Security expert and Mozilla Tech Speaker Sumanth Damarla is talking at Voxxed Days Bristol about building Web Security Awareness. We caught up with him to get an idea of the threats to web security in 2017, and how to test and guard against them.
What are the top 5 threats to web security in 2017?
According to OWASP, the top 5 web application vulnerabilities are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
Is using Open Source security code (e.g. OAuth libraries) making websites vulnerable to attack?
Organizations believe open source code is secure, since they still believe Linus’s famous quote: “Given enough eyeballs, all bugs are shallow.”
This perspective needs to be changed. It cannot be taken for granted that code available free on the internet is secure. Without making the effort to secure a piece of code yourself, you cannot assume that it is secure. This effort may involve dynamic code analysis, pentesting, etc.
When it comes to open source dependencies, for instance, the central repository houses 400,000 open source components that are downloaded 13 billion times a year. This means that open source code appears everywhere within the development community. To secure your website from attacks due to open source components you have used, you can follow these steps:
- Take note of all the open source components used in your website.
- Mark components with the highest severity (severity above 8) and update them at regular intervals.
- Keep track of the usage of open source components.
- You can use automation tools like Artifactory, Sonatype Nexus and WhiteSource to manage your open source components.
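One way to carry out the three inventory steps above (list the components, flag those with severity above 8 for immediate update, and track where each one is used), as an added example that is not code from the interview or from any of the tools it names. The component list, the advisory scores, the `fixed_in` versions and every name in it are constructed for illustration; in practice the inventory would come from your build manifest and the scores from a vulnerability feed.

```python
"""Triage an inventory of open source components by advisory severity.

Added example; not code from the interview or from Artifactory, Nexus or
WhiteSource. All component names, versions and scores below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Threshold used in the interview: components with severity above 8 are
# prioritised for updates. Scores are treated as CVSS-style 0-10 values.
HIGH_SEVERITY = 8.0


@dataclass
class Component:
    name: str
    version: str
    # Step 3 (usage tracking): which parts of the site import this component.
    used_by: list[str] = field(default_factory=list)


# Step 1: the inventory of components in use (constructed sample).
INVENTORY = [
    Component("example-oauth-client", "1.2.0", used_by=["login", "api-gateway"]),
    Component("example-template-engine", "3.0.1", used_by=["storefront"]),
    Component("example-json-parser", "0.9.4", used_by=["api-gateway", "admin"]),
    Component("example-logger", "2.5.0", used_by=[]),
]

# Constructed advisory feed: hypothetical entries, no real identifiers.
ADVISORIES = [
    {"name": "example-oauth-client", "affected": "1.2.0", "score": 9.1, "fixed_in": "1.2.3"},
    {"name": "example-json-parser", "affected": "0.9.4", "score": 6.5, "fixed_in": "1.0.0"},
    {"name": "example-template-engine", "affected": "2.9.0", "score": 8.8, "fixed_in": "3.0.0"},
]


def matching_advisories(component: Component, advisories: list[dict]) -> list[dict]:
    """Advisories whose affected version is exactly the version we ship."""
    return [
        a for a in advisories
        if a["name"] == component.name and a["affected"] == component.version
    ]


def triage(inventory: list[Component], advisories: list[dict],
           threshold: float = HIGH_SEVERITY) -> dict:
    """Step 2: split findings into update-now (score above threshold) and
    scheduled updates, and list components nobody uses any more."""
    report = {"update_now": [], "schedule": [], "unused": []}
    for comp in inventory:
        if not comp.used_by:
            # Unused dependencies are still attack surface; candidates for removal.
            report["unused"].append(comp.name)
        for adv in matching_advisories(comp, advisories):
            entry = {
                "name": comp.name,
                "version": comp.version,
                "score": adv["score"],
                "fixed_in": adv["fixed_in"],
                "used_by": list(comp.used_by),
            }
            bucket = "update_now" if adv["score"] > threshold else "schedule"
            report[bucket].append(entry)
    # Highest-severity items first so the report reads top-down as a work list.
    report["update_now"].sort(key=lambda e: e["score"], reverse=True)
    return report


if __name__ == "__main__":
    result = triage(INVENTORY, ADVISORIES)
    for bucket in ("update_now", "schedule"):
        print(f"{bucket}:")
        for e in result[bucket]:
            print(f"  {e['name']} {e['version']} score={e['score']} "
                  f"fix={e['fixed_in']} used_by={e['used_by']}")
    print("unused:", result["unused"])
```

On the constructed data only the OAuth client lands in the update-now list (score 9.1 on the exact version in use); the template engine's advisory does not match because the inventory already runs a later version, and the JSON parser at 6.5 goes on the schedule. The exact-version match is deliberately strict: a real feed would express affected ranges, and a range comparison is the first thing to replace when adapting this.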
How do you detect vulnerabilities?
Vulnerabilities in web applications can be found with dynamic code analysis and penetration testing. There are many proprietary and open source security tools available to test your web application. I am mentioning a few top open web security tools below:
- OWASP ZAP
- OpenVAS
- Vega Scanner
How has web security changed over the past 5 years?
There has been a significant change in the approach of hackers. Their goals have also changed. At the inception, hackers just used to annoy people by changing content on web pages and doing silly pranks. However, now there are professional hackers/gangs with the single aim to steal millions of dollars without leaving a trace.
The leakage of user identities (say, 100 million user identities) from a corporate website is not big news anymore. No one is seriously concerned about it.
Countries are engaged in a cyberwar day and night trying to decrypt each other's data and make the most of it.
Breach detection tools have significantly improved. Now they can detect malicious activities, even if it is done by a legitimate user!
In the course of time, there are far more breaches in websites than there were 5 years ago, which just makes us realise we haven’t transitioned into a secure environment yet. Yet although there are many bumps along the road ahead, I believe a safer environment is not far away.
For more, see Securing the Web at Voxxed Days Bristol.