OWASP (the Open Web Application Security Project) is the global non-profit that produces free resources, articles and tools for improving web software security, and its latest Top 10 (the 2013 edition, whose entries are listed below) ranks the most critical risks to web applications.

Over the last ten years application security has grown more complex, and it has become increasingly hard for organizations to build and keep applications secure. OWASP therefore works to raise awareness of these risks and to help organizations manage them well.

Let us briefly look at the items in this ranking:

  1. Injection – SQL injection is the best-known case, but the category covers any interpreter (OS commands, LDAP, XPath and others). It occurs when untrusted input is concatenated into a query or command, so an attacker can change what the interpreter executes rather than merely supplying data. For the database behind a web application this means the attacker can read, modify or insert records at will. Consequences: disclosure of sensitive data and password hashes, pages altered to serve malicious content to users, credit card theft and unauthorized access to administrative areas.
  2. Broken Authentication and Session Management – This occurs when authentication or session handling is implemented incorrectly: credentials or session identifiers are transmitted or stored unprotected, session tokens are predictable or exposed in URLs, or sessions are not invalidated on logout or after a timeout. An attacker who obtains a valid session token can impersonate the user without ever knowing the password.
  3. Cross Site Scripting (XSS) – If user-supplied data is written into a page without validation and output encoding, an attacker can inject script that runs in other users' browsers under the site's own origin. That script can read session cookies, perform actions as the victim, rewrite the page or redirect the victim to a site that serves malware.
  4. Insecure Direct Object Reference – A developer may expose direct references to internal objects (a file name, a directory, a database key) in URLs or form fields. If the application does not check on every request that the current user is authorized for the referenced object, an attacker can simply change the identifier and read or manipulate other users' resources.
  5. Security Misconfiguration – This can occur at any layer of the stack: web server, application server, framework, database and the application itself. Typical examples are default accounts, unnecessary services, verbose error messages and missing patches. Every component must be hardened, configured securely and kept up to date.
  6. Sensitive Data Exposure – Anyone designing a web application must protect users' sensitive data, such as credit card numbers, health records and credentials: encrypt it in transit and at rest, store passwords only as salted hashes, and do not retain data that is not needed.
  7. Missing Function Level Access Control – Once logged in, a user can reach certain functions of the application. It is essential to enforce permissions server-side for every single function, not merely to hide the links in the user interface, so that a user who requests a privileged URL directly is still refused.
  8. Cross Site Request Forgery – An attack that makes a logged-in user's browser send a forged request (a transfer, a password change, a purchase) to a site where they are authenticated, without their knowledge. The attacker lures the victim, typically through an email or chat link, to a page that triggers the request; the browser attaches the session cookie automatically, so the site cannot distinguish the forged request from a legitimate one unless it requires something the attacker cannot obtain, such as a per-session anti-CSRF token.
  9. Using Components with Known Vulnerabilities – Libraries, frameworks and other software modules almost always run with the full privileges of the application, so a known vulnerability in one of them can be exploited to compromise the whole system. Keep an inventory of components and their versions and update them promptly when advisories are published.
  10. Unvalidated Redirects and Forwards – This occurs when the application redirects or forwards the user's browser to a destination taken from request parameters without validating it. A malicious actor can craft a link that passes through the trusted site and lands on a page that serves malware or a phishing form styled to look like the original application.
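To make item 1 concrete, here is an added example (not code from the original article or from OWASP) of the injectable login and profile lookups described above, each beside its parameterized equivalent. It uses Python's standard sqlite3 module with an in-memory database, a constructed user table and constructed attacker inputs; the schema, the account names and the passwords are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database stands in for the web
# application's DBMS.  Passwords are kept in clear text only so the leak is
# readable; a real application stores salted hashes.
USERS = [
    ("admin", "s3cret-admin-pw", 1),
    ("alice", "alice-pw", 0),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)", USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the classic injectable login."""
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the input is always data, never SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def profile_vulnerable(conn, username):
    """A public profile lookup that a UNION clause turns into a data dump."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def profile_safe(conn, username):
    """Parameterized version: the quote in the input is just a quote."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


# Attacker-controlled inputs (constructed for the demonstration).
BYPASS_USERNAME = "admin' --"  # the comment marker removes the password check
DUMP_USERNAME = "x' UNION SELECT password FROM users --"  # appends a second query


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable login:", login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("safe login:     ", login_safe(conn, BYPASS_USERNAME, "wrong"))
    print("vulnerable dump:", profile_vulnerable(conn, DUMP_USERNAME))
    print("safe lookup:    ", profile_safe(conn, DUMP_USERNAME))
```

With the bypass username the vulnerable login returns the admin row without a password, and the UNION payload makes the profile lookup return every stored password; the parameterized versions return nothing for the same inputs because the driver sends the values separately from the SQL text, so no amount of quoting in the input can alter the query structure.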
With its Top 10, OWASP has undoubtedly helped raise awareness of web application risks among developers, IT professionals, users and managers.
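Items 8 and 10 both come down to the server refusing to trust something it received from the browser. As an added example (not code from the original article or from OWASP), the block below implements a session-bound anti-CSRF token and a redirect-target check in plain Python; the server key, the hostname shop.example, the session identifiers and the form contents are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment values (not from the original article): the key would be
# loaded from configuration, and APP_HOST is the application's own hostname.
SERVER_SECRET = b"example-only-key-replace-in-production"
APP_HOST = "shop.example"


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to one session: nonce + HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presenting session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac, expected.hexdigest())


def handle_transfer(session_id: str, form: dict) -> tuple:
    """State-changing endpoint.  The browser attaches the session cookie on its
    own, so the form must also carry the token, which a third-party page cannot
    read: a forged request arrives with a valid session but no valid token."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Accept only local paths or absolute URLs on APP_HOST; otherwise fall back."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//evil.example") URL.  hostname strips
        # userinfo and port, so "https://shop.example@evil.example/" is seen as
        # evil.example, and "javascript:" has no hostname at all.
        if parts.scheme in ("http", "https") and parts.hostname == APP_HOST:
            return target
        return default
    # Relative target: require exactly one leading "/".  urlsplit does not treat
    # "/\host" as a host, but browsers normalise it to "//host", so reject it.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return default
    return target
```

The token is deliberately derived from the session identifier, so a token captured from one session is useless in another; the redirect check keys on the parsed hostname rather than a substring match, which is what defeats the shop.example.evil.example and user@host tricks. SameSite cookie attributes are a useful additional CSRF defence, but the server-side token is the check the application itself controls.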

Today, to check whether your portal, reserved area, website or application is affected by these issues, you can rely on professionals at a reasonable cost. EasyAudit is the best choice for helping companies protect corporate networks and web applications. Every audit is certified with the EasyAudit Checked seal, a guarantee for your customers!

Want to know how exposed your website is?

EasyAudit WEB checks websites, portals and e-commerce with a professional external audit designed for SMEs.

Discover EasyAudit WEB