Web Application Security

There is no doubt that every business is integrating web applications, or has already done so, to let employees and customers interact on a daily basis. This can be an employee checking his or her email or a customer placing an order through a shopping cart application. The first problem is that the application cannot distinguish between a normal user and a criminal one. The second problem is that applications are written by humans and are therefore susceptible to bugs and errors.

Most of the threats stem from errors made while coding the application and from wrong assumptions by the programmer about how the application will be executed within the browser. Other threats rely on missing patches or system misconfiguration. As a reference we use the Top 10 threats defined by the OWASP organization for 2010 and 2013:

Year 2010 Top 10

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Year 2013 Top 10

A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards

The Solution

2Secure has developed a three-stage solution that helps mitigate these threats:

  • Perform risk assessments BEFORE and AFTER the web application is in production.
  • Based on the results from the risk assessment, implement mitigating controls.
  • Integrate safeguards during the Software Development Life Cycle (SDLC) BEFORE the application is published on the Internet or Intranet.


Ready to start a conversation about your cybersecurity assessment needs? Talk to us now.