The pitfalls of web security – TechTalks


By Ivan Tsarynny

The web security problem attracts advocates, malicious actors, ethical hackers and proposed solutions from all sides, sometimes ignoring the root causes of compromised client-side security and its devastating implications. OWASP, the largest web application security assessor, recently released its Top Ten ranking, putting broken access control at the top of the list. This move reflects the growing problem of access control since the previous version of the OWASP Top Ten four years ago. The decoupling of front-end code from the back-end in modern web applications highlights the ease with which cybercriminals abuse access control to log into dashboards or impersonate end users. No matter how sophisticated or well integrated a web application is, threat actors will sooner or later find exploitable code. The key is to identify it before they do.

Vulnerability analysis and threat detection are still in their infancy, especially considering the volume and rapid growth of malware and its widespread distribution. By the end of last year, 1.3 billion bot threats had been detected, demonstrating both the urgent need for effective protection against these threats and the impossibility of avoiding them entirely. Protecting client-side data has become increasingly valuable and strategic, especially as online dependency has increased since the start of the pandemic. In this increasingly cyber-centric atmosphere, IT professionals and web application developers must understand the vulnerable position in which end users find themselves. Rather than focusing primarily on the smartest or strongest code configuration, web application security must adopt a strategy that recognizes that attacks are inevitable and knows how to identify an endless stream of malicious activity.

What is broken access control?

Broken access control, as the name suggests, refers to the methods malicious actors use to gain access to protected resources they should not be able to reach, such as successfully logging into an administrative account without using the appropriate administrative credentials. Vulnerabilities in this space abound, from cross-site request forgery (CSRF) to cross-origin resource sharing (CORS) information leaks. Examples include changing an end user’s password to lock them out of an account and then steal valuable personal information. In 2020 alone, the Federal Trade Commission received 2.1 million reports of consumer fraud, mostly related to online shopping. Billions of dollars are at stake, affecting not only consumers but the survival of the online industry itself.

Mitigating these threats can be done but requires a comprehensive approach. Logging access control failures, implementing general access control mechanisms, and disabling web server directory listings are a few steps you can take to limit who is allowed to access sensitive dashboards. Web applications are involved in 43% of all breaches, requiring a robust approach to security that not only implements strong policy, but also effective threat detection and prevention.
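To make the "general access control mechanisms" and "logging access control failures" steps concrete, here is an added example (not code from the article or from Feroot) of a deny-by-default authorization check. The role policy, the in-memory log sink and the sample users are constructed for illustration; it covers the two scenarios the article names, reaching an admin dashboard without admin rights and changing another user's password.

```javascript
// Constructed in-memory sink; a real application would forward these records to
// its logging pipeline or SIEM so that repeated denials can be alerted on.
const ACCESS_LOG = [];

// Allow-list: which roles may perform which action. Any action not listed here
// is denied, so a new endpoint is protected until someone explicitly opens it.
const POLICY = {
  "dashboard:view": ["admin"],
  "password:change": ["user", "admin"],
};

// Returns true only when the role is permitted AND, for non-admins, the
// resource belongs to the caller. Every denial is recorded with enough context
// to investigate later (who, what, which resource).
function authorize(user, action, resource) {
  const allowedRoles = POLICY[action] || [];
  let allowed = allowedRoles.includes(user.role);

  // Ownership check: a plain user may only change their own password, even
  // though the role itself is permitted to perform the action.
  if (allowed && user.role !== "admin" && resource.ownerId !== user.id) {
    allowed = false;
  }

  if (!allowed) {
    ACCESS_LOG.push({
      userId: user.id,
      role: user.role,
      action,
      resourceId: resource.id,
      outcome: "denied",
    });
  }
  return allowed;
}

// Helper for monitoring: how many denials a given user has accumulated.
function denialsFor(userId) {
  return ACCESS_LOG.filter((e) => e.userId === userId).length;
}

// Constructed sample principals and resources.
const ADMIN = { id: 1, role: "admin" };
const ALICE = { id: 2, role: "user" };
const DASHBOARD = { id: "admin-dashboard", ownerId: null };
const ALICE_ACCOUNT = { id: "acct-2", ownerId: 2 };
const BOB_ACCOUNT = { id: "acct-3", ownerId: 3 };
```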

Some key security components

Beyond code-specific recommendations, such as ensuring that dynamic third-party source code is secure enough to be trusted, client-side security should include basic protections that any online store, bank, or healthcare system could easily deploy.

Vulnerability Management and Penetration Testing: A comprehensive website health assessment is an essential first step in determining where the entry points are. Exploitable code is abundant and inevitable, forcing any domain owner handling customer data online to seek out a team of trustworthy testers to safely exploit vulnerabilities in the site’s IT infrastructure. Diagnosing weak spots, behavior patterns, or blind spots reveals how valuable a website is to malicious actors and how best to fend off specific threats.

Content Security Policy (CSP): As mentioned in reference to broken access control, applying control mechanisms within a website’s infrastructure is necessary to block certain attacks aimed at impersonating end users, or simply to make it harder to reach dashboards containing sensitive data. Cross-site scripting (XSS), JavaScript code injection, and data skimming attacks all aim to steal data, distribute malware, or deface a site, and a CSP makes each of these much harder for attackers to achieve.
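As an added illustration (not code from the article or from Feroot), the following linter parses a Content-Security-Policy header value and flags the settings that leave the XSS and data-skimming paths just mentioned open. The two sample policies are constructed, and the checks are a deliberately small subset of what a full CSP evaluator would cover.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Fetch directives (script-src, connect-src, object-src, ...) fall back to
// default-src when absent; navigation directives (form-action, base-uri) do not.
function effective(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get("default-src") || null; // null: no restriction at all
}

// Returns a list of findings; an empty list means none of the checked weaknesses apply.
// (Browsers ignore 'unsafe-inline' when a nonce or hash is also present; that
// refinement is omitted here.)
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scripts = effective(policy, "script-src");
  if (scripts === null) {
    findings.push("no script-src or default-src: any script may execute");
  } else {
    // Each of these lets injected or attacker-hosted script run.
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"]) {
      if (scripts.includes(weak)) findings.push(`script-src allows ${weak}`);
    }
  }
  const objects = effective(policy, "object-src");
  if (objects === null || !objects.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content could be loaded");
  }
  // Skimmers exfiltrate via fetch/XHR, form posts or an injected <base> tag.
  const connect = effective(policy, "connect-src");
  if (connect === null || connect.includes("*")) {
    findings.push("connect-src unrestricted: scripts can send data to any host");
  }
  if (!policy.has("form-action")) findings.push("form-action missing: forms may post to any origin");
  if (!policy.has("base-uri")) findings.push("base-uri missing: injected <base> can redirect relative script URLs");
  return findings;
}

// Constructed sample policies: a permissive one beside a hardened one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; connect-src 'self' https://api.example.com; form-action 'self'; base-uri 'self'";
```

Running `lintCsp(WEAK_CSP)` reports four findings (unsafe-inline, object-src, form-action, base-uri) while the hardened policy reports none.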

Web Application Firewall (WAF): Protecting a website from relentless Internet attacks is essentially the job of a WAF. While it cannot protect against every attack and should be used as part of a more comprehensive security strategy, a WAF mitigates threats by filtering and monitoring HTTP traffic, protecting against cross-site forgery and attempts to exploit broken access control.

How can web security evolve?

Stressors associated with the pandemic, such as increased isolation and global shutdowns, have quickly accelerated the rate at which online dependency was already increasing, leading to an 800% increase in web application attacks last year. While server-side security is undoubtedly essential, client-side security has lagged behind as malicious actors continually target end users for the valuable information they possess. Personal information, financial information, legal documents and more are at risk of being stolen if comprehensive security measures are not taken seriously.

Implementing a CSP and a WAF can make a website more secure, but never hack-proof. Vulnerable code is waiting to be exploited, especially when it relies on third-party software. Checking that code can be trusted is a critical part of protecting the client-side attack surface, but it can only be done successfully if proper vulnerability scanning and penetration testing have been performed. Web security is more than understanding the need for cybersecurity protections; it is anticipating attacks before they happen, knowing that they most likely will.

About the Author

Ivan Tsarynny

Ivan Tsarynny is the co-founder and CEO of Feroot Security, a data protection intelligence software company. Feroot is a behavior-based web security monitoring platform that analyzes the actual behavior of scripts and third-party tools and their level of access to data on login pages, credit card payment pages, online shopping pages, and other pages with valuable data.

