The top 10 web security pitfalls to avoid
When creating, maintaining or operating an information technology system, it's always useful to know what sort of pitfalls you need to watch out for.
Some might be just bumps in the road, others could be better described as a sheer cliff face.
This is particularly true when it comes to security as most people working on such projects aren't security professionals themselves. This makes it more difficult for them to anticipate where problems might be lurking.
One handy resource for dealing with this is the Top 10 list of root causes created and maintained by OWASP (Open Web Application Security Project). This list is compiled based on data from across the industry and attempts to identify which types of security issues are proving to be the most problematic.
Because compiling and producing such a list is very time-intensive, it doesn't get updated very often; the previous edition dates from 2017.
On the 15th of this month, however, OWASP released a preview of the 2021 Top 10 list, and it makes for some interesting reading. The diagram below, taken from the OWASP website, shows the changes graphically.
I won't bore you by going through the list one by one; I'll only touch on some of the highlights. If you're interested, you can check out the list itself.
The top risk in 2021 is Broken Access Control. This can manifest in a number of ways but is often seen where applications use the cloud for file or database storage, as the permissions around these tend to end up quite complex. Broken Access Control can allow data to be copied out, or potentially allow unauthorised use of the system itself. Forgetting to set any username or password at all also falls under this category, and that too has been on the rise in recent years.
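To make the category concrete, here is an added example (not code from the article or from OWASP) showing the two shapes the problem takes: an object lookup that never asks who is calling, beside one that denies by default and checks ownership or an explicit role. The document store, user names and roles are constructed sample data.

```python
"""Object-level authorisation: the vulnerable lookup beside the hardened one.
Added illustration; the store, users and document ids are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store: two tenants, one document each.
DOCS: Dict[int, Document] = {
    1: Document(1, "alice", "alice's quarterly report"),
    2: Document(2, "bob", "bob's payroll export"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the object."""


def get_document_vulnerable(doc_id: int) -> Document:
    # Broken access control: whoever supplies an id gets the object.
    # Nothing ties the request to a caller, so any caller can read any record,
    # and an unauthenticated caller is treated exactly like an authenticated one.
    return DOCS[doc_id]


def get_document(user: Optional[User], doc_id: int) -> Document:
    # Hardened: deny by default, then allow only the owner or an explicit admin role.
    if user is None:
        raise Forbidden("anonymous access is not permitted")
    doc = DOCS.get(doc_id)
    if doc is None:
        # Same error as for an unauthorised read, so the response does not reveal
        # which ids exist and which the caller merely may not see.
        raise Forbidden("document not available")
    if doc.owner != user.name and "admin" not in user.roles:
        raise Forbidden("document not available")
    return doc


if __name__ == "__main__":
    alice = User("alice")
    print(get_document(alice, 1).body)          # allowed: alice owns document 1
    try:
        get_document(alice, 2)                  # denied: bob's document
    except Forbidden as exc:
        print("denied:", exc)
```

The hardened version makes the authorisation decision in one place, with the caller's identity as an explicit input; the "cloud storage" version of this bug is the same mistake expressed as a bucket policy or database rule that grants access to anyone who knows the object name.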
Cryptographic failures occur when something goes wrong with encryption and (more often than not) results in sensitive data leaking. Although adding TLS to a website is pretty much point and click today, when it comes to doing something more custom in nature with cryptography, the potential for catastrophic failure is never far away. Generally, when implementing such systems using tooling such as GPG (an encryption tool) or existing toolchains, there's not too much that can go wrong, assuming the system is well tested. The real issues tend to crop up when we try to build our own. For almost everyone, that is a really, really bad idea.
If you want to stay out of this category, make sure you're only using off-the-shelf tools.
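What "off the shelf" means in practice, as an added example that is not from the article: a hand-rolled integrity token built from a bare hash and compared with `==`, beside the same job done with the standard library's HMAC and constant-time comparison. The secret and the messages are constructed sample values.

```python
"""Integrity tokens: a hand-rolled construction beside the off-the-shelf one.
Added illustration; the key and messages are constructed sample values."""
import hashlib
import hmac
import secrets

# Constructed demo key. In practice load it from a secret store, never from source.
SECRET = secrets.token_bytes(32)


def homegrown_token(message: bytes, key: bytes = SECRET) -> str:
    # "Roll your own": SHA-256 over key||message. This construction is subject to
    # hash length-extension, and the verifier below compares with ==, which leaks
    # timing. Kept only to contrast with the vetted form; do not use it.
    return hashlib.sha256(key + message).hexdigest()


def homegrown_verify(message: bytes, token: str, key: bytes = SECRET) -> bool:
    return homegrown_token(message, key) == token  # not constant-time


def make_token(message: bytes, key: bytes = SECRET) -> str:
    # Off the shelf: HMAC-SHA256 (RFC 2104) from the standard library.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_token(message: bytes, token: str, key: bytes = SECRET) -> bool:
    # Constant-time comparison: a mismatch in the first byte costs the same
    # as a mismatch in the last, so the comparison itself leaks nothing.
    return hmac.compare_digest(make_token(message, key), token)


if __name__ == "__main__":
    msg = b"amount=10&to=alice"
    tok = make_token(msg)
    print("valid:", verify_token(msg, tok))
    print("tampered:", verify_token(b"amount=10&to=mallory", tok))
```

Both versions "work" on the happy path, which is exactly why the homegrown one survives review; the difference is only visible if you already know the failure modes, and that knowledge is what the library encodes for you.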
Insecure design is getting more attention now as we try to catch problems earlier in the development process (commonly referred to as "shifting left"). Generally, the faster you catch an issue, the cheaper it is to fix. Ideally, you'd want to pick up problems before you've even started building the system. That means threat modelling is due a resurgence, and whilst that is no bad thing, it can be disruptive. It's not uncommon to attempt perfect threat modelling and then run out of time to actually build the thing. Use what makes sense, but don't try to make everything fit.
Keeping things up to date is also critical, and I don't just mean making sure patches are applied. Software should be revisited often, cultivated and improved. This helps to make sure that when something urgent comes along, you don't find that in order to fix that bug, you also need to do a thousand other things at the same time. This is never fun at 4 am in a freezing data centre. Trust me...
Lastly, I want to touch on logging and monitoring failures. Like backups, monitoring and logs are never given the love and attention they need, until it's far too late. These essentials are all too easy to overlook but can be devastating if they aren't working when you need them. Check your logs regularly, looking for the daily "everything's fine" updates as well as the hopefully rare "everything failed". With monitoring, come to love and depend on it. If it's not in monitoring, it does not exist. Once you've got your platform fully covered, you'll be able to rest safe in the knowledge that any hiccup will be brought to your attention immediately.
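The two checks above (the expected "everything's fine" heartbeat that must keep arriving, and the rare failure that must never be missed) as an added example, not code from the article: a small check run over a constructed log sample that flags services that have gone silent, services that never reported at all, and any failures they logged. The log format, service names and timestamps are assumptions made for the illustration.

```python
"""Monitoring check over a constructed log sample: flag services that have gone
silent, services absent from the log entirely, and logged failures.
Added illustration; the log format, service names and timestamps are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample: ISO timestamp, service, level, message.
SAMPLE_LOG = """\
2021-09-16T03:55:00 backup   INFO   heartbeat everything's fine
2021-09-16T03:56:00 web      INFO   heartbeat everything's fine
2021-09-16T03:57:00 backup   ERROR  snapshot upload failed: disk full
2021-09-16T03:58:00 web      INFO   heartbeat everything's fine
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, service, level, message); skip lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, service, level, msg = m.groups()
        yield datetime.fromisoformat(ts), service, level, msg


def check(log_text: str, expected: Set[str], now: datetime,
          max_silence: timedelta) -> Dict[str, List[str]]:
    """Return {service: [findings]} for every expected service with a problem.

    A service with no findings is omitted, so an empty dict means all clear."""
    last_heartbeat: Dict[str, datetime] = {}
    failures: Dict[str, List[str]] = defaultdict(list)
    for ts, service, level, msg in parse(log_text):
        if "heartbeat" in msg and (service not in last_heartbeat
                                   or ts > last_heartbeat[service]):
            last_heartbeat[service] = ts
        if level in ("ERROR", "CRITICAL"):
            failures[service].append(msg)

    findings: Dict[str, List[str]] = defaultdict(list)
    for service in sorted(expected):
        seen = last_heartbeat.get(service)
        if seen is None:
            # "If it's not in monitoring, it does not exist": silence is a finding.
            findings[service].append("never reported a heartbeat")
        elif now - seen > max_silence:
            findings[service].append(f"silent since {seen.isoformat()}")
        for msg in failures.get(service, []):
            findings[service].append(f"failure: {msg}")
    return dict(findings)


def run_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed sample at an assumed 'now'."""
    return check(SAMPLE_LOG, {"backup", "web", "db"},
                 now=datetime(2021, 9, 16, 4, 0, 0),
                 max_silence=timedelta(minutes=3))


if __name__ == "__main__":
    for service, items in run_sample().items():
        for item in items:
            print(f"{service}: {item}")
```

The important design point is that the list of expected services is an input, not something inferred from the log: a service that never writes a line would otherwise be invisible, which is the failure mode the paragraph warns about.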
The new OWASP categories aren't too surprising and reflect the greater complexity and dependence on cloud technology. The list is well worth checking out in full, but it should be noted that this is just a basic list to get you started. There are other resources (including the AppSec program by OWASP) if you want to do real assurance.
Peter Membrey is Chief Architect at ExpressVPN, based in Hong Kong. He is responsible for driving engineering excellence within ExpressVPN and has co-authored over a dozen books and a number of research papers on information security issues. He is a member of IT Professionals NZ.