This web application and API vulnerabilities webinar was presented by Kyle Lai on 07/18/2020 at CISO Platform, a 40,000-member international community dedicated to information security (www.cisoplatform.com). 43% of all data breaches in 2019 were the result of hacker attacks on web applications, more than twice as many as reported in 2018 (Verizon DBIR). Kyle discusses the most prevalent web application and API vulnerabilities and recommends best practices and tools to mitigate them.
Why Modern Web Applications and API’s Are Not Secure:
- Insufficient training on modern authentication (OAuth, OIDC) and secure handling of access tokens
- Insecure implementation of OAuth leads to access token leaks and account takeover
- Insufficient training on new technologies and platforms such as cloud and OAuth
- Lack of developer training in secure coding practices
- Attack trends and current mitigation techniques aren’t being incorporated into coding practices
- Security is being compromised in the DevOps pipeline in favor of deployment speed
- Weak security in open source libraries and container vulnerabilities
- Web applications and APIs inherit vulnerabilities from open source components
- Rate limiting and session management are lacking
- Lack of penetration testing to identify vulnerabilities
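The first two points above (token leaks and account takeover from an insecure OAuth implementation) come down to a few checks in the client's callback handling. The following Python example is added here and is not code from the webinar or from any project it mentions; the redirect URIs, session dictionary and function names are constructed for illustration. It places a weak check beside its hardened form: prefix matching of the redirect URI versus exact matching against the registered allowlist (as RFC 6749 section 3.1.2.3 and OAuth 2.1 require), and a callback that ignores `state` versus one that binds a one-time `state` to the user's session and compares it in constant time.

```python
"""Added example (not from the webinar): validating an OAuth 2.0 / OIDC
authorization response on the client (relying party) side.

Weak and hardened versions are shown for two checks whose absence leads to
token leakage or account takeover. All URLs, names and the session store are
constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the exact redirect URIs registered for this client.
REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.com/oauth/callback"})
REGISTERED_ORIGIN = "https://app.example.com"


def redirect_uri_allowed_weak(uri: str) -> bool:
    """Weak check: prefix match on the registered origin. It also accepts
    'https://app.example.com.evil.test/cb', so the authorization server would
    send the code (or token) to a host the client never registered."""
    return uri.startswith(REGISTERED_ORIGIN)


def redirect_uri_allowed(uri: str) -> bool:
    """Hardened check: exact string match against the registered allowlist,
    https only, and no fragment (fragments are where implicit-flow tokens
    would land)."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return uri in REGISTERED_REDIRECT_URIS


def begin_login(session: dict) -> str:
    """Create an unguessable one-time state value, bind it to the user's
    session and return it for inclusion in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def finish_login_weak(session: dict, callback_url: str) -> str:
    """Weak callback handler: `state` is never checked, so a response crafted
    for a different session is accepted (login CSRF / session fixation)."""
    return parse_qs(urlsplit(callback_url).query).get("code", [""])[0]


def finish_login(session: dict, callback_url: str) -> str:
    """Hardened callback handler: consume the one-time state, compare it in
    constant time, surface authorization-server errors, and only then return
    the authorization code for the token exchange."""
    expected = session.pop("oauth_state", None)  # one-time use
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: response not bound to this session")
    if "error" in query:
        raise PermissionError(f"authorization server error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("missing authorization code")
    return code


if __name__ == "__main__":
    print(redirect_uri_allowed_weak("https://app.example.com.evil.test/cb"))  # True (flaw)
    print(redirect_uri_allowed("https://app.example.com.evil.test/cb"))       # False
    session = {}
    state = begin_login(session)
    url = f"https://app.example.com/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print(finish_login(session, url))
```

The hardened handler pops the state from the session before comparing, so a replayed callback fails even if the first one succeeded; the comparison uses `hmac.compare_digest` on bytes so that non-ASCII input cannot raise a `TypeError` and a timing difference cannot leak the expected value.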
To Reduce Web Application Vulnerabilities:
- Train developers on secure coding practices.
- Also train software developers on the organization’s modern authentication (e.g. OAuth) implementation
- Review authentication and authorization design and implementation
- Remove credentials from code and configuration files; use a key vault
- Train developers to securely develop in cloud platforms with cloud features
- Always fix the root cause of vulnerabilities
- Implement Web Application Firewall (WAF)
- Scan for vulnerabilities in the code (Static Testing) and when the web app is running (Dynamic Testing)
- Likewise, scan open source components for vulnerabilities and apply patches (NPM, Maven, PyPI)
- In addition, scan supporting infrastructure such as containers and web servers for vulnerabilities, and apply patches
- Perform manual vulnerability assessment / penetration testing on high risk web applications and APIs
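Two of the recommendations above, removing credentials from code and configuration files and scanning the code statically, can be combined in a small check that runs in the pipeline. The Python example below is added here and is not code from the webinar; the detection rules, the sample configuration text and the `load_secret` stand-in for a key vault client are constructed for illustration, and the `vault://` and `${VAR}` reference forms are an assumed convention, not any particular product's syntax. It flags literal secret values while letting references to a secret store pass, and it redacts the value in its own output so the scan log does not become another copy of the secret.

```python
"""Added example (not from the webinar): a minimal static check for
credentials left in source or configuration files, plus a secret loader that
refuses to fall back to a hard-coded default.

Rules, sample text and reference conventions are constructed for illustration.
A real pipeline would use a dedicated secret scanner and the vault vendor's
client; the detection idea is the same.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample config. AKIAIOSFODNN7EXAMPLE is the AWS documentation
# example key id, not a real credential.
SAMPLE_CONFIG = """\
# constructed sample settings file, not from any real project
db_host = db.internal.example
db_password = "Sup3r-Secret-Value-123"
api_key: ${API_KEY}
client_secret = vault://prod/app/client-secret
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

# Assignment of a secret-looking key to a literal of at least 8 characters.
KEY_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]{8,})"
)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Assumed convention for references that belong in config: env vars and
# vault paths. These are what we want to see instead of literal values.
SECRET_REFERENCE = re.compile(r"^\$\{?[A-Z0-9_]+\}?$|^vault://")


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str  # never contains the full secret value


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognizable, drop the rest."""
    return value[:3] + "***"


def scan_text(text: str) -> List[Finding]:
    """Scan one file's contents and return findings in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_ACCESS_KEY_ID.search(line)
        if m:
            findings.append(Finding(line_no, "aws-access-key-id", redact(m.group(0))))
            continue
        if PRIVATE_KEY_BLOCK.search(line):
            findings.append(Finding(line_no, "private-key-block", "PEM private key"))
            continue
        m = KEY_ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1), m.group(2)
            if SECRET_REFERENCE.match(value):
                continue  # indirection to env or vault: this is the desired state
            findings.append(Finding(line_no, "credential-assignment", f"{key}={redact(value)}"))
    return findings


def load_secret(name: str, store: dict) -> str:
    """Stand-in for a key vault client (assumption: the store is a mapping such
    as os.environ populated by the vault integration). It fails closed rather
    than returning a built-in default the code would otherwise ship with."""
    value = store.get(name)
    if not value:
        raise KeyError(f"secret {name!r} not provided by the secret store")
    return value


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Running it over the constructed sample reports the literal `db_password` on line 3 and the AWS key id on line 6, while the `${API_KEY}` and `vault://` references on lines 4 and 5 pass. In a pipeline the non-empty findings list is the gate: fail the build, and move the flagged value into the key vault referenced by `load_secret`.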
Please see our related discussion of recent Verizon Data Breach Investigation Reports (DBIR)