Year after year, new studies from well-known vendors and research institutions underscore that we still have a long way to go with this thing we call security. Beyond the malware threat, which grows a bit more complicated each year, the studies show that we continue to miss the bar when it comes to protecting critical systems and sensitive information assets. In a nutshell, we’re missing the basics: the flaws we already know about and already have solutions for, but haven’t yet found the time or the political backing to resolve. Here is why, in 2016, software security, even basic application security, is still as important as ever.
2016 Software Security Weaknesses:
In terms of software and application security, a number of issues are widespread in just about any network environment. Such weaknesses include:
- SQL injection that gives an attacker direct query access to the back-end database
- Weak passwords and weak password enforcement mechanisms that facilitate password cracking and unauthorized access
- Local file inclusion that allows attackers to read local system files, such as configuration files holding credentials
- Cross-site scripting that allows attackers to glean information from application users, including their session cookies
- Buffer overflows that facilitate remote shell access or denial of service
- Default and test files left lying around on servers that contain vulnerable or exploitable code
- User session management weaknesses, such as predictable or never-expiring session tokens, that allow attackers to take over user login sessions
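The first item on that list is the easiest to demonstrate. The following is an added example, not code from the original article: a vulnerable lookup that splices user input into the SQL text, beside its parameterized counterpart, run against a constructed in-memory SQLite table (the table, rows and payload strings are all assumptions made up for the demonstration). It shows both the classic tautology payload that returns every row and a UNION payload that pulls a different column entirely, which is what "direct query access to the database" means in practice.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret-hash-1"),
    ("bob", "s3cret-hash-2"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the user-supplied value becomes part of the SQL text,
    so quotes, operators and comment markers inside it are parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, whatever it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with a benign name and two injection payloads."""
    conn = make_db()
    # Tautology payload: closes the string, then ORs in an always-true clause.
    tautology = "' OR '1'='1"
    # UNION payload: closes the string, appends a second SELECT that reads a
    # different column, and comments out the trailing quote with "--".
    union = "' UNION SELECT password_hash FROM users --"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_union": lookup_vulnerable(conn, union),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "parameterized_union": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the tautology payload returns every username and the UNION payload returns the password hashes; against the parameterized function both payloads are simply treated as a username nobody has and return nothing. The fix is not input filtering but keeping data out of the query text, which is why parameterized queries (or an ORM that uses them) are the baseline control here.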
In many cases, these issues are uncovered through vulnerability scanning, penetration testing, or source code analysis. In a lot of instances, though, people have yet to acknowledge the problems. Ignorance is bliss, but only until you get breached. At that point, you’re forced to find and fix the issues that should have already been addressed.
When you combine these challenges with the lack of security knowledge on the part of many developers and QA professionals, it’s a recipe for a breach and lawyer involvement, not to mention the subsequent investigations and ramped-up audits. None of that is fun, or cheap. Why not spend your time, money and effort on preventative security instead? Take a look at your web applications, mobile apps and client/server programs. Even seemingly innocuous marketing websites and content management systems have flaws that can leave deep scars if used against you.
Test now. Test ongoing. Most importantly, be persistent in your efforts.
To read Kevin Beaver’s “Common Oversights in Mobile App Security” click here.