When it comes to security, web applications are consistently the most vulnerable to penetration. Here are some of the top flaws in web applications:
1. SQL Injection
An obvious choice for a web application flaw, SQL injection still exists in many web applications, leaving hackers an easy way to access sensitive information or compromise the application.
2. Weak passwords
Having a strong password selection policy prevents illegitimate use of user or administrative accounts, which helps keep the web application intact.
3. Authorisation problems
This pretty much has the same impact as weak passwords, but is more common in more complex applications.
4. Command or code injection
Command or code injection will typically let the hacker compromise the server outright, making it a critical vulnerability. Don’t risk this one.
5. Information Disclosure
Try to disclose as little information as possible from your web applications, though it’s almost impossible to have no disclosure at all.
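To make the five flaw classes above concrete, here is an added example (constructed for this page, not Checkmarx's code) that pairs a vulnerable helper with a hardened one for each class. The user table, password denylist, hostname allowlist and policy limits are all assumptions chosen for the demonstration.

```python
"""Constructed demonstrations of the five flaw classes listed above.
Each vulnerable helper is paired with a hardened one so the difference
can be exercised directly against an in-memory database."""
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "bob", "admin")])
    return conn


# 1. SQL injection: string-built query versus bound parameter.
def lookup_user_vulnerable(conn, username):
    # The input is spliced into the SQL text, so a quote inside it
    # changes the shape of the query the database actually runs.
    sql = "SELECT id, username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # A bound parameter is always treated as data, never as SQL syntax.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# 2. Weak passwords: a minimal policy check (limits are assumptions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed denylist


def password_is_acceptable(password):
    if len(password) < 12:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    # Require at least two character classes out of lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 2


# 3. Authorisation: check ownership or role on every object access,
#    not only once at login.
def can_read_record(actor_id, actor_role, record_owner_id):
    return actor_role == "admin" or actor_id == record_owner_id


# 4. Command injection: never hand user input to a shell as a string.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # assumed allowlist


def build_ping_command_vulnerable(host):
    # The returned string is what shell=True would execute, so shell
    # metacharacters inside `host` would be interpreted by the shell.
    return "ping -c 1 " + host


def build_ping_command_safe(host):
    # Allowlist the input, then return an argv list so no shell parses it.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


# 5. Information disclosure: keep details server-side, return a generic body.
def error_response(exc, log):
    log.append(repr(exc))  # full detail stays in the server log only
    return {"error": "internal error", "status": 500}
```

Running `lookup_user_vulnerable` and `lookup_user_safe` with the same quoted input shows the whole point of parameterisation: the first returns rows it was never asked for, the second returns none. The command helpers only build argument lists rather than executing anything, so the block runs offline.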
Popular Breaches of January to June 2012
Let’s have a look at the most talked-about of the latest breaches that have fooled the masses so far in 2012. These incidents can always help us learn how to catch future hacking attempts against new software. Though there have been upwards of 300 massive breaches in the last 6 months, here are the top ones of each month for those who are interested in creating a hacking calendar for next year.
January 2012: Zappos
Though the hackers were able to get hold of 24 million records, including the last 4 digits of credit card numbers and even encrypted passwords, Zappos was ready for such a breach and was able to reduce the damage caused to its customers. They not only had a high level of encryption for their passwords, they also had a quick response plan in place to repair and prevent further damage.
February 2012: University of North Carolina
A large organization must be able to allow its databases to be accessed by a large number of internal people while keeping them private from the rest of the world. The exposure of 350,000 records, including financial information, by mistake means that setting system configurations correctly is essential, especially for large organizations such as universities.
March 2012: Global Payment Systems
This one was by far the biggest doozy of the year, with exposure of over 7 million records including 1.5 million credit cards. Credit card companies have completely lost trust in Global Payments until they can once again prove their security standards. Though they followed the check-box compliance provided at the time of auditing, they proved to be negligent at other times, allowing for such a mass breach.
April 2012: South Carolina Health and Human Services
In this case, the intruder was an actual employee of the company, sending himself patient records every day for months. Authorized entry to databases is the easiest form of hacking, since it is less expected and not easy to detect. However, information theft of this nature can be detected with the help of a data-centric security program which tracks data movement externally as well as internally.
May 2012: University of Nebraska
Another university breach; this one resulted from the university consolidating into a monolithic system, allowing the intruder access to 654,000 student records. If organizations decide that a monolithic system is more efficient, the security behind it must be very solid.
June 2012: LinkedIn
Unlike Zappos, LinkedIn was caught with its pants down on this breach. They thought they could get away with just any old encryption scheme, leading to a breach of over 6.5 million user passwords and a relatively slow response. Let this be a lesson learned and better luck next time.
Though many of the security vulnerabilities of web applications have already been resolved, there is still very weak security for mobile applications according to many security companies. All of the security battles fought and won in developing security for websites are not being applied and are lost on smartphone app developers. App developers are more interested in rapidly developing the app than in securing it properly, leaving it wide open for breaches.
It seems like SQL injection vulnerabilities are being addressed and are vanishing in the web application world, but unfortunately they are being ignored in mobile applications. Has no one learned their lesson? Even the big companies are ignoring these issues.
Those mobile app developers who really want to succeed in the market would benefit greatly from the lessons learned in web application security. Resolving these vulnerabilities would give them a huge edge over those who are ignoring them and only focusing on the rush to develop and market.
Security experts have been assessing the potential risks involved in using Google Now, introduced on Wednesday as Google’s latest smart assistant upgrade for Android. Now can give users useful information, such as weather warnings and the best way to get to an appointment, based on their search history.
When will the CEOs of businesses listen to the wake-up call of all these breaches and secure their IT systems properly? Weak security systems have proven to hurt their businesses, their customers, and their stakeholders financially and psychologically. There has been talk of proposing amendments to incentivize up-to-par security systems, but this responsibility rests on the shoulders of the CEO of each company.
Changes in policy will only occur when companies and consumers become aware of these issues and demand that their systems be secured against any weaknesses which can cause breaches and financial loss. Therefore, it’s crucial for every company to have a Chief Security Officer if they don’t already. There is also a need for “penetration testing,” which is used to test the security level of the computer network by simulating attacks on the system. This way, real attacks can be prevented and, in the event of a real attack, damage can be minimized.