Watch out for the most common Web application vulnerabilities

  • Team Omega
  • July 23, 2013

The best recommended practice is to start from the premise of trusting no one when it comes to Web application security. This keeps an enterprise's developers constantly checking the validity of the source that an application or piece of code came from, and putting the code through several methods of testing.

Here is a list of most common application vulnerabilities:

  1. SQL injection tops the list of Web application vulnerabilities – When SQL code is added from an outside source, or even from an inside source, it is best to check the code to be sure it is valid.
  2. Cross-site scripting vulnerabilities – Once again, the data that a user supplies needs to be validated. It is best not to trust any code that comes through. In this type of vulnerability, attackers input code into a web application such that it is executed by the browser. When a user's browser runs that code, it redirects them to a malicious page. Developers do use their own home-grown validation methods, but the recommendation is to use security control libraries to test them out thoroughly.
  3. Two-factor authentication for Web application session management – This is old news by now, since 2FA has to be the rule instead of the exception. Active sessions can easily be disrupted and hijacked unless the logins are encrypted. Vulnerabilities can be discovered by performing both code reviews and penetration tests, and particular attention should be paid to how session identifiers are handled and to the methods used for changing users' credentials.
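As an added illustration of item 1 (example code, not from the original post), here is a user lookup that splices untrusted input straight into the query text, beside its parameterised form. It uses Python's sqlite3 module and a constructed in-memory table; the table contents and the test input are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is pasted into the SQL text. The database cannot
    # tell data from code, so a quote character in the input changes
    # the meaning of the WHERE clause (and a legitimate name such as
    # O'Brien would break the query outright).
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL
    # text, so the driver always treats it as data, never as SQL.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed test input containing a quote character.
    hostile = "x' OR '1'='1"
    return {
        # Matches every row: the input rewrote the WHERE clause.
        "vulnerable": find_user_vulnerable(conn, hostile),
        # No such username exists, so the hardened lookup returns nothing.
        "safe": find_user_safe(conn, hostile),
        # Ordinary input still works with the parameterised query.
        "normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same contrast applies to any database driver: the check to add in code review is that no query string is ever built from user-supplied data.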

Over and above all, it is absolutely necessary to have the group that handles all of the security issues for applications, networks, firewalls, databases, etc. trained to follow security policies to a 'T' and constantly validated through tests.