Cybersecurity and OWASP in an Increasingly Digital World

4 years ago Tripwire Guest Authors

As the world increasingly moves to a digital format, cybersecurity is becoming more important than ever. It’s especially significant since, according to a recent survey by Sophos, 51% of businesses in America experienced a ransomware attack in 2020. That’s a staggering number of security vulnerabilities that truly shouldn’t exist in the modern day and age. Yet, it’s relatively understandable.

The push for apps hitting the market quickly has become a driving factor in a lot of development teams, and sometimes, that means that cybersecurity takes a back seat. In fact, this is why a lot of companies have begun adopting the DevOps model with the hope that they can not only overcome security and compliance challenges but also release a product within a tight deadline.

Application Security

Fundamentally, the issue of application security is multi-faceted, with a variety of techniques, philosophies, and certifications that can be applied to make all applications safer. 

For example, take the recent update to MITRE’s Common Weakness Enumeration (CWE), which itself was built on the incredibly popular ATT&CK Framework. Sponsored by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the whole purpose is to categorize security weaknesses and vulnerabilities with the hope of understanding the specific flaws of each category and how to mitigate them. In fact, CWE has over 600 categories, with everything from buffer overflow to cross-site scripting and even race conditions. 

This update could not have come at a better time, especially since some experts predict that cyberattacks will escalate given the massive increase in both remote work and the Internet of Things (IoT). This is exactly why an understanding of cybersecurity is not optional for these companies, as hacking tools are becoming more commonplace. Any tool that connects to the web needs some form of cyber resilience.

In fact, it’s this distinction between cyber resilience and cybersecurity that companies often get wrong. It’s not a choice between one or the other, and it’s not enough to simply throw as many coding standards as possible at the problem. Instead, companies and developers must develop applications with cyber resilience in mind such as using Continuous Integration / Continuous Delivery (CI/CD) pipelines to code with fewer vulnerabilities or using more reliable web hosting.

Web & Cloud Security

As you can imagine, a lot of the modern world is hosted in the cloud, and therefore, cloud security plays a big part in ensuring that data stays safe. In fact, cloud-hosted application security has become a problem, especially since there often isn’t a cloud-specific DevSecOps person on hand to make sure that the application is safe from potential outside vulnerabilities.

Thankfully, there are security frameworks, such as the cloud security principles of the UK National Cyber Security Centre (NCSC), which set out easy-to-follow rules on how to approach security for the cloud. Actions such as protecting data in transit, authentication, customer separation, and ensuring the customer is using the service securely are all basic concepts that can significantly increase cybersecurity and resilience.

Security responsibility also includes website security standards. There are several ways to protect and secure website infrastructure such as edge protection and using a secure web gateway. 

What tends to interfere with better website security is work such as performance optimization, which may make a website more responsive but, when done without a security mindset, can lead to a lot of problems.

A major contributing factor to the lack of web security is the absence of overall availability and experience of developers in this field. In fact, according to a recent survey, nearly 60% of developers have less than five years of experience, which can sometimes make it difficult for companies to keep up with not only the most modern techniques but also some of the more skilled malicious actors out there.

The Importance of OWASP

Clear and simple standards matter most when dealing with overly complicated code. Sometimes, in the drive to make sure that code is secure, developers forget to also take into account the best practices of application development, especially considering the immense time pressures they are under.

This is where the Open Web Application Security Project (OWASP) becomes a valuable guide. OWASP is a set of strict guidelines and criteria for application security. The OWASP checklist helps developers more easily integrate the recommended security standards while also helping to avoid coding flaws that can compromise security.

While OWASP is quite large in terms of how it goes about ensuring standards, here’s a quick look at the different methods it uses:

  • Output Encoding: Any information entered by a user is a possible attack vector and has to be encoded before it is written back out. This means output needs to be contextually sanitized using a standard encoding routine. In fact, .NET Core has output encoding built in.
  • Input Validation: It’s important to make sure that data input by a user is valid and doesn’t allow for any form of attack. This often takes the form of checking against a variety of lists to make sure that input data is either secure or not going to lead to some form of injection attack.
  • Session Management: Ensuring the ability to handle several connections to a web app at the same time is vital to security. This is where HTTP session handling, along with techniques such as generating new session IDs on re-authentication and enforcing session inactivity timeouts, plays a role.
  • Cryptographic Practices: As with anything on the web, it is extremely important to maintain strict confidentiality and integrity of the data. Good cryptographic practices, including secure failure of cryptographic modules, policies for cryptographic key management, and the use of a trusted implementation, are essential to achieve this.
  • Communication Security: Man-in-the-middle attacks are much too common, and this is where it’s important to make sure that not only is the data secure from outside interception but that it’s also easily understandable by the authorized receiver. A strong implementation of TLS is important, along with the appropriate configuration of the protocol.
  • Database Security: Valid database credentials and turning off unnecessary features are paramount to ensuring database security standards.
  • Memory Management: With a variety of memory-leak-related security breaches recently, it’s important to keep memory at the forefront of security considerations. For example, a buffer overflow can be a huge security hole, and the same applies to relying on garbage collection to release resources such as connection objects and file handles.

Given that there is often a disconnect between the most recent technologies and current skill levels, it can be important to get back to the basics when it comes to programming and cybersecurity. 

Keeping up to date with encryption standards is an important task that a lot of SecOps professionals might overlook or feel too busy to do. Similarly, keeping code simple is often something that more experienced developers tend to forget, and this can cause issues down the line for everybody involved.

Conclusion

Cybersecurity is a multi-faceted problem that is only getting worse as digital services continue to take over the world. That being said, it’s not necessarily the end of the world, and good cybersecurity is definitely achievable, especially with the easy availability of standards such as those offered through OWASP. 

It’s also important to consider the specific skill set of security developers. Make sure to not only maintain their security credentials but to also help them to grow professionally. The aim is always to be innovative rather than reactionary when it comes to security.


About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “Cybersecurity and OWASP in an Increasingly Digital World” appeared first on TripWire.

Source:TripWire – Tripwire Guest Authors
