Software Security Testing 101
This post discusses an approach to web security testing as recommended by the Open Web Application Security Project aka OWASP Foundation.
Web security is complicated and broad, and many of the risks can be mitigated by following an approach called the OWASP Top 10. This approach is not foolproof (nothing is), but it does ensure that your application is protected from the most prevalent and obvious vulnerabilities. Basically, it is a list of vulnerability categories with the most prevalent on top. The list is updated regularly to keep up with the ever-changing landscape as software evolves. The list below has been kept simple and is not meant to be a deep dive.
OWASP Top 10 Categories of Security Vulnerabilities 2022
- Broken Access Control - This is when users are able to carry out activities they should not have permission to perform.
- Cryptographic Failures - Occurs when data such as passwords, credit card numbers, names and other important information is exposed because it is not protected by appropriate cryptography (in transit or at rest).
- Injection - Essentially this refers to the ability of attackers to include commands in many forms (SQL, XML, OS commands and many more) that cause applications to behave in unintended ways, exposing data or worse.
- Insecure Design - This is due to a lack of business profiling inherent in the system being developed resulting in a failure to determine what level of security is required.
- Security Misconfiguration - Covers quite a few areas including the installation of unnecessary features, default accounts still being enabled, out-of-date software and much more.
- Vulnerable and Outdated Components - This is caused by components, operating systems, libraries, databases etc being out of date or out of support. There are many systems that need to be scanned and patched on a regular basis to mitigate this risk.
- Identification and Authentication Failures - Occurs not only when applications are not properly secured with strong passwords, but also when brute-force attacks are possible, password recovery procedures are weak, sessions are exposed or passwords are handled in plain text, just to name a few.
- Software and Data Integrity Failures - This is when malicious code is introduced, unauthorised access is granted and system compromise occurs because of the use of untrusted code sources, repositories and content delivery networks. Sometimes these occur unwittingly due to software automatically updating in an effort to mitigate other risks without the source being properly vetted and verified.
- Security Logging and Monitoring Failures - This category is in place to help detect, escalate and respond to active threats. There are too many instances where no one is aware that security breaches have occurred.
- Server-Side Request Forgery - With the rise of cloud services, web applications fetch remote resources without validating user-supplied URLs. Applications can be coerced into sending crafted requests to unexpected destinations.
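The SSRF item above says the root cause is fetching user-supplied URLs without validation. The following is an added example (not OWASP code, and not from the original post) of what that validation can look like: a strict hostname allowlist that also rejects the URL shapes that defeat naive string checks, plus a second gate applied to the addresses the allowlisted name resolves to. `ALLOWED_HOSTS` and the address strings are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load its own.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}


def classify_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return "allowed", or a short reason why the server must not fetch url."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises for a non-numeric or out-of-range port
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "scheme"              # file://, gopher://, dict:// etc. are never fetched
    if parts.username is not None or parts.password is not None:
        return "userinfo"            # "https://allowed@other/" defeats substring checks
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        return "no-host"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # allowlist is by name, so 127.0.0.1 or [::1] never pass
    except ValueError:
        pass
    if host not in allowed_hosts:
        return "host"
    if port not in (None, 80, 443):
        return "port"
    return "allowed"


def resolved_addresses_are_public(addresses) -> bool:
    """Second gate, applied to what the allowlisted name actually resolves to.

    DNS for an allowlisted name can still point at an internal address, so every
    resolved address must be globally routable. The caller passes the resolver's
    results; the addresses used in testing here are constructed strings."""
    if not addresses:
        return False
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped      # ::ffff:10.0.0.5 is really 10.0.0.5
        if not ip.is_global:
            return False             # loopback, private, link-local, reserved
    return True
```

Connect to the resolved address you checked rather than re-resolving the name, otherwise a DNS answer that changes between the check and the fetch bypasses the second gate.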
There is no such thing as a 100% secure application, but you can make it as secure as possible by addressing the OWASP Top 10 to protect your important information technology assets.