October is known for being the “spookiest” of all the months. While there’s always debate on if ghosts, ghouls and witches are real, no one can argue the existence of scary vulnerabilities lurking in the dim corners of the web and on applications. In honor of the Halloween season, we’ll explore these creatures of the dark (web) and provide some tips on the best ways to incorporate application security to stay protected no matter what time of year, while still being careful not to fear-monger like some cybersecurity companies do.
The Evil Creatures Lurking on the Web
The vulnerabilities and risks associated with applications can be just as scary as the evil characters that came to life in the lines of the world’s most popular fairy tales. According to the WhiteHat Application Security Statistics Report, businesses are scanning 20 percent more applications yet remediation rates for insecure code are still falling. Some of the most prevalent application security threats plaguing today’s organizations include:
Insufficient Transport Layer Protection (TLS)
Insufficient TLS continues to be the most prevalent vulnerability type for mobile devices. By definition, insufficient TLS is a security weakness caused by applications not protecting any network traffic. In the past, without any TLS exploits available, this vulnerability was purely theoretical. However, this is no longer the case. Insufficient TLS in particular is worrisome because of the rate organizations are moving their production apps to the cloud. This vulnerability can expose the data of thousands of unsuspecting customers.
Just as the name implies, information leakage is a weakness where an application exposes sensitive data. According to the Web Application Security Consortium, in the most common form, it can be the result of not scrubbing HTML or script comments containing any company or customer information, improper application or server configurations or differences in page responses for valid vs. invalid data.
Reflected Cross-site Scripting (XSS)
A reflected cross-site scripting (or XSS) vulnerability is a result of when user input from a URL or POST data is displayed on the page without being stored. This vulnerability allows attackers to inject malicious code infecting an application or a network. Famous for making it in every OWASP Top 10 list of most critical web application security risks, XSS can be very dangerous to an organization.
However, just like the Wicked Witch in the Wizard of Oz or He-Who-Shall-Not-Be-Named in Harry Potter, with the right tools and practices in place, most vulnerabilities and hackers trying to exploit them can be defeated.
“Ghost” (Vulnerability) Hunting 101
Incorporating best application security practices can not only prevent adversaries from taking advantage of vulnerabilities, but can allow security and development teams to stop vulnerabilities before they are even formed. Those best practices include:
- Replace any old technology – Legacy technologies and software do not have the capabilities to protect data as well as the new ones do. Replace or update your software and hardware as needed.
- Stay educated – Security and development teams need to be up to date on the latest vulnerabilities and exploits. Businesses should pay attention to the news and see what other companies in their industry are doing to stay secure and any attacks they’ve experienced recently.
- Scan for bugs and problems – Continuously monitoring code is the best way to find problems. Enterprises should be asking themselves if anything has changed in the threat landscape and going back and reviewing old issues to prevent them from occurring again.
- Remediate vulnerabilities as soon as possible – Due to hard deadlines, development teams can rush to meet their goal and not properly address errors in the code. Therefore, it’s important to patch vulnerabilities as soon as they are found and not wait until the application is deployed.
- Deploy an application security tool – The right application security tool helps software teams build their applications at the right speed, securely. Tools can help automate testing and conduct vulnerability scanning as the application is being built.
When There’s Something Strange in the Neighborhood…
At WhiteHat Security, we’re here to act as a helping hand to find any strange creatures that might be lurking in the dark. Whether you are looking to strengthen any existing application security programs, secure your code or reduce your business risk – we have the solutions to help. Visit https://www.whitehatsec.com/products/solutions/ to learn more.