The Open Web Application Security Project (OWASP) publishes a regularly updated list of the ten most critical web application security risks, with the aim of raising awareness and helping organizations build a culture of more secure code.
With that in mind, let’s take a look at the top five:
1. Broken Access Control
This means that restrictions on what authenticated users are allowed to do are not properly enforced. An attacker who is logged in as an ordinary user can then read other users’ files, modify other users’ data, or change their own access rights, typically by tampering with an object id or role value that the server trusts without checking it against the session.
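The most common form of this is an insecure direct object reference: the handler checks that the caller is logged in, then hands back whatever record id the request names. The following is an added example, not code from the original post or from OWASP; the users, document ids and contents are constructed for the example, and the "session_user" argument stands in for whatever identity your framework recovers from the server-side session.

```python
# Added example: broken access control via an insecure direct object reference.
# All names and data below are constructed for the example.

class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""

# Two users, each owning one document; the numeric id is what the client sends in the URL.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}

def get_document_vulnerable(session_user, doc_id):
    """Checks that *someone* is logged in, then trusts the client-supplied id and never
    asks whether this user owns it. Any authenticated user can change 101 to 102 in the
    request and read another user's record."""
    if not session_user:
        raise Forbidden("login required")
    return DOCUMENTS[doc_id]["body"]

def get_document_fixed(session_user, doc_id):
    """Object-level authorization: load the record, then compare its owner with the
    identity taken from the server-side session, never with anything the client sent."""
    if not session_user:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # Deny by default, and give the same answer for "no such id" and "not yours" so a
    # probing client cannot tell which ids exist.
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("access denied")
    return doc["body"]

def try_read(handler, session_user, doc_id):
    """Convenience wrapper for demos and tests: the document body, or None if refused."""
    try:
        return handler(session_user, doc_id)
    except (Forbidden, KeyError):
        return None
```

The fix is not a blacklist of "bad" ids; it is an ownership check on every object access, done on the server with the session's identity. The same shape applies to update and delete handlers, which are usually the ones people forget.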
2. XML External Entities
Fun to say, not fun when it happens. Many older or badly configured XML processors evaluate external entity references inside XML documents, so an attacker who can submit XML can declare an entity that points at a file path or a URL and have the parser fetch it. That can be used to disclose internal files, scan internal hosts and ports from the server, cause denial of service (for example through recursive entity expansion), and in some configurations achieve remote code execution.
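The simplest reliable defence is to refuse DTDs altogether in anything that parses untrusted XML: with no DOCTYPE there is nowhere to declare an entity, so neither external entities nor "billion laughs" expansion can be expressed. Below is an added example, not from the original post or from OWASP, using Python's standard expat binding; the two malicious payloads are constructed, abbreviated illustrations of the classic attacks, not real captured traffic.

```python
# Added example: refusing DTD features when parsing untrusted XML with expat.
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use DTD features we never want to honour."""

# Constructed XXE payload: the DTD declares an entity pointing at a local file and the
# body expands it, so the file contents end up in the parsed data, an error message,
# or (with a URL instead of a file) an outbound request from the server.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><customer>&xxe;</customer></order>"""

# Constructed (and heavily shortened) "billion laughs" payload: nested internal entities
# that expand exponentially and exhaust memory or CPU.
LOL_PAYLOAD = b"""<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<lolz>&lol2;</lolz>"""

SAFE_PAYLOAD = b"<order><customer>alice</customer></order>"

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, refusing any DOCTYPE or external entity.

    Returns a flat {element_name: text} mapping, which is all this example needs.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as "<!DOCTYPE" is seen, before any entity is declared or expanded.
        raise UnsafeXML("DOCTYPE %r not allowed in untrusted input" % name)

    def reject_external_entity(context, base, system_id, public_id):
        # Belt and braces: never fetch an external entity even if a DTD got through.
        raise UnsafeXML("external entity %r not allowed" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    result, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def on_text(text):
        if stack and text.strip():
            result[stack[-1]] = result.get(stack[-1], "") + text
    parser.CharacterDataHandler = on_text

    parser.Parse(data, True)   # exceptions raised in the handlers propagate from here
    return result

def is_rejected(data):
    """True if the document is refused as unsafe, False if it parses."""
    try:
        parse_untrusted_xml(data)
        return False
    except UnsafeXML:
        return True
```

If your application genuinely needs a DTD for some trusted documents, parse those with a separate, explicitly configured parser; the untrusted path should stay on the strict one. For a library rather than a one-off parser, the defusedxml package wraps the standard parsers with equivalent checks.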
3. Sensitive Data Exposure
This is where sensitive data such as credentials, financial or health records is not protected properly: it is sent or stored in the clear, or protected with weak or misconfigured cryptography, leaving it exposed for attackers to steal or modify. At a minimum, enforce TLS for everything in transit and store secrets like passwords only as salted, slow hashes.
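The in-transit half of this is frequently lost not by design but by a developer switching certificate checking off to make a test environment work and never turning it back on. The following added example (not from the original post or from OWASP) puts that weak client configuration next to a hardened one using Python's standard ssl module, plus a policy check you can run over any context before it is used. Encryption at rest needs a proper library and is not shown here.

```python
# Added example: weak versus hardened TLS client configuration (Python 3.7+ assumed).
import ssl

def insecure_client_context():
    """The 'make the warning go away' configuration: no certificate or hostname check,
    so any on-path attacker can present their own certificate and read or modify the
    data in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context():
    """Verified TLS only: system trust store, hostname check, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx

def context_is_safe(ctx):
    """Policy check a test or code review can apply to any SSLContext before use."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

A useful habit is to build every outbound connection from one audited factory like hardened_client_context() and fail the build if a grep finds CERT_NONE or check_hostname = False anywhere else.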
4. Broken Authentication
If authentication and session management are implemented incorrectly, attackers can compromise passwords, keys, or session tokens, or exploit other implementation flaws, and assume other users’ identities temporarily or permanently.
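Two things account for much of this category: passwords stored in a form that is cheap to crack once the table leaks, and session tokens that are guessable or never expire. Here is an added example, not from the original post or from OWASP, of a minimal login and session layer done carefully with the Python standard library: salted slow password hashes, a constant-time comparison, tokens from the OS random source, and an idle timeout. The iteration count and timeout are assumed values for the example, and the injectable clock exists only so the expiry can be exercised without waiting.

```python
# Added example: password storage and session management that avoid the usual mistakes.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumed for the example; tune upward as hardware allows
SESSION_TTL = 15 * 60         # assumed 15-minute idle timeout, in seconds
SALT_LEN = 16

def hash_password(password):
    """Salted, deliberately slow hash. A leaked table of these is expensive to crack,
    unlike plain text or a single fast digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time, no early exit

# Hashed once so unknown-user logins cost the same time as wrong-password logins.
DUMMY_HASH = hash_password("not-a-real-password")

class SessionStore:
    """Server-side sessions keyed by an unguessable token."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # token -> (username, last_seen)
        self._clock = clock

    def login(self, username, password, users):
        """users maps username -> stored hash. Returns a fresh token or None."""
        stored = users.get(username)
        # Always run the hash, even for unknown names, so response time does not
        # reveal which accounts exist.
        ok = verify_password(password, stored if stored else DUMMY_HASH)
        if not (stored and ok):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter
        self._sessions[token] = (username, self._clock())
        return token

    def user_for(self, token):
        """Resolve a presented token to a user, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > SESSION_TTL:
            self._sessions.pop(token, None)    # expired: same as logged out
            return None
        self._sessions[token] = (username, self._clock())
        return username

    def logout(self, token):
        self._sessions.pop(token, None)
```

Note that a new token is minted on every successful login rather than reusing one the client already holds, which closes session fixation, and that expiry is enforced on the server rather than trusted from a cookie attribute.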
5. Injection
Whether it’s SQL, NoSQL, OS command, or LDAP injection, untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without authorization.
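The SQL case is the one everybody knows and still ships. The following added example, not from the original post or from OWASP, puts the vulnerable query next to the parameterized one against a small constructed SQLite table, so you can see exactly what the interpreter receives in each case. Passwords are stored in plain text here only to keep the injection example short; a real table stores salted hashes.

```python
# Added example: SQL injection through string formatting, and the parameterized fix.
import sqlite3

def make_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 0), ("bob", "hunter2", 0), ("root", "toor", 1)],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the query text, so SQLite sees whatever structure
    the attacker typed. username="root' --" comments out the password check entirely."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))

def login_safe(conn, username, password):
    """Placeholders keep the query structure fixed; the values are bound separately and
    can never be interpreted as SQL, whatever quotes or comments they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))
```

The same principle carries over to the other interpreters the list names: pass arguments to subprocess as a list rather than a shell string, use your NoSQL client's query objects rather than building JSON by hand, and escape LDAP filter values with the client library's escaper.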
Those are just the top five. If you don’t want to be the next headline because of a data breach, get the full top 10 list from OWASP and use it to raise awareness in your team.