Threats and vulnerabilities to application systems

As a security professional, one must focus on the following while considering security for applications:

  • Asset: An asset is basically a resource. It may be a computer, operating system, database management system and so on.
  • Threat: This is an event that could compromise an asset by exploiting the weaknesses or vulnerabilities in the asset.
  • Threat agent: A threat cannot manifest on its own. It needs an agent to exploit vulnerabilities. For example, hacking is a threat. Not having suitable patch management control or monitoring control is a vulnerability. Hacking is done by a hacker. Hence, a malicious hacker is a threat agent for unethical hacking.
  • Vulnerability: This is a weakness in the system that a threat agent could exploit. Inappropriate change controls or insufficient security testing in a software development process is an example of weak development processes. Such weaknesses could introduce vulnerabilities in the software.
  • Attack: This is a technique used by a threat agent to exploit vulnerabilities. For example, a malicious hacker would inject malformed data into a web application to exploit a weakness for gaining access.
  • Countermeasures: These are preventative, corrective, or reactive steps to address a vulnerability or an attack.

Web application security

Web applications are becoming popular and used more and more by the government, universities, and business organizations. The convenience of delivering services such as banking, e-commerce, e-governance, and education from a centralized location to the users around the world is taking this technology to dizzying heights. However, the World Wide Web (WWW) or the Internet is an open network that can be accessed by anyone using a connected computer. Due to its open nature, web applications are prone to innumerable security threats and vulnerabilities.

Common web application vulnerabilities

The Open Web Application Security Project (OWASP) is a volunteer-based project that lists the following vulnerabilities that are common to web applications.

OWASP groups and classifies viruses, worms, Trojan horses, and logic bombs as non-target-specific threat agents.

  • Access control vulnerability: Vulnerabilities in access control mechanisms or code include authentication and authorization related errors. Some of the common issues include the following:
    • Password management errors including empty passwords, hard-coded passwords, or password aging
    • Authentication bypasses
    • Unsafe mobile code
  • Code permission vulnerability: This type of vulnerability is due to improper permission setup for the code to run. The exploitation of such a vulnerability would give higher privilege access to programs.
  • Code quality vulnerability: The quality of code is based on various parameters. Vulnerabilities such as leftover debug code, memory leak, undefined behavior, undefined initialization, and so on will affect the quality of code from a security perspective.
  • Cryptographic vulnerability: Vulnerabilities that arise due to algorithm issues fall under this category. Some of the vulnerabilities pertaining to cryptography include insecure or incorrect algorithms, inappropriate use of algorithms, implementation errors, and key management problems.
  • Environmental vulnerability: Vulnerabilities related to environment configuration such as improper setup or insecure default settings will fall under this category.
  • Error-handling vulnerability: Information leakage, improper handling of error conditions, null pointer exceptions, and so on will fall under error-handling vulnerability.
  • General logic error vulnerability: This includes logical errors due to branching or process priority.
  • Input validation vulnerability: Here, the sanitization of data provided as input is insufficient. For example, a form element expecting a number as input may be provided with code as input. If such code is not validated at the input stage, then it may be executed internally in the application, thereby creating a security violation.
  • Logging and auditing vulnerability: This includes weak monitoring mechanisms.
  • Password management vulnerability: This includes insufficient password rules and password strength.
  • Path vulnerability: This includes multiple paths to the target resource with some of them being insecure.
  • Protocol error: This signifies weaknesses related to communication protocols.
  • Range and type error vulnerability: This vulnerability is related to upper and lower bound memory errors.
  • Sensitive data protection vulnerability: This vulnerability is related to weak encryption and/or sensitive data in publicly accessible locations.
  • Session management vulnerability: This vulnerability is related to weaknesses in preserving session data.
  • Synchronization and timing vulnerability: This vulnerability is related to race conditions that allow an insecure process to be executed before a security control implementation.
  • Unsafe mobile code: This is code executed on the client side that has weaknesses which may allow unauthorized access.
  • Use of dangerous APIs: This includes weaknesses in Application Programming Interfaces.
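The input validation vulnerability in the list above (a numeric form field that receives code instead of a number) is easiest to see side by side with its fix. The following Python is an added example and is not code from the original text or from OWASP; the field name `quantity`, the four-digit pattern and the limit of 1000 are assumed business rules, and the sample submissions are constructed. The unsafe parser coerces the field by evaluating it, so the expression `2*3` is executed rather than rejected; the hardened parser allow-lists the syntax first, then enforces the range (which also covers the range and type error category), and the handler returns a generic message instead of echoing the rejected input (the error-handling category).

```python
import re
from typing import Optional

# Constructed sample form submissions (not from the page): one legitimate number
# and three kinds of input a numeric field should never accept.
SAMPLE_SUBMISSIONS = {
    "quantity": "12",
    "expression": "2*3",
    "overflow": "99999999",
    "garbage": "12abc",
}


def parse_quantity_unsafe(raw: str) -> int:
    """Vulnerable coercion: trusts the field to be a number and lets Python
    evaluate whatever string arrived, so "2*3" is executed and yields 6.
    This is the 'code executed internally' failure described in the text."""
    return int(eval(raw))  # deliberately unsafe, kept only for contrast


# Assumed schema: a whole number of one to four digits, no sign, no whitespace.
QUANTITY_PATTERN = re.compile(r"[0-9]{1,4}")
# Assumed business limit for a single order line.
QUANTITY_MAX = 1000


def parse_quantity(raw: object) -> Optional[int]:
    """Hardened parser: allow-list the syntax, then enforce the bounds.
    Returns None for anything that is not a well-formed, in-range quantity."""
    if not isinstance(raw, str) or QUANTITY_PATTERN.fullmatch(raw) is None:
        return None
    value = int(raw)  # safe: the pattern guarantees plain decimal digits
    if value < 1 or value > QUANTITY_MAX:
        return None
    return value


def handle_order(form: dict) -> dict:
    """Minimal request handler placing the validation step at the trust boundary.
    A rejected value produces a fixed message that neither echoes the input nor
    leaks parser internals."""
    qty = parse_quantity(form.get("quantity", ""))
    if qty is None:
        return {"status": 400, "error": "quantity must be a whole number between 1 and 1000"}
    return {"status": 200, "quantity": qty}


if __name__ == "__main__":
    # Show the contrast on the constructed expression input.
    print("unsafe parser on '2*3':", parse_quantity_unsafe(SAMPLE_SUBMISSIONS["expression"]))
    for name, raw in SAMPLE_SUBMISSIONS.items():
        print(name, "->", handle_order({"quantity": raw}))
```

The pattern is matched with `fullmatch`, so a trailing newline or any other character outside the allow-list rejects the whole value; the bounds check runs only after the syntax check, so `int()` is never called on untrusted text.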