In one of my earlier articles, I discussed Web Application Security and using OWASP guidance as one of the protective measures against threats. In this article, I will write about the OWASP Top 10 vulnerabilities.
Background and definition of OWASP
What does the acronym OWASP stand for? It stands for Open Web Application Security Project. It is a non-profit organization whose goal is to improve the security of web applications.
The OWASP Top 10
OWASP is expected to release a new Top 10 list in the first half of 2025. The list I will be writing about is the 2021 list, which is still current for now.
1. Broken Access Control: unauthorized users gain the ability to delete or modify data.
Solution: apply least-privilege policies, use role-based access control (RBAC), and regularly test for access control flaws.
2. Cryptographic Failures: parties who have not been granted access obtain information because cryptography is used poorly.
Solution: always use strong encryption standards and enforce HTTPS for data in transit.
3. Injection: an attacker supplies input that the application interprets as code, for example SQL injection or command injection.
Solution: use parameterized queries, validate all user input, and apply the least-privilege rule to database accounts.
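To make the injection point concrete, here is an added example (not from the original article) that puts a string-concatenated SQL lookup beside a parameterized one, plus an allowlist input check, against a constructed in-memory SQLite table; the table, usernames and the hostile input are all made up for the demo.

```python
import re
import sqlite3

# Constructed sample database for the demo (not from the original article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The statement is built by string concatenation, so whatever the user
    # typed becomes part of the SQL text and can change the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Placeholder binding: the driver sends the value separately from the
    # statement, so it is only ever compared as a string, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Second layer from the article's advice: validate input against an allowlist
# (hypothetical username policy: 1-32 lowercase letters, digits or underscore).
_USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(username):
    return _USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed injection input for the demo
    print(lookup_vulnerable(db, "alice"))      # ['alice']
    print(lookup_vulnerable(db, hostile))      # ['alice', 'bob']  every row leaks
    print(lookup_parameterized(db, hostile))   # []  no user is literally named that
    print(is_valid_username(hostile))          # False  rejected before any query
```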
4. Insecure Design: the application lacks security controls in its design, exposing it to attackers.
Solution: perform threat modeling and security reviews, and continually refresh the secure design patterns in use.
5. Security Misconfiguration: incorrect or insecure configuration creates gaps in the application's defenses.
Solution: use automated configuration checks, and apply security patches and updates.
6. Vulnerable and Outdated Tools: using components that are not kept up to date causes problems.
Solution: keep third-party libraries updated, monitor them continuously, and do not use unsupported software.
7. Identification and Authentication Failures: weak authentication can lead to identity theft.
Solution: enforce strong password authentication and multi-factor authentication (MFA).
8. Software and Data Integrity Failures: application code is exposed to unverified changes.
Solution: use legitimate packages and verify them; also apply a strict Content Security Policy.
9. Security Logging and Monitoring Failures: when a system does not monitor security events properly, attackers can evade detection.
Solution: centralize logging and monitoring, keep the logs in a well-secured place, and review them regularly.
10. Server-Side Request Forgery (SSRF): this allows an attacker to make the server issue requests on their behalf.
Solution: validate user input, restrict outbound requests to allowed destinations, and use firewalls to restrict access.
Conclusion