I was listening to a podcast a few weeks ago, and the host mentioned that he had been reviewing the show when he realized he had accidentally been listening to an episode that was over a year old. The confusion arose because, during the news segment, all of the stories were the same as in the most recent episodes: multiple Java vulnerabilities had been disclosed, data breaches due to SQL injection had occurred, etc.
Last week, the Open Web Application Security Project (OWASP) released further evidence that the vulnerabilities of years past are the same as they are today. OWASP released the 2013 edition of the Top 10 Web Application Vulnerabilities. Below is the list, with a comparison to the 2010 Top 10:
- A2 Broken Authentication and Session Management (was formerly 2010-A3)
- A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly 2010-A6)
- A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
- A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
- A9 Using Components with Known Vulnerabilities (new, but was part of 2010-A6 Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
As you can see, the changes to the Top 10 list are minimal with only a few attack vectors swapping places. A simple Google search will display millions of websites that are potentially vulnerable to the most common exploit, SQL injection.
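Since SQL injection is the exploit the post singles out, here is an added example (not from the original post or from OWASP) showing the defect beside its fix. It uses Python's built-in `sqlite3` module with a constructed in-memory user table; the function names and the sample rows are assumptions for illustration. The vulnerable version builds the statement by string formatting, so quoting characters in user input become part of the SQL grammar; the fixed version uses bound parameters, so the same input is only ever compared as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # DEFECT: untrusted input is concatenated into the statement text, so a
    # quote character in the input closes the literal and the rest of the
    # input is parsed as SQL.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # FIX: placeholders. The statement text is fixed at development time and
    # the driver passes the values separately, so input can never change the
    # query's structure, whatever characters it contains.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    # Constructed inputs: a correct credential pair, and a password value that
    # contains a quote character so that the concatenated query's WHERE clause
    # no longer means what the developer intended.
    conn = make_db()
    quoted_input = "' OR '1'='1"
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bad": login_vulnerable(conn, "alice", quoted_input),  # wrongly True
        "safe_good": login_safe(conn, "alice", "correct horse"),
        "safe_bad": login_safe(conn, "alice", quoted_input),  # correctly False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the output is that the fix is not input filtering: `login_safe` passes the same characters through unchanged and still returns `False`, because with parameters the database never interprets them. Any code path that still formats values into SQL text (ORDER BY columns, table names, LIKE patterns) needs the same review, since placeholders only cover values.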
Ask yourself: “Am I vulnerable?” If so, do you know how to fix it? Don’t go through the process alone. Contact Reclamere today!