6 ways to address the OWASP top 10 vulnerabilities

Introduction

The OWASP top 10 list of vulnerabilities has long been the source of data that information security professionals trust with making critical security decisions. There are many different sources where you can read about these vulnerabilities, especially from OWASP itself. 

We thought that we would take a slightly different approach and talk about some of the best practices that you can institute when trying to apply the OWASP recommendations. This means a brief description of the problem and then some ideas on how you can implement the solution, using the best practice recommendations by OWASP themselves. Let’s get started.

1. Injection

Injection vulnerabilities cover issues and flaws that have to do with SQL, NoSQL, OS and even Lightweight Directory Access Protocol (LDAP). The injection vulnerability happens when an attacker sends malicious data that is seemingly legitimate or harmless into an application or interpreter as part of valid user input. This means that although the data appears to be legitimate to the application, the command that is executed will have unintended and negative consequences to the system.

Best practice

Luckily, there are many things that can be done to prevent these kinds of attacks. The main best practice approach is to institute data validation within your application. This means that user input fields must be tightened up. Only characters that are absolutely necessary must be allowed. This prevents an attacker from slipping in a command or query into a text input because the character will be validated and rejected, based on your design. 

Another important place to strengthen your defenses against injection is in your patching. Applications, services and operating systems institute security updates and vulnerability patching on a regular basis, and this is one of the best and easiest ways to ensure that your applications and systems (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/mc_HZ52jcsQ/