Monday 19 April 2010

No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010

OWASP have released their 2010 “top 10” Application Security Risks. Topping the list (again) is the “Injection” risk. People involved in both application security and database security will not be surprised. The world is awash with applications that have each been poorly engineered in their own individual manner. It is an easy mistake to make, but very difficult to rectify without good tools and technologies to deploy.

Comparing this year’s results with those from 2007 shows that the top three risks remain unchanged: 1. Injection; 2. Cross-Site Scripting (XSS); 3. Broken Authentication and Session Management. New entrants to the list are Security Misconfiguration, ranked sixth, and Unvalidated Redirects and Forwards, coming in at the bottom of the list.

It is interesting that security misconfiguration is a rising risk. It seems that system owners are at least trying to use security features, but are failing to get them right. Getting any security system just right without disturbing the business is notoriously difficult.

Even more difficult is retrofitting security into an enterprise application environment which has a complex array of components – each tailored to the business. Good application security requires strong knowledge of how the application operates, combined with the ability to accurately prevent (or block) out-of-policy interactions. For example, protecting a database from a poorly written web-facing application requires a firewall that can determine that a query is inappropriate and stop it from ever reaching the database.
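One way such a firewall can make that determination, shown here as an added illustration that is not from the original post or from any product it alludes to: reduce every statement to its structural fingerprint and allow only the shapes learned from the application's own known-good queries. The table, column names and sample queries below are constructed for the example.

```python
import re

# Patterns for the parts of a statement that carry values rather than structure:
# string literals (with '' escapes), numeric literals, and SQL comments.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', comments and
    surplus whitespace are dropped, keywords are lower-cased. Two statements
    that differ only in the values they carry share a fingerprint."""
    s = _STRING.sub("?", sql)   # strings first, so '--' inside a literal is not a comment
    s = _COMMENT.sub(" ", s)
    s = _NUMBER.sub("?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


class QueryFirewall:
    """Allow-list policy: only statement shapes learned from the application's
    own, known-good queries are permitted to reach the database."""

    def __init__(self, known_good):
        self.allowed = {fingerprint(q) for q in known_good}

    def check(self, sql: str) -> bool:
        """True if the statement may pass, False if it should be blocked."""
        return fingerprint(sql) in self.allowed


# Constructed sample: the shapes the web application legitimately issues.
KNOWN_GOOD = [
    "SELECT id, role FROM users WHERE name = 'alice' AND active = 1",
    "SELECT id, role FROM users WHERE name = 'O''Brien' AND active = 1",
]

# Constructed sample: the same query as emitted by string concatenation when
# the 'name' field carries the textbook tautology input; its shape has changed.
TAMPERED = "SELECT id, role FROM users WHERE name = '' OR 1=1 --' AND active = 1"

if __name__ == "__main__":
    fw = QueryFirewall(KNOWN_GOOD)
    print(fw.check("SELECT id, role FROM users WHERE name = 'bob' AND active = 1"))  # True
    print(fw.check(TAMPERED))  # False
```

The allow-list is only as complete as the learning set, and a regex fingerprint is a heuristic rather than a full SQL parser; it is a second line of defence behind parameterised queries in the application itself.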

One does not need a crystal ball to forecast next year’s winner of the list!