OWASP TOP 10 2017 Critical Web Application Security Risks

courtesy – hack2secure

Why Do We Need To Secure Web Applications?

Companies use web applications for every part of their business operations, from public websites to mission-critical business applications. As usage grows and vulnerabilities accumulate, web applications have become the primary target attackers use to gain access. The following are the reasons why we need to secure web applications:

  • Easy target, directly exposed Public Interface
  • Larger Attack Surface
  • Addition of Complex Design & Features increases the chances of Attack
  • The Root Cause of over 80% of Security Attacks is directly or indirectly related to the Web

Why Web Security?

With web application threats becoming a more frequent occurrence, several organizations are struggling to implement security in their web application programs, since they are unaware of what to do.

Understanding that “Security is a process, not a product” could be an ideal solution for their searches.

Web Security Testing: Current Limitations

The following are the reasons behind the failure of web security testing:

  • Organizations focus on Testing Business Functionality & Capability of Deployed Applications
  • Security Testing is the last thing considered, usually after Functional Testing
  • The current trend shows an exponential increase in the list of vulnerabilities related to Web Applications

Introducing OWASP

The Open Web Application Security Project (OWASP) is an international, non-profit, charitable open source organization. Participation is free and open to all. It is technology agnostic and contributes selflessly to the security community. OWASP advocates a risk-based approach.

OWASP Top 10: Web Application Security Risk

This document lists the 10 most critical security risks in web applications. The errors listed occur most frequently in web applications, and they are dangerous because they can allow attackers to take complete control of the software and steal data. The primary aim of the list is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities.

OWASP Risk Rating Methodology

OWASP uses its Risk Rating Methodology to analyse the severity of these risks based on their impact and prevalence.

Let us begin with the standard risk model.

OWASP has proposed a systematic Risk Rating Methodology that assists organizations in effectively analysing and managing the corresponding web security risks.

Steps Involved


Step#1: Identify A Risk

Identify the security risk that needs to be rated. This step gathers information about the following aspects:

  • Involved Threat Agents
  • Attack used
  • Vulnerability involved
  • Business Impact

Step#2: Factors For Estimating Likelihood

The main goal is to estimate the likelihood of a successful attack.

  • Threat agent factors: Estimate the likelihood of a successful attack by the group of threat agents involved
  • Vulnerability factors: Estimate the likelihood of the particular vulnerability involved being discovered & exploited

Step#3: Factors For Estimating Impact

Focus on the impact of the successful attack. It concentrates on the technical impact and business impact.

Step#4: Determining The Severity Of Risk

Proceed with the following steps:

  • Determine the Likelihood & Impact levels from their scores
  • Determine the overall Severity from the combination of the two levels

Step#5: Deciding What To Fix

Once the risks are classified, prioritize the list to determine what to fix first.

Step#6: Customizing The Risk Rating Model

Three ways to customize the model are:

  • Adding Factors
  • Customizing Options
  • Weighting Factors
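The six steps above, carried through in code as an added example (not part of the original page): each OWASP factor is scored 0 to 9, factor groups are averaged into likelihood and impact scores, the scores are banded LOW/MEDIUM/HIGH and combined through the OWASP severity table, and findings are ordered for fixing. The factor names and the severity table are the published OWASP ones; the sample scores and the finding names are constructed, and the optional weights implement the "weighting factors" customization of Step 6.

```python
"""Worked OWASP Risk Rating computation (added example, constructed scores)."""

# Factor names from the OWASP Risk Rating Methodology; each scored 0 (low) to 9 (high).
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Step 4: (likelihood level, impact level) -> overall severity, per the OWASP table.
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def level(score):
    """OWASP bands: 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def weighted_average(scores, names, weights=None):
    """Average the named factors; Step 6 'weighting factors' = weights other than 1."""
    weights = weights or {}
    total = wsum = 0.0
    for name in names:
        if name not in scores:
            raise ValueError(f"missing factor: {name}")
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be scored 0-9")
        w = weights.get(name, 1.0)
        total += scores[name] * w
        wsum += w
    return total / wsum


def rate_risk(likelihood, impact, weights=None):
    """Steps 2-4. Impact uses the business factors when all are known (OWASP's
    stated preference) and falls back to the technical factors otherwise."""
    l_score = weighted_average(likelihood, THREAT_AGENT + VULNERABILITY, weights)
    if all(name in impact for name in BUSINESS_IMPACT):
        i_score = weighted_average(impact, BUSINESS_IMPACT, weights)
    else:
        i_score = weighted_average(impact, TECHNICAL_IMPACT, weights)
    l_level, i_level = level(l_score), level(i_score)
    return {"likelihood": round(l_score, 2), "likelihood_level": l_level,
            "impact": round(i_score, 2), "impact_level": i_level,
            "severity": SEVERITY[(l_level, i_level)]}


def prioritize(findings, weights=None):
    """Step 5: order findings most severe first, ties broken by the raw scores."""
    rated = [(name, rate_risk(l, i, weights)) for name, (l, i) in findings.items()]
    rated.sort(key=lambda x: (SEVERITY_RANK[x[1]["severity"]],
                              x[1]["likelihood"] + x[1]["impact"]), reverse=True)
    return [name for name, _ in rated]


# Constructed scores for a hypothetical access-control flaw in an internet-facing app.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
                     "intrusion_detection": 8}
SAMPLE_IMPACT = {"loss_of_confidentiality": 7, "loss_of_integrity": 5,
                 "loss_of_availability": 1, "loss_of_accountability": 7,
                 "financial_damage": 3, "reputation_damage": 5,
                 "non_compliance": 2, "privacy_violation": 5}

if __name__ == "__main__":
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```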

OWASP Top 10: How Each Risk Is Analyzed

The table below illustrates how each risk is analysed in the OWASP Top 10 document:


OWASP Top 10: 2013 & 2017 Web App Security Risk

The threat environment for APIs and web applications changes continually. To stay up to date, OWASP periodically updates the Top 10 list with the most dangerous current security vulnerabilities. Recently, it announced the release of the OWASP Top 10 Critical Web Application Security Risks (2017).

Here is the comparison of OWASP Top 10 – 2013 (Previous Version) and OWASP Top 10 – 2017 (Current Version):


As shown in the above illustration:

  • The vulnerabilities A4 – Insecure Direct Object References and A7 – Missing Function Level Access Control in the 2013 list are merged and listed as A5:2017-Broken Access Control in the 2017 list.
  • Moreover, the OWASP 2017 list adds three new risks: A4:2017-XML External Entities (XXE), A8:2017-Insecure Deserialization, and A10:2017-Insufficient Logging and Monitoring.
  • The risks A8 – Cross-site Request Forgery and A10 – Unvalidated Redirects and Forwards were found in only a small percentage of applications, so both are dropped from the list of critical web application security risks.


Rapid rise in SSL TLS security vulnerabilities

Courtesy : Hack2Secure

Encryption is a valuable aid in maintaining integrity and privacy. It keeps data safe from an attacker's eyes: it stops people from stealing application usage habits, passwords, and credit card details. As technology advances, the difficulty of staying secure continues to rise. This drives people to encrypt their network traffic with the standard secure protocols, SSL/TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that enable secure communication over a network.

According to security experts' reports, most organizations have begun to encrypt their internet traffic.

According to the ESG Report:

Nearly 87% of the enterprises they measured encrypt at least 25% of their entire network traffic.

Likewise, Zscaler, Inc., the top cloud security enterprise, announced:

An average of 60% of the communication over their cloud has been using SSL/TLS.

These statements suggest that organizations have begun to believe that, with SSL/TLS, they are halfway to a safer web, protected against cookie stealing, content hijacking, eavesdropping, and censorship.

While this internet security protocol is a boon for organizations with privacy concerns, their IT teams face a huge influx of traffic that they cannot look inside without decryption technology.

Unfortunately, online attackers are now stepping up their use of SSL/TLS to conceal their malicious activities. This forces organizations to accept that the increase in SSL/TLS usage covers both legitimate and malicious activity, as attacks rely on legitimate SSL certificates to spread their malicious content.

Besides exploiting new vulnerabilities that turn SSL adoption into a weapon in the enemy's hands, attackers have found a further benefit of using SSL/TLS: it masks attack traffic and complicates its detection at both the application and the network level.

According to the Global Application and Network Security Report published by Radware:

In 2016, 39% of the surveyed organizations admitted that they had been victimized by SSL-based attack vectors.

The following figure illustrates the Radware measure regarding enterprises, which experienced SSL-based attacks.


Radware explained that the SSL based attacks come in several forms:

  • Encrypted SSL Floods
  • SSL Renegotiation
  • HTTPS Floods
  • Encrypted Web Application Attacks

In addition, the researchers of Zscaler, Inc. state that cyber criminals are turning to SSL/TLS to deliver malicious attacks. They revealed that they block approximately 8.4 million SSL/TLS-based traffic requests per day. Among those requests, they find that 600,000 contain advanced threats.

[Figure: malicious content delivered over SSL/TLS. Image source: Zscaler]

They found various attack types concealed within SSL/TLS packets. The most common types include malware, adware, exploit kits and malware call-backs.

The other key findings of the researchers on the communication over Zscaler cloud are:

  • The volume of malicious content transferred over the SSL/TLS protocol has grown in the last 6 months.
  • They have blocked around twelve thousand phishing attacks per day delivered over SSL/TLS.
  • Among the web exploits occurring per day, approximately 300 hits include SSL as part of the infection chain.
  • New malicious payloads use SSL/TLS for their C&C (command and control) traffic:
    • 60% came from various banking Trojan families
    • 25% came from ransomware families
    • 12% came from info-stealer Trojan families
    • 3% came from other assorted families

How Does It Complicate Detection And Mitigation?

Given these findings, there is no doubt that the use of encrypted traffic as an attack vector is on the rise. This rise further challenges several essential solutions for detecting and mitigating threats. Most organizations do not include inspection of SSL/TLS traffic in their security process because it demands decryption of the encrypted traffic, which is a challenge for the IT team.

SSL and encryption are effective at hiding several attributes that help determine whether traffic is legitimate or malicious. Most attack mitigation solutions fail to identify malicious traffic within encrypted sources and to isolate that traffic in order to mitigate it. Decrypting and re-encrypting SSL/TLS traffic raises the traffic processing requirements and, in many cases, requires more than the devices used for mitigating attacks can deliver. Most of those devices are stateful and inline, and are unable to manage SSL-encrypted attacks.

A Radware survey regarding the capacity of available security solutions to decrypt, inspect and re-encrypt traffic states that most are functioning blindly. Around 75% of the industry experts doubt that their security strategy offers complete protection against encrypted attacks.

As more and more attacks rely on SSL/TLS, enterprises need to take the essential steps to ensure that all their data is protected and that bad traffic is not sneaking past their defences.

Information Security Guide To Risk Management Assurance And Security Consideration

Courtesy : Hack2Secure

Security risk is a major source of uncertainty in any enterprise. Thus, organizations increasingly focus on identifying and managing such risks before they affect the business. An organization's ability to manage information security risk helps it act more confidently in protecting the business. In addition, companies should ensure that their security measures function as intended, which requires considering security in system support and operations. To help organizations, we present here an outline of risk management, security assurance and security considerations in system support and operations, with reference to NIST Special Publication 800-12 Rev. 1.

Information Security Risk Management

Risk is a measure of the extent to which an entity is threatened by an event or circumstance. It is typically a function of the adverse impact that would arise if the event or circumstance occurs and the likelihood of its occurrence.

Risk management is the process of reducing risks to enterprise operations and assets, other enterprises, individuals and the nation.

The four steps involved in risk management are:

1. Framing Risk – This step defines how enterprises establish the risk context in which risk decisions are made. Its main purpose is to produce a risk management strategy that addresses how the enterprise intends to assess, monitor and respond to risk, while making transparent and explicit the risk perceptions that the organization habitually uses in both operational and investment decisions.

2. Assessing Risk – This step defines how the enterprise evaluates risk within the context of the enterprise risk frame. Its main purpose is to determine:

  • Threats to enterprise operations and assets, other organizations, individuals, and the nation
  • Internal & external vulnerabilities of the enterprise
  • The harm to the enterprise that may occur given the potential for threats to exploit vulnerabilities
  • The likelihood that such harm will occur

3. Responding to Risk – This step addresses how the enterprise responds to risk once it has been determined by the risk assessment. Its main purpose is to provide a consistent, enterprise-wide response to risk, based on the enterprise risk frame, by:

  • Developing alternative courses of action for responding to risk
  • Evaluating the alternative courses of action
  • Determining the appropriate course of action consistent with the enterprise risk tolerance
  • Implementing risk responses according to the selected course of action

4. Monitoring Risk – This step addresses how the enterprise monitors risk over time. Its purpose is to:

  • Verify that planned risk response measures are properly implemented and that security requirements derived from or traceable to enterprise missions/functions, federal legislation, regulations, directives, standards, policies, and guidelines are fulfilled
  • Determine the ongoing effectiveness of the risk response measures
  • Identify changes to the system and the organization's environment that affect risk

NIST Risk Management Framework (RMF)

The Risk Management Framework promotes the concept of near real-time risk management and ongoing system authorization through the implementation of a continuous monitoring process. It provides senior leaders with the essential information to make cost-effective, risk-based decisions about the enterprise systems supporting their core missions and functions. It also integrates security into the enterprise SDLC process.

The following figure depicts the overview of the RMF:


Categorize – The organization categorizes the system, and the information it processes, stores and transmits, based on an impact analysis.

Select – The organization then selects an initial set of baseline security controls for the system according to the security categorization, and tailors & supplements the control baseline as required by the enterprise risk assessment and local conditions.

Implement – The enterprise is accountable for implementing the security controls and documenting how those controls are deployed within the system and its environment of operation.

Assess – At this step, the enterprise assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended & producing the desired outcome.

Authorize – Based on the results of the security control assessment, a senior official in the enterprise authorizes the system to operate and to continue operating. The senior official makes this decision based on the risk to enterprise operations & assets, other organizations, individuals and the nation resulting from the operation of the system, and on whether that risk is acceptable.

Monitor – The final stage of the RMF is to monitor the security controls continuously to ensure that they remain effective even as changes occur in the system and its environment. The enterprise monitors the security controls on an ongoing basis, which includes assessing control effectiveness, documenting changes to the system, conducting security impact analyses of those changes & reporting the security status of the system to designated officials.

Information Security Assurance

Authorization & Assurance: NIST Definitions

[Figure: NIST definitions of authorization and assurance]

Security Engineering

The size & complexity of today's systems make building trustworthy systems a priority. System security engineering offers a disciplined approach to building dependable systems in a complex computing environment. This section presents the two categories of assurance methods & tools:


1. Design And Implementation Assurance

This method addresses the design of the system and whether the features of an application, system or component satisfy the software requirements & specifications. It examines system design, development, and installation. It can be applied throughout the entire lifecycle of the system, but is generally associated with the development and implementation phases. This method can be achieved using the following techniques:

  • Advanced Or Trusted Development – Advanced or trusted development methodologies, system architectures or software engineering techniques can offer assurance in the development of COTS (Commercial off-the-shelf) products & custom systems. Examples are formal modeling, security design & development reviews, ISO 9000 quality techniques, mathematical proofs, ISO 15288 or a trusted computing base (TCB).
  • Reliable Architecture – Reliable system architectures that use fault tolerance, shadowing, redundancy or RAID features are primarily linked with system availability.
  • Reliable Security – Ease of safe use is the main factor behind reliable security, which postulates that a system that is simpler to secure is more likely to be secure.
  • Evaluations – Evaluation of a product normally includes testing. It can be performed by several kinds of organizations, including independent bodies such as professional & trade organizations, domestic & foreign government agencies, individual users or commercial groups.
  • Assurance Documentation – Assurance documentation can describe the security of the system or of specific components. System-level documentation defines the security requirements of the system and how they have been implemented. Component documentation is typically supplied with an off-the-shelf product, while the implementer or system designer typically creates the system documentation.
  • Warranties, Integrity Statements & Liabilities – Warranties are an additional source of assurance and express a commitment to correct errors within a specified timeframe. They also speak to the quality of the product. An integrity statement is a formal declaration or certification about the product. It can be strengthened by a promise of liability (paying for losses) if the product does not conform to the integrity statement.
  • Manufacturer's Published Assertions – Published assertions by the developer or manufacturer provide a limited amount of assurance, depending on their reputation.
  • Distribution Assurance – It is essential to know that software has been received without modification, particularly when it is distributed. Digital signatures and check bits can provide high assurance that code has not been modified.

2. Operational Assurance

Operational assurance addresses whether the technical features of the system contain vulnerabilities or are being bypassed, and whether the required procedures are being followed.

The organization uses three methods to maintain operational assurance:

1. System Assessments – An event to evaluate security. Assessment methods comprise examination, interview, and testing.
2. System Audits – An independent examination and review of records & activities to evaluate the adequacy of system controls and to ensure compliance with established policies and procedures. Several methods and tools can be used for auditing, including:

  • Automated Tools – Used to help uncover threats and vulnerabilities.
  • Internal Control Audits – Review the controls in the system to determine whether they are effective, using techniques such as testing, observation, and inquiry.
  • Using The System Security Plan (SSP) – Presents implementation details for the system against which it can be audited.
  • Penetration Testing – Involves several methods of attempting to break the system's security.

3. System Monitoring – The process of maintaining ongoing awareness of security, vulnerabilities & threats to support enterprise risk management decisions. The methods and tools used in system monitoring are as follows:

  • Review System Logs – Analyze system-generated logs to find security problems.
  • Automated Tools – Examples of automated tools used to monitor the system for security issues are malicious code scanners, checksum programs, password strength checkers, host-based intrusion detection systems, system performance monitoring analysis and integrity verification programs.
  • Configuration Management – Provides assurance that the organization's operational systems are configured to standards and requirements, that any changes to be made are reviewed, and that such changes are authorized by management prior to implementation.
  • Trade Literature/Publications/Electronic News – Furthermore, it is essential to monitor these external sources of information, which include details about security vulnerabilities, patches and other matters that influence security.
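A small integrity verification program of the kind named under System Monitoring, which also illustrates the Distribution Assurance point that check bits and a signature show code has not been modified. This is an added example, not code from the original page or from NIST: it builds a SHA-256 baseline of a directory, protects the manifest itself with an HMAC (a stand-in for a digital signature, so a tampered manifest is rejected), and reports modified, added and removed files. The directory contents and the key are constructed for the demo.

```python
"""File-integrity baseline and verification (added example, constructed data)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline, key):
    """Protect the manifest with HMAC-SHA256 (stand-in for a digital signature).
    Without it, whoever can alter the files can also alter the baseline to match."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(root, baseline, key, tag):
    """Report what changed under root, or refuse if the manifest itself is untrusted."""
    if not hmac.compare_digest(sign_baseline(baseline, key), tag):
        return {"trusted_manifest": False}
    current = build_baseline(root)
    report = {"trusted_manifest": True, "modified": [], "removed": [], "added": []}
    for name, digest in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif not hmac.compare_digest(current[name], digest):
            report["modified"].append(name)
    report["added"] = sorted(n for n in current if n not in baseline)
    return report


def demo():
    """Constructed scenario: clean install, then a changed binary, a dropped file,
    a deleted file, and finally a manifest edited to hide the change."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original app bytes")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "README").write_text("constructed sample\n")
        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)
        clean = verify(root, baseline, key, tag)
        (root / "bin" / "app").write_bytes(b"original app bytes, patched")
        (root / "bin" / "extra").write_bytes(b"unexpected file")
        (root / "README").unlink()
        changed = verify(root, baseline, key, tag)
        # Manifest edited to match the patched binary, but the old tag no longer fits.
        forged = dict(baseline, **{"bin/app": sha256_file(root / "bin" / "app")})
        forged_result = verify(root, forged, key, tag)
    return clean, changed, forged_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```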

Security Considerations In System Support And Operations

System support & operations refer to all aspects involved in running a system. Failure to include security as part of the support & operations of systems can result in damage to the enterprise. The following are some of the categories that organizations' policies and procedures often fail to address:

  • User Support – An essential security consideration for user support staff is being able to recognize which issues are security-related.
  • Software Support – Several elements are involved in software support. One element is controlling what software runs on the system. Another is ensuring that software has not been altered without proper authorization.
  • Configuration Management – The process of tracking and approving changes to the system to ensure that they do not unintentionally or unknowingly affect security. In addition, it ensures that changes are reflected in other documentation, such as the contingency plan.
  • Backups – System support staff or users often back up data and software. It is important to back up only the necessary information, and to do so securely.
  • Media Controls – Include a wide range of measures that provide physical and environmental protection as well as accountability for digital & non-digital media.
  • Documentation – To ensure consistency and continuity, all aspects of system support and operations need to be documented.
  • Maintenance – If system maintenance is not done properly, security vulnerabilities will be introduced.

In addition to effective risk management and security assurance, the organization should ensure that security is considered in system support and operations in order to implement sound information security across its business.