/nov 2, 2015

10 Common Security Vulnerabilities

By Evan Wade

You don't need to be an expert to know that hacks, attacks and other digital security breaches are never a good thing. But one industry's annoyance is another industry's nightmare — and if you've read Veracode's "State of Software Security Report, Volume 6," then you know that most common security vulnerabilities are more frequent in some industries than others. Here's a brief look at the top 10 attacks on the list:

1. Code Quality Issues

This issue's number one for a reason. Every industry queried in Veracode's study saw at least half their submitted apps impacted by poor code issues. That's a mind-boggling thought, and a call to action for all industries to implement secure coding practices like early expert input and frequent, automated scanning.

2. Cryptographic Issues

Cryptographic issues are some of the most common security vulnerabilities because cryptography hides important stuff: If passwords, payment info or personal data need to be stored or transmitted, you can bet they're encrypted in some way or another. Cryptography is also a field unto itself, with white- and black-hat experts galore, so make sure you talk to an expert instead of developing your own. It's just common sense.

3. Information Leakage

Information leakage takes a lot of forms, but the basic idea behind it is simple: When attackers and others can see info they aren't supposed to, and when that info can be used to do something harmful (launch an injection attack, for instance, or steal user data), then you've got a leak. Because it has so many faces, dealing with it requires a truly security-minded expert. Enough said.

4. CRLF Injection

CRLF injection is, at a basic level, a sort of gateway to bigger attacks. By placing end-of-line commands in unexpected places, attackers can inject code that does all sorts of nasty things, according to Veracode, including website defacement, Cross-Site Scripting, browser hijacking and a lot more. Though it's potentially easier to defend against than some other attacks, woe be unto those who ignore it.

5. Cross-Site Scripting

Another injection attack, Cross-Site Scripting (otherwise known as XSS) occurs when attackers abuse areas of a site built around dynamic content, executing code that could result in hijacked user accounts, hijacked web browsers, and more. This is especially an issue in content forms that allow for common coding characters like question marks and slashes. This Veracode blog piece gives more info on the attack and the troubles it can cause, as well as solutions.

6. Directory Traversal

Directory traversal is scary because it doesn't require much in the way of tools or knowledge to do damage. Indeed, anyone with a web browser and mastery of basic concepts could attack an unprepared site, gaining access to the larger file system and all the "good" stuff it contains — usernames and passwords, critical files, and even site/application source code. Given the low barrier to entry, consulting an expert for help with this one is highly recommended.

7. Insufficient Input Validation

In a nutshell, properly handling and sanitizing your input ensures that the stuff users send to your server can only act in predictable ways. Fail to do this and you have insufficient validation — a number of common security vulnerabilities that allow malicious actors to read and steal data, hijack sessions and browsers, execute malicious code, and a lot of other nasty stuff. Don't make assumptions about what users can and cannot do with inputs — treat it all with a paranoid mind-set.

8. SQL Injection

Though it's low on this particular list, SQL injection's ease of use makes it one of the most common security vulnerabilities around. Yet another injection attack, this one's all about SQL queries: Attackers repeatedly put them in input areas, playing a guessing game that can cause users, admins and enterprises serious trouble. Want more info? This Veracode blog post breaks it down in greater detail.

9. Credentials Management

When bad people get unauthorized access to a secure system, bad things happen. Sometimes, these bad things come as a direct result of this access; other times, the access gives information that can be used to launch larger attacks. In either event, taking careful measures to confirm identity when giving access to important info is never a bad idea.

10. Time and State Errors

This one's trickier than most, and is due to the rise of distributed computing — multiple systems, multithreaded hardware and the like performing simultaneous tasks. Like a lot of other attacks, it also has a lot of faces and can result in a lot of bad outcomes when attackers utilize it, like execution of unauthorized code. It's also similar to other multifaceted attacks in that expert help is needed to negate it in all its forms — you can't defend against an attack you can't predict, after all.

Stay Secure

This is only a taste of the data available in Veracode's study. For a more in-depth look at vertical industries and the types of vulnerabilities most likely to strike them, be sure to check the full paper — and don't be afraid to reach out for help if you want to make security a stronger point of focus in your own applications. It only takes one breach to make you really wish you had.


Related Posts

By Evan Wade

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.