The previous Open Web Application Security Project (OWASP) Top Ten list of web application security risks dates from 2013, so it was some four years old when the 2017 edition appeared, first as a draft for public comment and then in its final form in November 2017. The digital landscape has changed a great deal in that short time, and the 2017 list takes account of a string of fundamental changes to the way web applications are built and integrated.
The 2017 OWASP Top Ten is consensus-based: it draws on contributed vulnerability data and community feedback, and it highlights risks created by the rapid adoption of new technologies, the widespread use of third-party frameworks and the evolution of attack techniques. The volume of input that went into it shows how important the list has become for raising awareness among developers and decision-makers within businesses and organisations. Let's take a look at some of the new additions to the OWASP Top Ten and discuss how these digital dangers relate to content marketing as a whole.
XML External Entities
XML External Entities (XXE) is one of the new entries in the 2017 list. Many older or badly configured XML processors evaluate external entity declarations found in a document's DTD. An attacker who can get XML in front of such a processor, either directly or inside a file format that is XML underneath (SVG, DOCX, SOAP and many others), can declare an entity that points at a local file or an internal URL and have the parser disclose the file's contents, reach internal systems, or, through recursive entity expansion, consume enough memory and CPU to stall the service or a downstream integration. In December 2017 it was reported that developers themselves were being targeted through XXE flaws in integrated development environments, with millions of users potentially affected. The defence is to patch and upgrade the XML processors and libraries an application uses, and to disable DTD and external entity processing wherever untrusted XML is parsed.
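The following Python is an added illustration, not code from the original article or from OWASP, of what "disable external entity and DTD processing" looks like at the parser boundary: any document that carries a DOCTYPE is refused before a single entity it declares can be expanded, which removes both file disclosure through external entities and entity-expansion denial of service in one check. It uses only the standard library. CPython's ElementTree does not fetch external entities on its own, but it does expand internal ones and the same XML is often handed on to other parsers downstream, so rejecting DTDs outright is the portable policy. The payloads, the size limit, the error class and the target class are all constructed for this demo.

```python
"""Refuse untrusted XML that carries a DTD, before anything in it can expand.

Added example for this article; not the article's or OWASP's own code.
Everything here is constructed for the demo: the payloads read nothing and
contact nothing, and the size limit is a placeholder to tune per endpoint.
"""
import xml.etree.ElementTree as ET


class XMLSecurityError(ValueError):
    """Raised when untrusted XML is rejected on security grounds."""


class _NoDoctypeTarget:
    """Parser target that builds a normal tree but refuses any DOCTYPE.

    Expat invokes doctype() the moment it sees '<!DOCTYPE ...>', i.e. before
    any entity declared inside it is used, so neither an external entity
    (XXE) nor a recursive entity bomb ever gets the chance to expand.
    """

    def __init__(self):
        self._builder = ET.TreeBuilder()

    def doctype(self, name, pubid, system):
        raise XMLSecurityError(
            f"DTD rejected (DOCTYPE {name!r}, system id {system!r})")

    def start(self, tag, attrib):
        return self._builder.start(tag, attrib)

    def end(self, tag):
        return self._builder.end(tag)

    def data(self, text):
        return self._builder.data(text)

    def close(self):
        return self._builder.close()


MAX_XML_BYTES = 1 << 20  # assumed per-endpoint cap, 1 MiB for the demo


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; DTDs and oversized input are refused."""
    if len(data) > MAX_XML_BYTES:
        raise XMLSecurityError(f"document too large ({len(data)} bytes)")
    parser = ET.XMLParser(target=_NoDoctypeTarget())
    try:
        parser.feed(data)
        return parser.close()
    except ET.ParseError as exc:
        # Malformed input is a rejection too; do not leak parser internals upstream.
        raise XMLSecurityError(f"malformed XML: {exc}") from None


def demo() -> dict:
    """Run three constructed documents through the gate and report the outcome."""
    benign = b"<order><sku>ABC-123</sku><qty>2</qty></order>"
    # Classic XXE: an external entity pointing at a local file.
    xxe = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b"<order><sku>&xxe;</sku></order>")
    # A deliberately small "billion laughs" bomb (3 levels of 10 = 1000 copies).
    bomb = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
            b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
            b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
            b"]><lolz>&lol3;</lolz>")
    results = {}
    for name, doc in (("benign", benign), ("xxe", xxe), ("bomb", bomb)):
        try:
            root = parse_untrusted_xml(doc)
            results[name] = f"accepted <{root.tag}>"
        except XMLSecurityError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7s} {outcome}")
```

The same policy is expressed differently in other stacks: with lxml, construct the parser as XMLParser(resolve_entities=False, no_network=True); in PHP, never pass LIBXML_NOENT to the DOM or SimpleXML loaders. Whatever the parser, the check belongs at the point where untrusted bytes enter, not in each consumer.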
Insecure Deserialization
If a web application or API deserializes objects that an attacker supplied or tampered with, the result can be remote code execution, one of the most serious outcomes an attack can have. Serialization is widely used in content management systems (CMS), databases, file systems, cache servers and the protocols that connect them. In content marketing terms, PHP-based platforms such as WordPress are exposed through PHP object injection. The PHP manual itself (on PHP.net; PHP is the language WordPress and many other CMS products are written in) warns that developers should not "pass untrusted user input to unserialize() regardless of the options value of allowed_classes": restricting which classes may be instantiated does not make unserialize() safe. Put simply, developers who unserialize data that users can influence must patch their systems, stop passing user-controlled serialized data straight into unserialize(), and, where data has to cross a trust boundary, use a plain data format such as JSON or verify an integrity check on the serialized blob before it is deserialized.
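As an added example that is not code from the article, from PHP or from WordPress, the block below shows the same failure in Python, whose pickle module shares the defining property of PHP's unserialize(): the serialized bytes themselves decide which callable runs on load. It contrasts three options side by side: trusting the blob outright, restricting the resolvable classes (the analogue of allowed_classes, which blocks this payload but is still not a substitute for distrusting the input), and the design OWASP recommends, a plain data format with an integrity check verified before anything is decoded. The Gadget class, the key and all blobs are constructed for the demo.

```python
"""Deserializing attacker-controlled data: unsafe, restricted, and signed.

Added example for this article, not the article's, PHP's or WordPress's code.
Python's pickle is used because it has the same property as PHP's
unserialize(): the payload chooses what runs on load. Key and blobs are
constructed for the demo.
"""
import hashlib
import hmac
import io
import json
import pickle
from typing import Any


class Gadget:
    """Attacker-side only: the victim never needs this class to exist.

    pickle honours __reduce__, so the serialized bytes simply say
    "call builtins.eval with this string" and the victim obliges on load.
    """

    def __reduce__(self):
        # Harmless stand-in for os.system(...): proves code ran during loads().
        return (eval, ("'code ran on load: ' + __import__('platform').python_implementation()",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(Gadget())


def unsafe_loads(blob: bytes) -> Any:
    """What the vulnerable application does: trust the bytes completely."""
    return pickle.loads(blob)


class _RestrictedUnpickler(pickle.Unpickler):
    """Analogue of allowed_classes: only these globals may be resolved."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(blob: bytes) -> Any:
    return _RestrictedUnpickler(io.BytesIO(blob)).load()


# Safer design: a data-only format plus an integrity check on the wire.

def sign(payload: dict, key: bytes) -> bytes:
    """Serialize as JSON (no object instantiation on load) and append an HMAC tag."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_and_loads(blob: bytes, key: bytes) -> dict:
    """Verify the tag first; only authenticated bytes ever reach json.loads."""
    body, sep, tag = blob.rpartition(b".")   # the hex tag never contains '.'
    if not sep:
        raise ValueError("missing signature")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("signature mismatch: data tampered with or forged")
    return json.loads(body)


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"
    malicious = build_malicious_payload()
    out = {"unsafe": unsafe_loads(malicious)}  # attacker's eval runs right here
    try:
        restricted_loads(malicious)
        out["restricted"] = "accepted"
    except pickle.UnpicklingError as exc:
        out["restricted"] = f"blocked: {exc}"
    signed = sign({"user": "alice", "role": "editor"}, key)
    out["signed_ok"] = verify_and_loads(signed, key)
    tampered = signed.replace(b'"editor"', b'"admin"')  # privilege escalation attempt
    try:
        verify_and_loads(tampered, key)
        out["tampered"] = "accepted"
    except ValueError as exc:
        out["tampered"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

The restricted loader stops this particular payload, but it still runs the unpickling state machine on hostile input and any class it does allow becomes the next gadget candidate, which is exactly why the PHP manual says allowed_classes is no licence to feed unserialize() user input. The signed JSON path never constructs objects from the wire at all and refuses anything the application did not itself produce.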
Insufficient Logging and Monitoring
Attackers also rely on web applications with insufficient logging and monitoring. When failed logins, successful logins and high-value transactions are not logged, or the logs are not watched closely enough for anomalies to be spotted quickly, an attacker can probe, brute-force and pivot for weeks or months without being detected in time to be blocked. The problem is widespread: services need to generate logs and audit trails of access and transactional data in a form that can be easily consumed and monitored, and something has to actually act on those logs rather than merely store them.
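The following Python is an added example, not part of the original article, of what "monitored" means in practice for the three event types the paragraph names: it runs a few detection rules over a handful of constructed authentication and transaction log lines and emits alerts for a brute-force run against one account, a password spray across many accounts, a login that succeeds only after repeated failures, and a high-value transaction from an account whose most recent login was suspicious. The key=value log format, the thresholds and the ten-minute window are assumptions; a real deployment would read the application's own logger or a SIEM feed.

```python
"""Detection rules over authentication and transaction logs.

Added example for this article; not the article's own code. The log format
(one constructed key=value line per event), the thresholds and the window
are assumptions to be tuned for a real application.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one brute-force run, one spray, one normal user.
SAMPLE_LOG = """\
2018-01-15T09:00:01Z event=login_failed user=alice src=203.0.113.7
2018-01-15T09:00:04Z event=login_failed user=alice src=203.0.113.7
2018-01-15T09:00:07Z event=login_failed user=alice src=203.0.113.7
2018-01-15T09:00:10Z event=login_failed user=alice src=203.0.113.7
2018-01-15T09:00:13Z event=login_failed user=alice src=203.0.113.7
2018-01-15T09:00:16Z event=login_success user=alice src=203.0.113.7
2018-01-15T09:01:00Z event=high_value_txn user=alice src=203.0.113.7 amount=9500
2018-01-15T09:05:00Z event=login_failed user=bob src=198.51.100.23
2018-01-15T09:05:02Z event=login_failed user=carol src=198.51.100.23
2018-01-15T09:05:04Z event=login_failed user=dave src=198.51.100.23
2018-01-15T09:05:06Z event=login_failed user=erin src=198.51.100.23
2018-01-15T09:30:00Z event=login_failed user=frank src=192.0.2.10
2018-01-15T09:30:20Z event=login_success user=frank src=192.0.2.10
2018-01-15T09:31:00Z event=high_value_txn user=frank src=192.0.2.10 amount=7200
"""

WINDOW = timedelta(minutes=10)   # sliding window per source address
FAIL_THRESHOLD = 5               # failures from one source: brute force
SPRAY_THRESHOLD = 4              # distinct users from one source: spraying
SUCCESS_AFTER_FAILURES = 3       # prior failures before a success: suspicious
HIGH_VALUE = 5000                # amount above which a txn needs a clean session


def parse_line(line: str) -> dict:
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines) -> list:
    """Return alert strings, in the order the triggering events were seen."""
    alerts = []
    failures = defaultdict(deque)   # src -> deque of (ts, user) within WINDOW
    alerted = set()                 # (rule, src) pairs already reported
    suspicious_users = set()        # users whose last login followed failures
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ts, src, user, kind = ev["ts"], ev["src"], ev["user"], ev["event"]
        window = failures[src]
        while window and ts - window[0][0] > WINDOW:   # expire old failures
            window.popleft()
        if kind == "login_failed":
            window.append((ts, user))
            if len(window) >= FAIL_THRESHOLD and ("brute", src) not in alerted:
                alerted.add(("brute", src))
                alerts.append(f"BRUTE_FORCE src={src} failures={len(window)}")
            users = {u for _, u in window}
            if len(users) >= SPRAY_THRESHOLD and ("spray", src) not in alerted:
                alerted.add(("spray", src))
                alerts.append(f"PASSWORD_SPRAY src={src} distinct_users={len(users)}")
        elif kind == "login_success":
            prior = sum(1 for _, u in window if u == user)
            if prior >= SUCCESS_AFTER_FAILURES:
                suspicious_users.add(user)
                alerts.append(f"SUCCESS_AFTER_FAILURES user={user} src={src} prior_failures={prior}")
            else:
                suspicious_users.discard(user)   # clean login clears the flag
        elif kind == "high_value_txn":
            amount = int(ev.get("amount", "0"))
            if amount >= HIGH_VALUE and user in suspicious_users:
                alerts.append(f"HIGH_VALUE_TXN_AFTER_SUSPICIOUS_LOGIN user={user} amount={amount}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each rule depends on a different field being logged: brute force and spraying need the source address on failed logins, the success rule needs failures and successes in one stream, and the transaction rule needs the user's login history to be joinable with the transaction record. Drop any one of those fields at logging time and the corresponding detection is impossible later, which is the practical meaning of "insufficient logging".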
For each of the new issues above, the answer is a proactive approach to web application security: a control that only reacts once the exploit has landed is too late. It is to be hoped that the 2017 OWASP Top Ten raises awareness of the risks organisations face in 2018 and encourages them to put effective, proactive practices in place to mitigate these online dangers.