The Open Web Application Security Project (OWASP) has released the 2013 edition of its Top 10 list of the most critical web application security risks, the first update since 2010. Injection flaws remain the greatest threat facing software developers, and many other items on the list are unchanged from the 2010 report. To combat software security issues, developers are encouraged to follow a secure development lifecycle and code review practices, while organizations are advised to apply more scrutiny when choosing software vendors.
The OWASP Top 10 draws on eight data sets from seven application security firms, spanning more than 500,000 vulnerabilities across hundreds of organizations, the report noted. The categories are ranked primarily by prevalence, combined with consensus estimates of exploitability, detectability and impact. The organization added that ensuring application security goes far beyond its top 10 items.
The top vulnerability issues
Injection flaws – such as SQL, OS and LDAP injection – remained the most prevalent class of vulnerability. Broken authentication and session management flaws moved from third to second on the list, while cross-site scripting errors, insecure direct object references and security misconfigurations rounded out the top five, respectively.
The top three categories have all been known issues for years, but they remain prevalent because of ingrained development habits, inconsistent testing and inattention to secure development approaches, experts told eWEEK. Taken together, the high occurrence of flaws such as SQL injection and XSS means that an average organization with hundreds of business-critical applications is likely to expose many points of attack.
One notable change in this year's list is the addition of the ninth-ranked category, "Using Components with Known Vulnerabilities," one software security expert told eWEEK. The emergence of this category suggests that many application flaws are introduced through the use of unverified third-party code.
Developers can better address this problem with third-party code by applying code review processes and tools to the libraries they depend on, as well as by keeping close track of vulnerability databases such as the NVD and the CVE entries it indexes, the report noted. Similar approaches are valuable for addressing all of the issues on the list.
OWASP recommended developers define and implement application security requirements and standard security controls. Additionally, organizations are advised to follow a secure development lifecycle and to make security part of the initial design considerations for an application. OWASP researchers noted that building security into applications is cheaper than retrofitting them.
Rather than chasing after individual vulnerabilities, organizations should look to establish application security controls and to make security part of the culture among employees, the report explained. To achieve these goals, organizations can take advantage of peer code review techniques combined with automated tools.
“Use tools wisely,” the report recommended. “Security vulnerabilities can be quite complex and buried in mountains of code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.”
In the case of injection flaws, for instance, scanning the code for the places where the application hands data to an interpreter can be one of the best approaches, the report noted. Developers should confirm that every use of an interpreter clearly separates untrusted data from the command or query, for example by using a parameterized interface rather than building the query from strings.
“Checking the code is a fast and accurate way to see if the application uses interpreters safely,” the report stated. “Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application.”
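The point about separating untrusted data from the query is easiest to see side by side. The following is an added example, not code from the report or from Klocwork: it builds a constructed in-memory SQLite table of two sample accounts (plaintext passwords are used only to keep the query demonstration short; a real system would store hashes) and runs the same hypothetical attacker inputs through a login check that splices input into the SQL text and through one that binds it as parameters.

```python
import sqlite3

# Constructed sample accounts for the demonstration; not data from the article.
SAMPLE_USERS = [
    ("alice", "correct-horse"),
    ("bob", "battery-staple"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """A1 pattern: untrusted input is spliced into the SQL text, so the
    interpreter cannot tell data apart from command structure."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened form: the query structure is fixed before the input arrives
    and the input is bound as parameters, so it can only be compared as a value."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def run_demo():
    """Run legitimate and hostile inputs through both versions; return the rows each yields."""
    conn = make_db()
    # Hypothetical attacker inputs: a comment-based bypass of the password
    # check ("--" starts a comment in SQLite) and a tautology that matches every row.
    comment_bypass = "alice' --"
    tautology = "' OR '1'='1"
    results = {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "wrong_pw_vulnerable": login_vulnerable(conn, "alice", "nope"),
        "wrong_pw_parameterized": login_parameterized(conn, "alice", "nope"),
        "comment_vulnerable": login_vulnerable(conn, comment_bypass, "nope"),
        "comment_parameterized": login_parameterized(conn, comment_bypass, "nope"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_parameterized": login_parameterized(conn, tautology, tautology),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print("%-24s %s" % (name, rows))
```

Both versions accept the correct credentials and reject a wrong password, so functional testing alone does not distinguish them. The difference shows only with hostile input: the concatenated version logs in as alice with no password for the comment payload and returns every account for the tautology, while the parameterized version returns nothing for either because the quote characters are just bytes in a bound value. This is the property a code reviewer or static analysis tool is looking for when it traces data from an input to an interpreter call.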
While application vulnerabilities will remain an issue as attackers look for new ways to compromise their targets, developers can take some comfort in the fact that the most common risks are familiar and can be addressed through a secure development lifecycle, code review and static analysis tooling. By combining the right tools with human expertise, organizations can mitigate these threats.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.