It seems web applications are not as safe and secure as we would all like to think. At least that is what a recent report on web application security shows. It appears that over half of all applications do not meet security quality and standards. The report covers around 5,000 applications in the past year and a half. Over 80 percent of all the applications tested failed to meet the standards of the OWASP Top 10, a benchmark chronicling the most typical web application errors. The OWASP also listed the top security risks, which are: injection, XSS (cross-site scripting), insecure direct object references, security misconfiguration, and failure to restrict URL access. Other security risks are unvalidated redirects and forwards, insufficient transport layer protection, insecure cryptographic storage, and broken authentication. It seems these are becoming more and more common.
Focus on time and budgeting, not security
So, why is this? Apparently, the companies are less interested in security than in time and budget. Secure coding standards, threat modeling, and other security processes are badly integrated into the lifecycle of the application, according to experts. These weaknesses become real dangers for the operation of software with time. The main reason for all this is that people are not well aware when it comes to secure coding. There is little actual knowledge of application security, because such classes are not offered in most computer science courses at colleges and universities. There is a marked lack of formal training on a professional level as well.
Experts agree that most applications are in very bad shape as far as security is concerned. While modern frameworks can prevent certain risks, developers continue to ignore the weaknesses of their applications, which is a problem because the application depends on multiple security layers, and any one of these can be accidentally switched off by administrators and other staff.
Business logic flaws
Another risk in this regard involves business logic flaws, including predictable location of funds or insufficient authorization. This is where security lapses enable resourceful persons to achieve things like reserving a seat on a flight without paying for it. This lets them bide their time until they have saved up enough money – and all the while the seat remains booked. Another such situation is guessing the profit of a given public company before the data is officially released, being able to predict this accurately. It is actually not that hard, but the company will lose a lot of money as a result and suffer greatly.
What can be done?
One possible solution is providing developers with security controls, such as using SQL safely to avoid injection. Often developers are lacking control and information and use it the unsafe and wrong way. Many languages are not equipped with a built-in tool to make input safe from cross site scripting. These tools are called libraries and are available where there are safe scripts, which makes it a lot easier to ensure application security. It is also important to have appropriate security design and guidelines in place. Without these factors, we will inevitably suffer security breaches more and more often.