Meetup Vulnerabilities: Escalation of Privilege and Redirection of Funds
How CSRF affects companies
Cross-Site Request Forgery (CSRF) is a vulnerability which can be exploited on vulnerable web applications. The exploit is successful when a web application accepts a malicious request that it would normally reject. In this case, the web application is tricked into believing that a specific user has been authenticated with the website. But in reality, it is a forged authentication. Once the vulnerability has been successfully exploited, the attacker can gain access to specific functions of the web application.
Cross-Site scripting defined
CVE, which stands for Common Vulnerabilities and Exposures, is an encyclopedia of unique, publicly known security vulnerabilities and exposures maintained by the MITRE Corporation. The database, which was launched in 1999, is free and available for public use. In the CVE, a vulnerability is a mistake in the software which could be used by a hacker to infiltrate the application or network, while an exposure is a mistake that could be used as part of the process to accessing an app or network.
CVS (Concurrent Versions System) is a system for managing the source code within a development team. It allows for collaborative development by supporting a means of tracking each change made to the source code over any period of time. CVS was one of the first pieces of software to support this functionality and generally today, it is used in older operating environments as there are more powerful tools available on the market now. However, CVS static code analysis isn’t supported by CVS itself. External static code analysis solutions that can integrate into CVS and pull sources from it should be used.
The Common Weakness Enumeration Specification, shortened as CWE, is an formal list of common, real-world software vulnerabilities to offer one common language to all the different entities developing and securing software. CWE’s ultimate goal is to help the security testing industry mature in their application security programs and the security testing of their projects.
The CWE is written in one common language to incl for the causes of security vulnerabilities found in software and applications. It’s a community project which is contributed to and designed by developers and software engineers alike from around the world.
CWE focuses on several areas of software development for enterprise level entities. One area is where Software Assurance and resources are dedicated to ensuring that the supply chain for software is protected from vulnerabilities. This looks at incrementally improving approaches to software assurance that reduce risk and the chance of new code being exposed to known problems.
Cybersecurity can be defined as the body of processes, practices, safeguards, and technologies an organization uses in the protection and defense of information systems. Along with information systems protection, cybersecurity is also concerned with protecting the software and hardware against attack.
Research from the Gartner Group has demonstrated that nearly 75% of successful attacks made against an application are exploiting vulnerabilities which are already well understood, and for which a patch or remediation recommendation for is available. Some say that DevOps can by its very nature make software less secure. That’s because DevOps teams work with agile methodologies, and often in continuous deployment environments that may quickly fall behind the application security practices used in environments with fewer deployments.
Directory Traversal Defined
Directory Traversal (DT) is a HTTP exploit that malicious hackers use in order to gain access to account directories and the data contained within. A successful exploit can result in the entire web server being compromised, including access to directories that are used to control access to restricted areas. For example, the Root Directory is the top-level directory on the server’s file system. Directory Traversal can be used to gain unauthorized access to this sensitive directory. However, Access Control Lists (ACLs) can be used to control and manage user access for viewing, modifying and executing files.
Droid Intent Data Flow Analysis for Information Leakage (DidFail) is an analysis method that is designed to identify and expose potential data leaks within Android applications. This methodology eventually helps developers learn about secure coding practices, eventually helping them to produce robust mobile applications that are tougher to crack. More and more leading organizations worldwide are introducing DidFail into their environments to enhance mobile application security.
How critical is secure development?
Web threats are constant threats to company security. A single data breach can cost companies thousands or even millions of dollars. If a malicious attacker gains unauthorized access to the company network, it can put sensitive company information, confidential customer and client information, and company assets at risk. Malware is the leading cause of data breaches, and malicious code can often be hidden in application code without detection. Applications, whether developed on-site or third-party implementations, must be completely secured. The cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145, while overall, the average data breach has increased 15% over the last year for total company response costs of $3.5 million.