Software is constantly changing and evolving. So why has the Open Web Application Security Project (OWASP) Top 10 List stayed basically the same for the past ten years? Developers are constantly coming up with new ideas and ways to do things. These security concerns are not difficult to solve, and developers know they are happening, so I would posit that the problem lies in hiring sub-par developers.
Let me step back for a moment. This is the first in a series of security-related blogs I will be writing with the input of technologists from Amadeus Consulting. Security is not something new in the development world. In fact, as I stated above, the same security concerns have existed for years. OWASP publishes its Top 10 list of security risks each year. My goal in this series is to start by giving an overview of security risks, possible prevention measures, and best practices used by Amadeus Consulting. Moving forward, I will dive into the top four security concerns in detail, what to watch for, and some preventative tips. There will likely be some overlap, but I recommend you at least glance through each blog. The fact that the risks have remained virtually unchanged for ten years means that not enough developers are practicing preventative measures, so don’t be one of those developers, or one of the people hiring those developers.
It is much more cost effective to build a site with security measures in place than to go back and fix a site that was poorly built. A common occurrence is hiring the “basement developer,” a cheaper option than an established development company, who is not focused on installing proper security measures. With these basement developers, you get a site built quickly and cheaply, and everything is going great, until one of the OWASP Top 10 risks hits and down you go. Then you could face any one of, or a mixture of, the following costs:
- A tarnished brand
- Losing your users’ trust
- Losing functionality that could include payment processing, a must for an e-commerce company
- Incurring mandatory audits from 3rd party companies
- Possible court costs
- Higher insurance rates
- Senior tech personnel losing their jobs
If you’re not a developer, the first step is to have a general understanding of security risks. Then you can ask informed questions when hiring a developer so that you know they are focused on risk prevention.
Here are the 2013 Top 10 Risks:
- Cross-Site Scripting
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
I will be diving into the top four in more detail in my following blogs, and you can easily access some basic information on all of these risks here. If you have an existing site, you can hire companies to do a security audit. Not many people think to do this, but I would recommend it if you are even slightly unsure as to the security practices used by your developer.
Stay with me through this blog series and you will be able to ask the right questions to make sure your software is protected. Up next, Injection: The Risk that Never Goes Away.