Open-source software is a great way to add proven functionality to your application, but it comes with risks in the form of software vulnerabilities. If you are using open-source components (and with all likelihood you are), it is important to keep track of new vulnerabilities as they are discovered, so you can upgrade to the latest, patched-up version of the software.
One tool you can use to keep track of open-source vulnerabilities is the list provided by the Open Web Application Security Project (OWASP), which was last updated in 2017. The OWASP Top 10 covers the most critical security risks for web applications.
The following tips should help you protect your software against the OWASP Top 10 vulnerabilities.
1. Establish a Security Plan
Define the security requirements of your organization and lay them out in a clear plan. This should include guidelines for preventative and remediation actions and stipulate who is responsible for carrying out these tasks. Your security strategy should consider the three phases of the vulnerability management cycle: detection, reporting and remediation.
2. Implement Continuous Testing
Continuous testing falls neatly into a CI/CD pipeline, extending the agile philosophy to security. This involves implementing automated tests to complement traditional, more time-consuming and labor-intensive testing techniques. Another crucial aspect of continuous testing is that it occurs throughout the software development lifecycle (SDLC), reducing security debt and the associated bottlenecks later on.
The time you save with continuous testing methods not only helps to shorten software delivery cycles but also enables you to efficiently maintain security once your application has been deployed. Thus, you can detect vulnerabilities in active applications.
3. Use Vulnerability Libraries
You should take advantage of third-party vulnerability libraries, such as the National Vulnerability Database, and correlate the information they provide with the OWASP Top 10. This will ensure that you cover all your bases and protect your application from all vulnerabilities, and not just the famous ones.
To fully leverage the vulnerability testing conducted by the open-source community, you should regularly scan for vulnerabilities. Vulnerability scanners keep track of multiple libraries to keep you constantly updated.
4. Apply Patches and Updates Immediately
Time is of the essence when it comes to mitigating software security threats. Your software almost certainly contains vulnerabilities, though these usually pose a minimal threat while they remain undiscovered. However, once a vulnerability is publicized, attackers can use that information to build exploits, so a known but unpatched vulnerability in your software may well be under active attack before you get around to fixing it.
For this reason, you need to ensure that patches are applied before the vulnerabilities are exploited. There are automated vulnerability management tools that can identify and patch vulnerabilities for you.
5. Scan for Dependencies
Your applications may contain open-source components and dependencies that you are unaware of. This blind spot can provide the perfect opportunity for an attacker to run an exploit without you even knowing. Thus, it is important to maintain visibility over your software and dependencies, and to inventory your assets.
You can use a dependency scanning tool, such as OWASP Dependency-Check, to help you find potentially vulnerable components in your software.
6. Log Security Activities
You should implement security logging during the runtime operation of your application. The information you log will then be readily available for forensic analysis and to feed intrusion detection systems. For example, logging user activity can help identify indicators of malicious behavior. Logging is also often a requirement to meet compliance standards and is essential for demonstrating your security history.
7. Use Secure Coding Practices
There are a number of coding practices that you can use to prevent exploits, including output encoding, escaping and encryption. For sensitive data, such as access credentials and personally identifiable information, you should use encryption, ensuring that only users with a decryption key can access the data. Data should be encrypted both in transit and at rest.
Escaping is a measure for preventing misinterpretation: a special character is added so that a fragment is treated as literal text rather than, for example, as the closing of a string. Encoding, on the other hand, protects data from the risks presented by the target interpreter (a browser, a database, a shell) and involves translating characters that are meaningful to that interpreter into equivalent special sequences. It should be noted, however, that encoding is not the same as encryption: it is fully reversible and does not conceal data from malicious eyes.
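Added example (not code from the original article): the same untrusted value encoded for three different target interpreters on one page, HTML text, an HTML attribute and a JavaScript string literal, plus a check that HTML encoding decodes straight back, which is why it is not a substitute for encryption. The sample input and function names are constructed for this illustration.

```python
import html
import json

# Constructed sample input containing HTML and string metacharacters
# (not an input from the original article).
SAMPLE = "Tom's <b>\"special\"</b> offer & more"


def encode_for_html_text(value: str) -> str:
    """Encode for placement between HTML tags: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Encode for a double-quoted HTML attribute value (same entity set;
    always quoting the attribute in the template is what makes it sufficient)."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> element.
    json.dumps yields a quoted, escaped literal; the extra replacements keep
    '</script>' and Unicode line separators from ending the script block early."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_greeting(name: str) -> str:
    """Build one page fragment that uses the same value in three contexts,
    each with the encoding its interpreter expects."""
    return (
        f"<p title=\"{encode_for_html_attribute(name)}\">"
        f"Hello, {encode_for_html_text(name)}</p>\n"
        f"<script>var user = {encode_for_js_string(name)};</script>"
    )


def html_encoding_is_reversible(value: str) -> bool:
    """Encoding is not encryption: anyone can decode it back to the original,
    so it preserves document structure but gives no confidentiality."""
    return html.unescape(encode_for_html_text(value)) == value


if __name__ == "__main__":
    print(render_greeting(SAMPLE))
    print("reversible:", html_encoding_is_reversible(SAMPLE))
```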
8. Secure Access to Your Development Environment
Some attacks can be executed from the inside, by injecting malicious code (e.g. SQL injection) or exfiltrating data. Your best bet to prevent unauthorized access is to implement access control measures, such as Role-Based Access Control (RBAC) and Discretionary Access Control (DAC), to restrict access to trusted users.
Authorization and authentication help enforce these access rules, preventing external attackers (and in some cases, malicious insiders) from gaining access to your computing environment. You can use two-factor, multi-factor or cryptographic authentication to
9. Prioritize Critical Vulnerabilities
Not all vulnerabilities are equal, and given that security threats are time-sensitive, it is important to prioritize the vulnerabilities in your software according to the risk they pose. To determine the importance of each vulnerability, consider the assets it affects, how those assets relate to your business operations, and the impact it may have on your overall computing environment. The OWASP Top 10 should also help give you an idea of which vulnerabilities to remediate first.
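Added example serving tips 5 and 9 together (not code from the original article or from the Dependency-Check project): a small CI step that reads a JSON report in the shape Dependency-Check produces, ranks each finding by CVSS scaled by how critical the affected component's business asset is, and fails the build above a CVSS threshold in the spirit of Dependency-Check's --failOnCVSS option. The report, component names, CVE ids and asset weights are all constructed placeholders, and the report shape is a simplified assumption.

```python
import json

# Constructed report in the (simplified, assumed) shape of an OWASP
# Dependency-Check JSON report. Component names and CVE ids are placeholders.
REPORT_JSON = """
{"dependencies": [
  {"fileName": "payments-parser-1.2.jar",
   "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "CRITICAL",
                        "cvssv3": {"baseScore": 9.8}}]},
  {"fileName": "legacy-util-2.0.jar",
   "vulnerabilities": [{"name": "CVE-0000-0002", "severity": "HIGH",
                        "cvssv3": {"baseScore": 7.5}}]},
  {"fileName": "report-mailer-0.4.jar",
   "vulnerabilities": [{"name": "CVE-0000-0003", "severity": "MEDIUM",
                        "cvssv3": {"baseScore": 5.3}}]},
  {"fileName": "internal-logger-3.0.jar"}
]}
"""

# Hypothetical business weighting (tip 9): how critical the asset served by
# each component is. 1.0 = internet-facing and handles sensitive data.
ASSET_WEIGHT = {"payments-parser-1.2.jar": 1.0, "report-mailer-0.4.jar": 0.4}


def load_findings(report_json):
    """Flatten the report into one record per (component, CVE).
    Components without a 'vulnerabilities' key are clean and skipped."""
    findings = []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", vuln.get("cvssv2", {})).get("baseScore", 0.0)
            findings.append({"component": dep["fileName"], "cve": vuln["name"],
                             "cvss": float(score),
                             "severity": vuln.get("severity", "UNKNOWN")})
    return findings


def prioritize(findings, asset_weight, default_weight=0.5):
    """Rank findings by CVSS scaled by asset criticality, highest first.
    Unknown components get a middling weight rather than being ignored."""
    for f in findings:
        weight = asset_weight.get(f["component"], default_weight)
        f["priority"] = round(f["cvss"] * weight, 2)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


def gate(findings, fail_on_cvss=7.0):
    """CI gate: True means the build may proceed (no finding at or above
    the threshold); mirrors the idea behind Dependency-Check's --failOnCVSS."""
    return all(f["cvss"] < fail_on_cvss for f in findings)


if __name__ == "__main__":
    ranked = prioritize(load_findings(REPORT_JSON), ASSET_WEIGHT)
    for f in ranked:
        print(f"{f['priority']:5.2f}  {f['component']:25} {f['cve']} ({f['severity']})")
    print("build may proceed:", gate(ranked))
```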
10. Allow for Unpatchable Vulnerabilities
Not all vulnerabilities can be fixed, so it is important to consider your response in the event that you come across such a vulnerability. To determine whether it is necessary or feasible to delete or replace the affected component, run a risk analysis. However, in some cases, replacement is not a viable option. In such cases, you should implement other measures to minimize the risk of exploitation and report it as an accepted risk.
There is an overwhelming number of vulnerabilities out there, and it can be difficult to know where to start. The OWASP Top 10 list provides a good starting point, raising awareness as to the most common and severe web application security risks. To proactively protect against security threats, and to enable the remediation of exploits, it is important to implement a number of complementary security measures that will help you stay on top of the OWASP Top 10. The ten tips presented above should help you cover your bases when planning your web application security strategy, so you can rest a little easier and focus your energies on developing your application.
Author Bio: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Gilad can be contacted via LinkedIn.
Gilad David Maayan is a guest blogger. All opinions are his own.