Getting started with application security: Scott Treacy


Securing web applications can be daunting. Even if you’re experienced with network security you need to learn a new set of skills, and a new language.

But there is a comprehensive, and free, set of resources online to help people and organisations get started.

The Open Web Application Security Project (OWASP) is a non-profit foundation for improving the security of software from the design stage through to deployment. It offers resources for general software security but also a host of excellent material for securing web applications.

The owasp.org website provides clear descriptions of the main techniques used to attack applications along with explanations of the main vulnerability types. For each vulnerability and attack type there is a clear, detailed article outlining risk factors, examples, ways to test and protect yourself and links to other relevant resources. It works as a great jargon buster but also provides enough detail to start building defences against the most common attacks.

There is also a separate section on controls – the various categories of security counter-measures you can take to protect your organisation.

The top web app security risks you need to know about

But OWASP’s most famous resource is its Top 10 Web Application Security Risks report.

This list provides a great high-level view of current application security threats. It does not cover every possible threat but is a solid foundation for any defence strategy. It can also be used as a rough-and-ready baseline when tendering projects to make sure your supplier is taking the right steps.

But the list is more than just the 10 most common threats or attacks. Eight of the spots on the list go to the most often reported and identified application vulnerabilities. Uniquely, the other two slots are reserved for issues that the community believes may become a problem in the near future but are not yet reflected in the historical data collected. So it provides a view of what is happening now as well as a prediction of what the future holds.

If you understand the risks of the OWASP top 10 and have targeted defences in place, you have the right foundations to defend your web applications. And of course, Barracuda can help your organisation build on this foundation to provide defensive depth with our Web Application Firewalls (WAFs) and our WAF-as-a-Service.

The number one spot on the current list is injection flaws, a common attack exploiting legacy code, in which an attacker uses unverified data fields to push commands into your databases.
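To make the mechanism concrete, here is an added example (not code from the original post, OWASP or Barracuda) using Python's built-in sqlite3 module. The table, rows and the tampered input are constructed for illustration. It shows the defect the paragraph describes, untrusted input concatenated into the SQL text so it becomes part of the command, alongside the hardened form, where the statement structure is fixed and the input is bound as a parameter:

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory database with example rows only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # DEFECT: the field value is spliced into the SQL text, so whatever the
    # user types is interpreted as part of the command, not as data.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    # Hardened form: the statement is fixed; the driver binds the value as
    # data, so it can never change the query's structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_validated(conn, username):
    # Defence in depth: reject anything outside the expected shape before it
    # reaches the database at all, then still use a bound parameter.
    if not USERNAME_RE.fullmatch(username):
        return None
    return lookup_parameterised(conn, username)


# Constructed input no legitimate user would submit: it contains a quote and
# an always-true clause, which only the string-built query will honour.
TAMPERED = "nobody' OR 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, TAMPERED))    # every row leaks
    print("parameterised:", lookup_parameterised(db, TAMPERED))  # no match
    print("validated:    ", lookup_validated(db, TAMPERED))      # rejected
```

The vulnerable lookup returns every row for the tampered value because the quote closes the literal and the rest is parsed as SQL; the parameterised lookup returns nothing, because the whole string is compared as one username. The validation layer is extra: parameter binding alone is the fix for injection, and the allow-list just narrows what reaches the database.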

Second place goes to problems with authentication that allow attackers to compromise passwords or session tokens, letting them either assume the identity of a user or take advantage of a genuine user session that wasn't closed after use.
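The session side of that risk comes down to how tokens are issued, expired and retired. As an added example (not code from the original post, OWASP or Barracuda), here is a small in-memory session store in Python; the class name, the 15-minute idle timeout and the injectable clock are assumptions made for illustration. It generates unguessable tokens from the OS random source, stores only a hash of each token so a leaked store does not yield usable sessions, expires sessions left idle, and invalidates a token on logout or rotation so a session that was "closed after use" really is closed:

```python
import hashlib
import secrets
import time


class SessionStore:
    """Constructed in-memory session store for illustration only."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.clock = clock                # injectable for testing
        self._sessions = {}               # sha256(token) -> {"user", "last_seen"}

    @staticmethod
    def _key(token):
        # Store a hash, not the token itself, so the store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        # 32 random bytes from the CSPRNG: not guessable or predictable.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "last_seen": self.clock()}
        return token

    def resolve(self, token):
        """Return the user for a live token, or None if unknown, expired or retired."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[key]  # idle too long: retire rather than revive
            return None
        entry["last_seen"] = now     # activity extends the session
        return entry["user"]

    def logout(self, token):
        # Server-side invalidation: clearing the cookie in the browser is not enough.
        self._sessions.pop(self._key(token), None)

    def rotate(self, token):
        """Issue a fresh token for the same user and retire the old one
        (for example after login or a privilege change)."""
        user = self.resolve(token)
        if user is None:
            return None
        self.logout(token)
        return self.create(user)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    tok = store.create("alice")
    print(store.resolve(tok))       # alice
    store.logout(tok)
    print(store.resolve(tok))       # None
```

The two behaviours worth checking are that an old token stops resolving once the idle timeout passes or logout runs, and that rotation leaves exactly one live token per session. A real deployment would also bind the token to a secure, HttpOnly cookie and enforce an absolute lifetime in addition to the idle timeout.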


Practical help and tools for securing and testing web and mobile apps

OWASP also offers tutorials, how-to guides and step-by-step advice for securing and testing mobile applications and web applications. It provides several open-source tools, such as a set of generic attack-detection rules to use with open-source firewalls that provide basic web application security. And it has tools that can help you dig down into the components of your existing applications and probe them for known vulnerabilities or out-of-date code.

The OWASP top 10 list is about to be refreshed – the organisation just sent out the questionnaires for members to suggest the two wild cards to be included. This is a key feature of web application security – the threat landscape changes far more rapidly than with network or hardware security.

The OWASP top 10 provides a great way to keep on top of current threats, but web application security really does change on a daily basis.

How Barracuda can help

Of course, you could choose to take the worry out of staying up to date. Barracuda offers a complementary Vulnerability Manager that can check your website for hundreds of vulnerabilities, including those on the OWASP top 10. That report can be linked to Barracuda’s Web Application Firewall and WAF-as-a-Service, which can then automatically mitigate unpatched vulnerabilities using the Vulnerability Remediation Service.
