By Amit Ashbel
National Cybersecurity month has come and gone in a flurry of analyzing security practices and determining which areas need more attention. But instead of waiting another year to revisit the topic, companies should carve out time regularly to ensure they’re keeping security top of mind and avoiding falling victim to vulnerabilities.
The hard part is knowing what to look for and where to look. Security weaknesses in applications that expose sensitive data on the internet are a vector all companies should focus on. Here are the five most prevalent application vulnerabilities under continual probing.
Sensitive Data Exposure: I can bet you don’t want information such as banking details, Social Security numbers, tax IDs and passwords to be up for grabs in the hacker world, right? Unfortunately, when security controls like SSL and HTTPS aren’t properly implemented, data can be leaked or stolen through a sensitive data exposure vulnerability. Ensuring that employees and customers can trust that their data is safe needs to be a priority.
SQL Injection Attacks: The name alone is intimidating, but what does it mean? This form of attack results from malicious or untrusted data being sent to a code interpreter, which then runs it as a command or query against a database; the crafted data fools the interpreter into handing over data or executing unwanted commands. According to IT World, 97 percent of data breaches worldwide are due to a SQL injection flaw.
Cross Site Request Forgery Attacks (CSRF): Imposter! That's essentially what's going on when a CSRF attack occurs. Hackers forge an HTTP request that appears to come from the victim, lay claim to data such as authentication information and/or cookies, and then generate seemingly legitimate requests to trick their victims.
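The standard defense is to require, on every state-changing request, a token that the browser does not send automatically the way it sends cookies. The following is an added example (not from the essay or Checkmarx) of a per-session anti-CSRF token derived with an HMAC and checked in constant time; the server secret, the request dictionaries and the function names are constructed assumptions.

```python
import hashlib
import hmac

# Assumed: a server-side secret kept out of source control (constructed here).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    # The token is an HMAC of the session id: another origin cannot guess it,
    # and a token from one session is useless for any other.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    return method.upper() in {"POST", "PUT", "PATCH", "DELETE"}


def check_request(request: dict) -> bool:
    """Return True if the request may proceed.

    `request` is a constructed dict with keys: method, cookies (dict),
    form (dict). Read-only methods pass; state-changing ones need a token.
    """
    if not is_state_changing(request["method"]):
        return True
    session_id = request["cookies"].get("session")
    if not session_id:
        return False
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so a mismatch does not leak where it occurred.
    return hmac.compare_digest(submitted, expected)


def demo():
    sid = "sess-constructed-0001"
    # Legitimate: the form was rendered by the site, so it carries the token.
    legit = {"method": "POST", "cookies": {"session": sid},
             "form": {"amount": "10", "csrf_token": issue_csrf_token(sid)}}
    # Forged: a cross-site page auto-submits a form; the browser attaches the
    # session cookie, but the attacker's page never saw the token.
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"amount": "10"}}
    readonly = {"method": "GET", "cookies": {"session": sid}, "form": {}}
    return check_request(legit), check_request(forged), check_request(readonly)


if __name__ == "__main__":
    print(demo())  # legitimate allowed, forged rejected, GET allowed
```

The forged request carries a perfectly valid session cookie, which is exactly why a cookie alone cannot prove the user intended the action; the token, embedded in the site's own form, is what the cross-origin page cannot supply. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, but the server-side token check is the one the application can rely on by itself.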
Cross-Site Scripting (XSS) Attacks: This form of attack attempts to trick a browser into accepting data that isn't from a trusted source. If successful, XSS allows the attacker to take over a user session, cause damage to a website, or force the user to visit another site. What's worse? There actually are three types of XSS attacks, referred to as Stored XSS, DOM Based XSS and Reflected XSS.
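For the stored and reflected variants, the root cause is untrusted text being written into HTML without encoding for that context. This added example (not from the essay or Checkmarx) renders a constructed user comment both ways so the difference is visible; the page template, the `render_*` names and the sample comment are assumptions.

```python
import html

# Constructed page fragment into which user-supplied strings are placed.
PAGE = "<p>Comment from {user}: {body}</p>"


def render_unsafe(user: str, body: str) -> str:
    # Vulnerable: untrusted strings are concatenated straight into the HTML,
    # so any markup they contain becomes part of the page the browser runs.
    return PAGE.format(user=user, body=body)


def render_safe(user: str, body: str) -> str:
    # Hardened: encode for the HTML text context. quote=True also escapes
    # quotes, which matters if these strings ever land inside an attribute.
    return PAGE.format(user=html.escape(user, quote=True),
                       body=html.escape(body, quote=True))


def has_script_tag(rendered: str) -> bool:
    # Crude detector used only to show which rendering still carries a tag.
    return "<script" in rendered.lower()


def demo():
    user = "eve"
    body = "<script>alert('xss')</script>"  # constructed stored-comment input
    unsafe = render_unsafe(user, body)
    safe = render_safe(user, body)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe, "| active markup:", has_script_tag(unsafe))
    print("safe:  ", safe, "| active markup:", has_script_tag(safe))
```

Encoding is context-specific: `html.escape` is correct for text nodes and quoted attribute values, but a string placed inside a `<script>` block, a URL, or an inline event handler needs that context's own encoding, and the DOM-based variant requires the same care in client-side JavaScript that builds markup from `location` or user input. Templating engines that auto-escape by default remove most of the opportunity to forget.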
Using Components with Known Vulnerabilities: This seems like an obvious one, but unfortunately some companies will use components they know have vulnerabilities. The best advice is to stop doing that right now. Components, especially libraries and frameworks derived from the open source community, should never be used when there are known vulnerabilities in the code. Doing so lets hackers come in and leverage attacks such as SQL injection and XSS.
These vulnerabilities are just some of many that can hurt a company, so ensure safer practices year-round and proactively identify potential blind spots. Maintain an ongoing checklist and incorporate education with developers to streamline the security process. It’s better to be safe rather than sorry.
Amit Ashbel, cyber security evangelist for Checkmarx, wrote this guest essay for ThirdCertainty.com.