What is OWASP Top 10 and Why is it Necessary?
The Open Web Application Security Project (OWASP), is a non-profit organization, dedicated to enable digital businesses track and develop trustworthy security measures and applications. The organization periodically releases an awareness document for web application security known as The OWASP Top 10. The document states the 10 most critical security threats that could affect web applications. OWASP believes in securing the digital economies and does this by making the security testing materials freely accessible across the internet. The materials include videos, tools, forums and other necessary documents.
The Latest in OWASP Top 10
The Top 10 is a regularly-updated report which clearly outlines the security concerns for web applications. The latest list of the top 10 is as follows:
Injection – Whenever there is a possibility, for the uninvited hacker, to transfer hostile data packets to the interpreter – It’s an injection flaw.
Broken Authentication – In case of broken authentication, the attacker gets unauthorized access to credentials, administrative account lists and more, due to the availability of thousands of username/password combos.
Sensitive Data Exposure – These are typically indirect manual attacks. In this method, the text data en-route to the client is stolen midway.
XML External Entities (XXE) – Due to this shortcoming the attackers gain access to web pages or services that process XML. Effective pen-testing skills with manual steps are required to exploit this loophole whenever found.
Broken Access Control – This can be detected using manual ways of detection or through automation. The need is to find the absence of access controls in different frameworks.
Security Misconfiguration – This loophole can lead to provide unauthorized access to attackers. This may involve access to unprotected files, pages or unpatched flaws of the system.
Cross-Site Scripting (XSS) – One of the most prevalent issues in the top 10 list is XSS. All the 3 forms of XSS – Reflected, Stored & DOM can be exploited with automated tools.
Insecure Deserialization – Included based on industry survey, this flaw requires frequent human assistance to validate.
Using Components with Known Vulnerabilities – Possible to detect with scanners such as retire.js and header inspection. However, in order to verify its exploitability, it requires an attack with a dedicated effort for custom exploit.
Insufficient Logging & Monitoring – Lack of monitoring lures the attackers to achieve their goals within the stipulated time.
Is Adhering to The OWASP Top 10 Sufficient in a Security Testing Effort?
The answer to the question could have been a ‘Yes’ if the items on the ‘Top 10’ list changed at regular intervals. Seasoned security experts are well aware of the commonly occurring vulnerabilities such as the XSS, SQL Injection or exposure of sensitive data. However, the stagnancy of data in the ‘Top 10’ list makes it an insufficient one for security testing. While the list is updated, just the top 10 alone do not make the cut to make this effort full proof.
The original intent of the ‘Top 10 list’ was to serve as a set of guiding principles, made for developers to follow but is now misinterpreted as an instrument of fear, uncertainty and doubt (FUD) for security testing. Robust security testing emphasizes on training developers on how to develop an app in a secured environment and combine knowledge & technology to make the app secure.
The list may serve as an excellent common ground to share and discuss security related coding and testing practices but on the contrary, neglects critical vulnerabilities other than the ‘Top 10’. Out of the current list mentioned above #1, #2, #3, #5, #6, #7, #9 are carried forwards from the ‘Top 10’ list of 2013. We are not undermining them being carried forward but the important aspect is that with evolving technologies, devices on which apps are used and the concerted efforts by hackers, this list alone is not sufficient.
With the evolution of technology, the digital ecosystem has taken an overall shift. This has given rise to an entirely new generation of testing suites, such as agile methodologies which are advanced testing methods. Despite the presence of such tools, developers use conventional security testing methods, while adhering to the ‘Top 10’ list, and give the attackers a chance to dig in.
To further extend this discussion around security testing, let’s look at the popular areas of Security Testing.
Popular Security Testing Methods & Areas
This is an unknown app vulnerability that can be used to cripple the hardware, data, network or at the most, an entire system. The name ‘zero-day’ signifies that the security testers have no time or zero days to fix this issue as it may have already malfunctioned the system. This is one of the favourite vulnerabilities of the illegal hackers’ community as it enables them to trigger an attack on the very same day, as the system is already exposed and there are no fixes.
The attacks may lead to trojans, polymorphic worms and different types of malware. These attacks cannot be prevented however, in order to tackle them on an immediate basis the developers need to stay updated with knowledge of fresh bugs.
Also, mock practices are a salient way to keep the response team in an ‘active mode’, so that they are ready to act as soon as the threat announces itself.
Investing in newer technologies and training the response teams with the latest in the industry could greatly limit the impact of these vulnerabilities.
HIPAA Compliance Penetration Testing
We have already talked about how HIPAA Compliance must be strictly adhered to, for ensuring enhanced security in the healthcare industry. For overall protection vulnerability scanning is simply not sufficient, this is where HIPAA penetration testing (also known as pen-testing) comes into the picture. This is a highly effective manual testing method that attempts to exploit the healthcare vulnerabilities and tries gaining access to ensure data security.
The security team must be well aware of the general threats and past analytics about any known threats. In order to execute a successful HIPAA pen-testing session the developers must be well versed with:
Internal & external testing ( attack perspective from inside as well as outside the system)
Black hat attacks (SQL injection, remote access attacks)
Knowledge of front-end technologies
Networking protocols & technologies
Application language & API’s
With effective HIPAA penetration testing, the security team must be able to identify potential threats and vulnerabilities. They must also be able to outline any projection of possible future threat occurrences, the impact and the necessary security measures that can be adhered to.
PCI DSS Penetration Testing
Payment Card Industry Data Security Standard (PCI DSS) security compliance is for organizations that handle credit cards as payment modes via online gateways. The standard was introduced to protect the owner’s data and reduce the security vulnerabilities around the credit cards.
PCI DSS security testers must be highly trained and updated with the latest technologies so that they can detect the potential PCI Data Security loopholes, present in the environment. The pen-testing techniques should be planned in such a way that it not only identifies the vulnerabilities but also detects the possibilities in which they can be exploited. This method can help the security testers to effectively pinpoint the areas that need damage control. The testers must be able to:
Protect the Credit Card holder’s data
Build, monitor, test and maintain a Secure Network
Introduce stringent access control measures
Maintain an information security policy
Organize a vulnerability management program
It is necessary to understand that a loophole in the app can have the capability to replicate itself and give birth to similar vulnerabilities in different architectural layers. It thus becomes important for the security testers to carefully scan the system for any flaw in the security system while preparing solutions. A comprehensive risk analysis is an effective way to ensure enhanced security.
The OWASP Top 10 list of vulnerabilities serves as a basic yet critical checklist for security developers, which however has its own limitations. A security testing engineer must understand that any possible vulnerability in a product has the capacity to undermine time, energy, financial, healthcare and all other critical infrastructures. The legal repercussions can also be very severe. Hence while a list such as OWASP Top 10 are used as a base, they cannot be solely relied upon in a comprehensive security testing effort. Testing needs to happen at application, network, API, database, physical premises levels to ensure all vulnerabilities have been accounted for.
With the increasing complexity of the modern day applications, the responsibility of a security engineering team increases accordingly, which thus demands continuous knowledge base upgrades. With the rapid development processes, the risks are even more critical and demand immediate solutions.
The current generation of security engineers cannot solely rely on one single list; instead should start leveraging their organization’s capacity to curate and strategize more accurate and advanced security strategies. Remember, bugs come in all shapes and sizes!