As a security engineer who has spent the majority of my career in AppSec, it’s always curious to me as to why we keep seeing the same vulnerabilities over and over again in pentests, especially when testing new applications. In theory, due to being well-documented and understood, high severity vulnerabilities such as Cross-site Scripting (XSS) and SQL Injection (SQLi) should be close to obsolete, however, as anyone in AppSec can tell you it’s never a major flaw that drags the industry down, it’s death by a thousand vulnerabilities. Due to these vulnerabilities being frequently flagged by automated scanners and often discovered as false positives, developers become desensitized to these alerts and often ignore them.
The root cause of these issues is in part due to how developers are learning (or not learning) about security in college, boot camps, or even the workplace. When I asked a few people recently who have gone through coding boot camps, this is what they said: “In most coding bootcamps, you learn to build fast and ship features. Security is often an afterthought, if it’s taught at all. The focus is on making things work, not on making them secure.”
These issues are not surprising when the emphasis is only put on shipping code that works. To remedy the security conundrum, organizations slap a DAST/SAST scanner on the code and hope for the best. These tools can either be not configured or tuned correctly, or not a fit for the organization, which results in noise that gets ignored. As a pentester, so many of the vulnerabilities I see should have been caught by a scanner or through a manual code review upstream before the application was deployed.
What can we do as an industry? First, create secure coding standards that are adhered to in your company. Next, find appropriate tools that are fine tuned for your application and environment. Finally, leverage pentests to learn from your mistakes and educate your teams on business logic and code flaws that could make an application vulnerable to attack.
Here are some of the most common vulnerabilities I see and ways to think about fixing them.
1. Broken Access Control
Broken access control remains one of the most critical and prevalent vulnerabilities. This occurs when users can access resources or perform actions beyond their intended permissions. Modern software should implement robust access control mechanisms, including:
- Enforcing the principle of least privilege
- Implementing role-based access control (RBAC)
- Utilizing robust server-side access control checks
- Thorough testing of access control logic
2. Injection Flaws
Injection vulnerabilities, particularly XSS and SQLi, continue to be a major threat. Modern applications should protect against injection attacks by:
- Using parameterized queries or prepared statements
- Leveraging an up-to-date Object-Relational Mapping (ORM) framework
- Implementing input validation and sanitization on untrusted input
- Employing contextual output encoding on user controlled content
- Utilizing a carefully tuned Content Security Policy (CSP) header
- Using modern web frameworks with built-in XSS protections
3. Security Misconfiguration
Security misconfigurations are common but easily preventable. Modern software development practices should include:
- Automated and manual security configuration checks
- Regularly conduct security audits and pentests
- Keeping all software and systems up-to-date with the latest security patches
- Implementing proper error handling to prevent information exposure through error messages
4. Cryptographic Failures
Inadequate encryption and poor key management continue to expose sensitive data. Modern applications should:
- Use strong, up-to-date encryption algorithms and protocols
- Implement proper key management practices
- Ensure all cryptographic operations are performed server-side
- Use secure hashing algorithms for password storage
- Use standard cryptographic libraries and avoid custom implementations
5. Insecure Design
Insecure design practices lead to vulnerabilities that are difficult to fix post-development. Modern software development should incorporate:
- Threat modeling during the design phase
- Security-focused code reviews on new code
- Regular security training for developers
- Integration of security throughout the software development lifecycle (SDLC)
We as an industry need to address these common weaknesses. Organizations can significantly improve the security posture of their modern software applications while also meeting tight release windows or new feature deadlines with consistent and supported changes. Let’s begin by implementing security best practices from the design phase to deployment and develop robust and secure software for today’s modern development environment and ever changing attack surface.
Sources:
[1] https://dev.to/bytehide/top-10-application-security-vulnerabilities-in-2024-1m9l
[2] https://www.bytehide.com/blog/application-security-vulnerabilities
[3] https://complexsecurity.io/portswigger-academy/portswigger-access-control
[4] https://www.dts-solution.com/injection-flaws/
[5] https://echeloncyber.com/intelligence/entry/hackers-perspective-web-app-vulnerabilities-detailed-error-messages
[6] https://www.synack.com/blog/preventing-cryptographic-failures-the-no-2-vulnerability-in-the-owasp-top-10/
[7] https://medium.com/@shivamsharma.ss484/owasp-a04-2021-insecure-design-34ef11e83e6f
[8] https://thecyberexpress.com/what-are-vulnerabilities/
