24. Sep 2020
Business
Security training OWASP TOP 10 - Is it worth investing in it? Take a look at our experience!
Have you watched this year's WWDC conference from Apple? While in the past the main attraction of their presentations was the polished design and fine-tuned functionality, today it is different.
Recently there has been a significant shift: the protection of personal data and security have taken an important place. In the context of several recent scandals, the topic is gaining more and more attention. Users themselves are also much more interested in how companies process their sensitive data and how securely it is stored.
For us at GoodRequest, security is always a priority. Not as a phrase, but as a natural part of every internal process and every client project. That is why, as part of our educational programme, this year we are focusing on improving the security of our applications and the protection of the personal data in them. We have just completed security training focused on the most common web application vulnerabilities, the OWASP TOP 10. In the following lines, I will describe how it went and the reasons why investing in it does or does not pay off.
Who is security training aimed at?
You may say that security does not concern you, because you only implement a thin client, whether a web or mobile application, and security is handled mainly by the backend developers. However, the opposite is true: a number of vulnerabilities are exploited through an improperly implemented frontend as well. Application security is a very complex matter, and it is necessary that at least the most common vulnerabilities are known to all team members and that they know how to protect their application against them. At such a training you will really see that a single mistake in the most hidden part of the application is enough to lead to the compromise of sensitive user data. Therefore, we decided to involve all members of the web team (from absolute juniors to leaders) as well as a representative of the QA department.
What does security training look like?
Our trainer was the ethical hacker Tomáš. He explained the theoretical basis for each point in the OWASP TOP 10 ranking (more on this list at the end of the article) and then we tested the theory directly in practice by "hacking" test applications designed specifically to demonstrate the best-known vulnerabilities. Of course, there was also a discussion of our technical solutions and a comparison of them with Tomáš's experience.
During the training we fully realized how important it is to keep up with the times and use the latest available (but also sufficiently community-proven) technologies. Many attacks are feasible only on older technologies or their outdated versions.
The quality of our technology stack was shown by the fact that we were not able to reproduce any of the tested vulnerabilities on our production applications, and the discussion was therefore more on a theoretical level: how we could further strengthen our already very secure applications.
Who is an ethical hacker?
At first glance, the phrase "ethical hacker" may sound like an oxymoron. However, there really are people who, in their spare time, try to improve the security of applications on the Internet without any malicious intent. They point out the vulnerabilities they have identified and push technology companies to fix them as soon as possible. Sometimes they also get rewarded for it (often only symbolically), but the greater satisfaction for them is that they managed to reveal the vulnerability before hackers from the illegal side of the barricade did. Tomáš shared with us a few stories from the career of an ethical hacker, and it was really very interesting to listen to.
What are penetration tests and what are they for?
The best protection against vulnerabilities is regular penetration testing of the application, ideally performed at each release to production. We already have practical experience with penetration tests from Citadelo, as they have tested several applications from our production. We are glad that they have not identified any critical vulnerabilities yet. However, their recommendations helped us to secure the applications even more, even against situations that are currently possible only on a theoretical level but could become real in the future.
Make sure your data hasn't been stolen (and be prepared to be surprised)
Did you know that you can easily verify whether your current password has been stolen and published on the Internet without your knowledge? On this website, you can find out whether your login details have ever been compromised by entering your e-mail address. We were sincerely surprised that each of us had at some point been a victim of such a data leak. That's why it's extremely important to use a unique, sufficiently strong password for each service, or to use a password manager. Of course, we recommend enabling two-factor authentication wherever possible (especially for your primary e-mail inbox).
Try "hacking" on your own
If you want to try out some of the vulnerabilities in your spare time, be sure not to do so on production applications available on the Internet. It is illegal and could get you into big trouble. For this purpose you can use, for example, the DVWA (Damn Vulnerable Web Application) project, which contains an application susceptible to the vulnerabilities from the OWASP TOP 10 list and which you can run, for example, in a virtual machine. It has several levels of difficulty and also instructions on how to get through each of them.
What is the OWASP TOP 10?
The Open Web Application Security Project is an international non-profit organization dedicated to raising awareness of the most common application vulnerabilities and the ways to avoid them. Every year, therefore, they publish a list of the TOP 10 most critical vulnerabilities, which is always updated based on current security trends.
This year's OWASP TOP 10 2020 ranking looks like this:
1. Injection
"Injection" attacks misuse untreated (or insufficiently treated) user input: we blindly trust the data that enters the application, and attackers can then use it to gain access to the data or even to the entire application. It is therefore necessary to use time-tested methods to sanitize all application inputs and to thoroughly test the application for these vulnerabilities after each release.
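The point about trusting input, shown on SQL as an added example (not code from the article or from GoodRequest): the same query built by string formatting and by driver parameters, run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the input is pasted into the SQL text, so the input can change
    # what the statement means, not just what value it compares against.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: the value travels separately from the statement and can never
    # become SQL syntax, whatever characters it contains.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # Classic tautology probe: closes the quote and appends an always-true condition.
    probe = "' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, "bob"),
        "unsafe_probe": find_user_unsafe(conn, probe),  # returns every row
        "safe_normal": find_user_safe(conn, "bob"),
        "safe_probe": find_user_safe(conn, probe),      # matches no username
    }
```

The test to add to a release pipeline is the second pair: the parameterized lookup must return nothing for the probe, not the whole table.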
2. Broken Authentication
This vulnerability is best illustrated by the well-known wisdom about reinventing the wheel. Naively trying to implement your own authentication is practically a guarantee of a successful attack. Rely on a verified standard such as OAuth 2.0.
3. Sensitive Data Exposure
Even if an attacker gets access to the contents of the database, it is the responsibility of each developer to protect sensitive user data against further misuse. It is therefore necessary, for example, to protect stored passwords with the correct asymmetric encryption technology and a cryptographic salt and pepper.
4. XML External Entities (XXE)
Although XML is no longer the latest trend and its use is gradually declining, an incorrectly implemented XML document parser can very easily compromise our application. Therefore, before using any XML parser, study its documentation in detail, and if XML is not explicitly required, prefer the less complex and thus more secure JSON for communication.
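The salt-and-pepper idea from the paragraph above, as an added example (not the article's or GoodRequest's code): stored passwords are protected with a slow one-way password hash (PBKDF2) rather than reversible encryption, since a login only ever needs to compare, never decrypt. The PEPPER value and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed server-side secret (assumption for this example). In a real deployment the
# pepper lives outside the database (environment variable, secrets manager, HSM), so a
# dumped users table alone is not enough to check password guesses offline.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ITERATIONS = 600_000  # makes every guess expensive; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    # The pepper is mixed in via HMAC, so the stored digest depends on a secret
    # that never sits next to the data it protects.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo() -> bool:
    salt, digest = hash_password("correct horse battery staple")
    # Only salt and digest are stored; the plaintext is discarded after hashing.
    return verify_password("correct horse battery staple", salt, digest) and not verify_password(
        "Correct horse battery staple", salt, digest
    )
```

Two users with the same password end up with different digests because their salts differ, which is exactly what stops one cracked entry from revealing the others.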
5. Broken Access Control
Broken Access Control attacks focus on misusing access rights (such as the login token of a non-privileged user) to reach a protected area that should only be accessible to an administrator. To secure login tokens against such misuse, the application backend should verify on every request whether the user is allowed to use the given functionality.
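The per-request check described above, as an added example (not the article's or GoodRequest's code): the backend verifies the token signature and then looks the role up in its own user store on every request, so an ordinary user's valid token never opens an admin route. The signing key, user store and routes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption for the example
# Constructed server-side user store; roles are looked up here, never trusted from the client.
USERS = {"alice": "admin", "bob": "user"}
# Minimum role each route requires; consulted on every single request.
ROUTE_ROLES = {"/profile": "user", "/admin/users": "admin"}


def issue_token(username: str) -> str:
    """Return 'payload.signature' where payload is base64url JSON and signature is HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": username}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token: str) -> Optional[str]:
    """Return the username if the signature verifies, else None (malformed or tampered)."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def handle_request(path: str, token: str) -> int:
    """Return an HTTP-style status: 401 unauthenticated, 403 forbidden, 404 unknown, 200 ok."""
    user = authenticate(token)
    if user is None or user not in USERS:
        return 401
    required = ROUTE_ROLES.get(path)
    if required is None:
        return 404
    # Authorization is decided here, from the server-side role, for every request.
    if required == "admin" and USERS[user] != "admin":
        return 403
    return 200
```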
6. Security Misconfiguration
A very common problem is a misconfiguration of the application framework itself which, in the event of an error in production, publishes an overly detailed error message that helps attackers in their attempts to break the application's protection. Before deploying the application, always make sure that you have turned off debug mode, removed all publicly accessible logs, and that users are sent only generic error messages (in no case the raw output from the database).
7. Cross-Site Scripting
If application users are able to add their own content (comments, ratings, etc.), an XSS attack is a very common problem. As with Injection attacks, every user input must be thoroughly validated using the proven tools provided by your chosen framework.
8. Insecure Deserialization
Do you really need serialization and deserialization in your application? If so, it is again appropriate to study the documentation of the serialization libraries thoroughly and consider all the risks involved.
9. Using Components With Known Vulnerabilities
WordPress is the most widely used framework on the web, and most of its vulnerabilities are caused by outdated versions of WordPress itself, but especially by the plugins and libraries it uses. Therefore, don't forget to regularly update all the libraries and extensions in your projects, and ideally also review whether you really need all of them.
10. Insufficient Logging And Monitoring
If someone attacks you, there is nothing worse than not even knowing about it. The sooner you are informed of a possible attack, the faster you can react to it and limit its effects as much as possible.
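What "being informed" can look like in code, as an added example (not the article's or GoodRequest's code): a small detector that reads failed-login lines from an application log and raises an alert when one source address crosses a threshold inside a sliding time window. The log lines and their format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a typical application-log shape (not real traffic).
SAMPLE_LOG = """\
2020-09-24T10:00:01 INFO  login ok user=alice ip=10.0.0.5
2020-09-24T10:00:03 WARN  login failed user=admin ip=203.0.113.7
2020-09-24T10:00:04 WARN  login failed user=admin ip=203.0.113.7
2020-09-24T10:00:05 WARN  login failed user=root ip=203.0.113.7
2020-09-24T10:00:06 WARN  login failed user=test ip=203.0.113.7
2020-09-24T10:00:07 WARN  login failed user=guest ip=203.0.113.7
2020-09-24T10:00:20 WARN  login failed user=bob ip=10.0.0.9
2020-09-24T10:09:00 WARN  login failed user=bob ip=10.0.0.9
"""

# timestamp, level, then the failed-login event with its fields
LINE_RE = re.compile(r"^(\S+) \S+\s+login failed user=(\S+) ip=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: time} for every IP with >= threshold failed logins inside one window.

    The time recorded is the moment the threshold was crossed, i.e. when an alert
    should have gone out. A user mistyping twice (10.0.0.9) stays below the bar.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            failures[m.group(3)].append(datetime.fromisoformat(m.group(1)))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = t
                break
    return alerts
```

Wire the returned dictionary to whatever pages the on-call person, and the "not even knowing about it" scenario turns into a timestamped alert a few seconds after the fifth failure.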
Find out more on the official website of the OWASP project.
Is investing in security training worthwhile?
From our point of view, the security of applications (and of the sensitive data in them) is an extremely important topic today. For a company that develops such solutions, there is no bigger nightmare and no worse marketing scandal than newspaper headlines pointing out that you neglected something and many people lost their privacy because of your carelessness. So we think that in this case, entrusting yourself to professionals with many years of experience is an investment that will definitely pay off in the future.
You can also look at the previous lines in the context of the specific applications and web solutions we develop. Thanks to this you will understand even better why we approach security so responsibly and what data we work with in various projects. Take a look at our portfolio. :)