Introduction
The Open Web Application Security Project (OWASP) is a non-profit organization committed to providing unbiased and practical information about all forms of application security (Shahriar, 2013). The organization updated its top ten web security vulnerabilities in 2017 to give developers and security professionals practical guidance on the most critical risks commonly found in web applications, risks that are also easy to exploit. Many web security experts consider these ten application risks dangerous because they may allow attackers to plant malware, gain unauthorized access to data, and steal information (Imperva, 2018). This paper describes risk mitigation approaches for the OWASP top ten vulnerabilities by identifying the name of each vulnerability, a method of prevention, and a suitable tool.
Vulnerabilities, Prevention Techniques, and Suitable Tools
Injection, which includes flaws such as SQL, LDAP, and CRLF injection, is the first type of vulnerability identified by OWASP (Ackermann, 2013). Such risks occur when an attacker sends harmful data to an interpreter, which executes it as a command without proper authorization. Application security testing is the best approach for detecting and preventing injection flaws. In addition, web developers and security experts should use parameterized queries as the primary tool when coding, so that user input is always treated as data rather than as part of the command. The second type of vulnerability, broken authentication and session management, results from incorrectly configured user and session authentication that, in turn, allows web-based attackers to compromise keys, passwords, and session tokens. Such attackers can also take control of user accounts and assume those users' identities. The best approach to preventing this vulnerability is the use of multi-factor authentication (Ackermann, 2013). It is implemented with tools such as FIDO alongside dedicated authentication applications that help minimize the risk of compromised accounts.
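The following added example (not part of the original essay) shows the difference between the flaw described above and the parameterized query recommended as its prevention. It uses Python's built-in sqlite3 module with a constructed in-memory table; the function names and sample rows are assumptions made for the illustration.

```python
import sqlite3


def build_db():
    # Constructed sample data in an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_role_concat(conn, name):
    # Vulnerable pattern: the input is pasted into the SQL text, so the interpreter
    # cannot tell data from command. Even an honest name with an apostrophe breaks
    # the statement, which is the symptom of the injection flaw the essay describes.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_role_param(conn, name):
    # Hardened pattern: a parameterized query. The statement is compiled first and
    # the value is bound afterwards, so whatever the input contains stays data.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    # Runs both lookups for a plain name and a name containing a quote character
    # and returns the outcomes so they can be compared side by side.
    conn = build_db()
    results = {}
    for name in ("alice", "O'Brien", "nobody"):
        try:
            results[("concat", name)] = find_role_concat(conn, name)
        except sqlite3.OperationalError as exc:
            results[("concat", name)] = "error: " + str(exc)
        results[("param", name)] = find_role_param(conn, name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated query fails on the legitimate name O'Brien, while the parameterized query returns the correct role for every input and never lets the input alter the statement.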
The third vulnerability is sensitive data exposure, which results from applications that do not adequately protect such information. The best approach to preventing it is the use of data encryption techniques, which also help people and organizations comply with data protection rules and regulations (Imperva, 2018). AxCrypt, which is similar to 7-Zip, is a useful tool for effective data encryption. XML external entity (XXE) processing, which occurs as a result of inappropriately configured XML processors, is the fourth type of vulnerability identified by OWASP. Prevention of this vulnerability entails the use of a static application security testing (SAST) tool, which can discover risks by inspecting flawed configurations and dependencies. The fifth risk, broken access control, occurs as a result of flawed configuration of, or a lack of, restrictions on authenticated users, which allows attackers to access unauthorized data (Shahriar, 2013). Penetration testing is the best approach for detecting non-functional access controls so that they can be corrected. Some of the best penetration testing tools include Metasploit, Wireshark, and the Network Mapper (Nmap).
Security misconfiguration is the sixth type of vulnerability. This risk results from improper implementation of the controls intended to keep application data safe (Ackermann, 2013). Such mistakes include missing security headers, verbose error messages, and failure to upgrade systems. The dynamic application security testing (DAST) approach is essential in preventing this vulnerability because it detects potential misconfigurations, including leaky APIs. Examples of DAST tools include HCL AppScan, Appknox, and Acunetix. The seventh vulnerability, cross-site scripting (XSS), consists of a wide range of flaws that enable attackers to inject client-side scripts into the application and, in turn, redirect users to malicious websites (Imperva, 2018; Shahriar, 2013). Security testing and developer training are crucial in preventing this risk because they allow programmers to avoid cross-site scripting through output encoding and input validation, supported by tools such as cloud-based scanning services and IBM Rational AppScan.
The eighth vulnerability, insecure deserialization, consists of flaws that enable attackers to execute code in the application remotely, which can lead to the deletion of serialized objects (Imperva, 2018). Conducting frequent penetration testing is the best approach to preventing such risks, supported by SAST and DAST tools. The use of components with known vulnerabilities is the ninth risk. Such components are difficult to update and often result in multiple system flaws. Hence, software composition analysis is the best prevention approach, and SAST and DAST tools are also valuable in preventing such vulnerabilities. Lastly, insufficient logging and monitoring is a critical vulnerability that allows attackers to gain unauthorized access to systems and misuse data without being noticed (Shahriar, 2013). Frequent logging and monitoring of the system, combined with penetration testing tools like Metasploit, Wireshark, and Nmap, can provide an effective solution.
Conclusion
Web application security is crucial to the success of an organization. Contemporary organizations are exposed to a wide range of vulnerabilities that may have far-reaching effects on their operational sustainability. However, as discussed in this paper, web developers can use a wide range of strategies and tools to prevent the vulnerabilities that may lead to unauthorized access.
References
Ackermann, T. (2013). IT security risk management: Perceived IT security risks in the context of cloud computing. Wiesbaden: Springer Gabler.
Imperva. (2018, January). Protect your applications against all OWASP top 10 risks. Imperva. https://www.imperva.com/docs/IM_eBook_Ten_OWASP_Threats.pdf
Shahriar, H. (2013). Security vulnerabilities and mitigation techniques of web applications. ResearchGate, 1(2), 11-20. https://www.researchgate.net/publication/266654806_Security_vulnerabilities_and_mitigation_techniques_of_web_applications
Cite this page
OWASP Top 10 Web Security Vulnerabilities of 2017 - Essay Sample. (2023, Aug 01). Retrieved from https://proessays.net/essays/owasp-top-10-web-security-vulnerabilities-of-2017-essay-sample