Since the Open Web Application Security Project (OWASP) began in 2003, most of the security threats it tracks have stayed the same, which is a major concern. OWASP keeps changing and evolving to help web security professionals protect and fortify websites and networks against possible attacks.
It has become the knowledge base that helps experts foresee security challenges and vulnerabilities and meet them head-on. Today the number one threat on the organisation's list is injection, which has been part of the Top 10 since the list's inception in 2003.
Injection — or injection flaws — occurs when databases and other systems accept input in a way that lets an attacker send, or inject, malicious data into them. Hostile, untrusted data reaches an interpreter as part of a command or query, which lets attackers read often critical and private data without authorisation. The same data can then flow on to clients and end users, exposing them to viruses, malware and other security problems.
Hackers frequently use injection as a means of attacking and taking over databases. They can easily automate injection attacks using their established botnets as soon as a vulnerable application is launched in the cloud. When a hackable system is launched on Amazon Web Services, an injection attack could, within a few seconds, issue a direct database command to read important information such as passwords or social security numbers, or to delete vital data. Successful injection can cause loss of data, loss of goodwill and credibility, loss of sensitive client information and much more.
Injection attacks are quite easy to defend against: only a few small techniques need to be adopted by an application's developers to make a web application impervious to injection, and yet it persists as a major vulnerability in a large number of web applications. Security executives could easily create risk profiles and build in solutions as applications are updated.
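The "small technique" the article refers to is, for database-backed applications, parameterised queries. The following added example (not code from the article or from OWASP) shows the flaw and the fix side by side against a constructed in-memory SQLite table: the first lookup splices the user-supplied name into the command text, the second binds it as a parameter so the database treats it strictly as data.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the article): two users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is concatenated into the SQL text, so the interpreter
    cannot tell data from command: this is the injection flaw the article
    describes. Kept only as the 'before' side of the comparison."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The value is sent separately from the command through a placeholder,
    so whatever it contains is compared as a literal string and never parsed
    as SQL. This is the fix the article calls simple to adopt."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # the textbook input that turns a lookup into a dump
    print("vulnerable rows:", len(lookup_vulnerable(db, crafted)))      # 2
    print("parameterized rows:", len(lookup_parameterized(db, crafted)))  # 0
```

A code review or static scan that flags string concatenation into query text catches the first form before it ships; the second form is what every major database driver supports natively.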
Through these attacks a company could incur huge damage: lost customer data, lawsuits, restitution, a damaged sales funnel as customers lose trust, not to mention the PR disaster — often the price of rushing to experiment with insecure versions of products and launching them before examining their vulnerabilities.
Across web application development organisations, there is no default security framework to prevent even the simplest of attacks, such as injection.
Solutions for consideration
A lot of web application companies are vulnerable to cyber attacks. To safeguard an organisation, plenty of solutions can be implemented quickly to bring the necessary level of protection into the engineering process and stop it being an easy target.
Short-term capital investment for vulnerability analysis can help to assess whether or not the company is vulnerable. Apart from this, there is also a long-term, cultural solution that could benefit technology companies for decades to come and would likely shake threats such as injection from the Top 10 security threat list. It starts with how security is approached as part of the college curriculum.
Importance of cyber security degree for students
One of the main reasons injection has remained on the list of web application threats for so long is that there is no emphasis on training engineering students to prevent even one of the simplest things hackers do. In recent years, however, the education landscape has begun to change. With increasing awareness of and concern over the growing cyber threats facing organisations, governments and individuals, universities and colleges are creating new cybersecurity degree programmes. Many of these programmes are still in their initial stages, but others have been thoughtfully designed with input from industry thought leaders, field practitioners and local and national stakeholders, with the aim of producing cybersecurity professionals with the knowledge and skills to combat sophisticated attacks.
Cybersecurity is a national priority and requires a team approach to education, which means close collaboration with the cybersecurity community is necessary for an effective programme. In other words, companies need to be proactive in partnering with universities and hiring from colleges that produce highly skilled developers. Today, many employers seek a combination of experience and education. Not all cyber security education is created equal, which is why it is important to choose a course wisely.
One way to enact this change is for organisations to take interns only from colleges that teach security. Think of the time and money that could be saved if those coding an organisation's applications or updates already understood what the OWASP Top 10 threats were.
Additionally, it would make a real difference if a higher education institution could show potential partners and hiring organisations that its engineering students write code that is vetted and scanned for security risks. Developers who treat security as a priority help prevent the crisis of these persistent threats and eliminate the cost of training that follows a breach.
The schools that start producing graduates with a knowledge of the most consistent security problems should be at an advantage in a highly competitive market. These students would become future employees to the most sought-after companies.
For organisations building web applications, hiring engineers with security knowledge and building vulnerability checks into development processes should be a no-brainer for a number of reasons. This change needs to happen sooner rather than later.
(Views expressed in this article are a personal opinion of Rohan Vaidya, Regional Director, Sales, India, CyberArk.)