software application that contains malicious or untrusted data, so that the data is interpreted as part of the query or command rather than as a plain value. The most common form is SQL injection, but it can also affect NoSQL databases, operating system commands, and LDAP servers.
  2. Broken Authentication—many applications have inadequate or malfunctioning authentication and authorization functions. This can allow an attacker to steal user credentials, or easily gain access without appropriate credentials.
  3. Sensitive Data Exposure—applications and APIs may openly expose sensitive data belonging to the organization or its customers, including financial or payment details and personally identifiable information (PII).
  4. XML External Entities (XXE)—attackers can make malicious use of external entity references in XML documents, due to vulnerabilities in old XML parsers. These can be used to gain access to internal files, scan ports, and execute code remotely.
  5. Broken Access Control—restrictions for authenticated users are not implemented correctly. An attacker could use this to gain access to unauthorized functions or data, access another user’s account, view sensitive files, or change permissions for other users.
  6. Security Misconfiguration—even if an application has security features, they can be misconfigured. This commonly occurs because no-one changed the application’s default configuration. This includes failure to patch operating systems and frameworks.
  7. Cross-Site Scripting (XSS)—allows an attacker to run a malicious script in a user’s browser. This can be used to steal their session, redirect users to malicious sites, or perform defacement of websites.
  8. Insecure Deserialization—faults in the way serialized data is read from a file or network stream and reconstructed into an object. This can enable malicious code execution, privilege escalation, and replaying activity by authorized users.
  9. Using Components with Known Vulnerabilities—multiple vulnerability databases report known vulnerabilities in software components. Software that uses a vulnerable component (even just as a dependency of one of its components) is exposed to attack.
  10. Insufficient Logging & Monitoring—many applications may not have means of identifying or recording attempted breaches. This can mean that breaches go undetected, and attackers may perform lateral movement to compromise additional systems.


Marshal’s Recruitment Channel provides the means for you to scale your Cyber Security Teams in the following ways.

  1. SaaS “End to End” Recruitment Application: build and manage a Talent Pool.
  2. Recruitment Projects: Tap directly into the Marshal network to access applicant data for ad hoc recruitment needs, in a “pay as you go” format.
  3. Executive Search: fully outsourced recruitment process, operating on a placement fee basis.

Contact Us for more details.

Categories: Resilience