Critical AppSec Risks

Every business is under the threat of a data breach. Identity Theft Resource Centre (ITRC) has published a report which shows 17% increase in data breaches as of September 2021. Every sector has its own set of threats. As per records, the manufacturing & utility sector had 48 million victims in 2021, which was the highest. Another study showed that nearly 100 million Android users’ data were leaked due to several misconfigurations.

This shows that application security has become a significant problem for businesses. This article provides you with the Top 10 most critical application security risks you need to concentrate on to avoid data breaches. 

1.    Broken Access Control

Recent research revealed that, in 2021, nearly 94% of the applications were vulnerable to Broken Access Control. Access Control is enforced in every organization to prevent unauthorized access to sensitive information. However, when the policies are misconfigured, it might lead to many security issues. The most common access control vulnerabilities are

• Privilege Escalation

• Parameter Tampering

• Insecure Direct Object Reference (IDOR)

• CORS Misconfiguration

Tips to Prevent Broken Access Control

• Minimize Cross-Origin Resource Sharing

• Make sure the backup files from the root directory are deleted

• Disable Web Server Directory Listing

• Rate Limit API requests

• Enforce Stateful Session

2.    Cryptographic Failures  

Cryptography has been in practice ever since cyber threats have emerged. However, still insecure data encryption exposes sensitive data like health records, personal information, credit card numbers, and other business secrets. Encryption and Decryption are based on the cryptographic keys used. If the keys are weak and vulnerable, data loss is inevitable. It is necessary to check whether the same key is used twice, weak keys are generated, or any keys are reused. 

For example, when an application does not use proper database encryption and decryption, a security breach might leak the entire database.

Tips to Prevent Cryptographic Failures

• Never store sensitive data unless it’s necessary

• Ensure to encrypt all sensitive data

• Disable the cache of sensitive data

• Enforce mandatory usage of authenticated encryption

• Enable cryptographic randomness

3.     Injection 

Injection vulnerabilities are one the most common ways which lead to serious data breaches. As of 2019, SQL injection attacks were the highest among all the critical vulnerabilities. Nearly 94% of the applications were tested for injection-based vulnerabilities in which nearly 19% of the applications were found to be vulnerable.

An injection vulnerability refers to the injection of unvalidated input into the server, which will execute malicious commands. Some of the common types of Injection vulnerabilities are

• SQL injection

• Command Injection

• CRLF injection

• LDAP injections

Tips to Prevent Injection attack

• Use safe APIs

• Sanitize user-supplied inputs

• Use LIMIT controls in SQL

• Use Character-escaping functions

• Use best-in-class WAF  

• Use IDS and Positive Server-side validation

4.     Insecure Design

As of 2021, architectural and design flaws have become a major problem for businesses. Lack of business risk profiling is the main factor for insecure design. Insecure design and insecure implementation are two different things but are directly proportional. A secure design constantly evaluates all the codes and threats and protects from attack methods.

Tips to Prevent Insecure Design

• Regular plausibility checks

• Make a Secure Software Development Lifecycle

• Document every test-case

• Note down all the misuse cases on every stage of the application

5.     Security Misconfiguration

Human errors are the most prevalent form of error when it comes to cyber security. Nearly 90% of the servers were tested for security misconfiguration. A range of 280,000 servers was vulnerable due to poor security configuration. Significant human errors include:

  • Having default settings
    • No limitation on accessing cloud storage
    • HTTP header misconfiguration
    • Error messages that led to sensitive data exposure

Tips to Prevent Security Misconfiguration

• Regularly monitor cloud resources, applications, and servers

• Use segmented application architecture

• Remove unused features and services

6.     Vulnerable and Outdated Components

Businesses often depend on open-source libraries and frameworks for their application. Hence, any vulnerability in an open-source library creates a great security impact. Most of the data breaches reported were due to vulnerable and outdated components. This security issue arises due to:

• Lack of knowledge in the components versions used

• Out of date or vulnerable software in the application server

• Not testing the capabilities of patched or upgraded libraries

• Not using secure components

Tips to Prevent Vulnerable & Outdated Components

• Remove unnecessary features or files

• Be up to date on the latest security vulnerabilities

• Regularly scan all the vulnerable components

• Frequently patch application vulnerabilities

7.    Identification and Authentication Failures

Authentication of a specific user is crucial for any application. Many cyberattacks attacks happen due to poor identification and authentication. Authentication related issues arise when an application:

• Allows automated tasks like credential surfing

• Doesn’t restrict automated tasks

• Allow weak passwords

• Has weakly hashed data stores

• Shows Session Token in the URL

• Doesn’t enforce MFA

Tips to Prevent Authentication Failures

• Enforce MFA and make it mandatory

• Create Strong Password Policies

• Enable time-limited sessions

• Disable Session IDs in URL

8. Software and Integrity Failures

Software and integrity failure arises when the code and infrastructure fail to prevent integrity violations. For example, an integrity failure may arise when an application is built upon plugins, modules, or libraries from a source that is not genuine. Many applications are automatically updated without sufficient integrity verification. Cybercriminals can exploit these updates by uploading malicious payloads.

Tips to Prevent Software & Integrity Failures

• Ensure a review procedure for code and configuration modifications

• Host an internal approved repository

• Segregate and configure your CI/CD pipeline securely

• Restrict unencrypted or unsigned data from untrustworthy clients

 9. Insufficient Logging and Monitoring

Proper logging and monitoring is the most important factor to consider when securing an application. Many of the data breaches were due to insufficient monitoring of traffic. Without monitoring, breaches are hard to detect. Some of the common issues that can be detected through logging and monitoring involve:

• Events of multiple login attempts

• Unclear log messages

• Locally stored logs

• Real-time attacks that are not alerted

Tips to Prevent Insufficient Logging & Monitoring

• Server-side inputs, access control, logins attempts must be logged

• High-value transactions must be monitored

• Use open-source application protection frameworks 

• Effective monitoring and quick response over suspicious activities

10. Server-Side Request Forgery (SSRF)

 Requesting an unauthorized resource by redirecting a request from a trusted application is called Server-Side Request Forgery (SSRF). Attackers use crafted requests to attack the application. Since cloud services are rising, fetching a remote resource through a request from an application has become inevitable. Hence, SSRF is also increasing.

Tips to Prevent Server-Side Request Forgery 

• Enforce positive allow list

• Prevent raw response from clients

• HTTP redirections must be disabled

• Use network encryption for independent systems

Application security attacks are becoming more common because they are easier to carry out and can be very profitable for attackers. Businesses need to invest in better security technologies and procedures to keep their data and systems safe.

Indusface provides the best service for web application security, firewalls, SSL certificate, and many other services that can help to keep your business safe. It provides an affordable risk-based approach to application security, fully managed web application scanning, and firewall with no false positives.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.