
10 Common Web Application Security Mistakes

Posted December 4, 2018 · 4 min read

From the biggest data breaches and cyber-attacks of the past decade, it is quite clear that small and careless mistakes and lapses in web application security turn out to be dangerous. Even big players have faced heavy losses as a result of such attacks, not just monetarily but in terms of customers, trust, brand image, and goodwill.

We have compiled a list of the 10 most dangerous website security mistakes that you must avoid.

1. Invalid inputs

By not validating what content and inputs get uploaded, the website is left vulnerable to injection attacks such as cross-site scripting (XSS), SQL injection, command injection, and other such attacks. Inputs must be validated on both the server and browser sides. Often, organizations validate inputs only on the browser side because it is easy, and fail to validate them on the server side; browser-side checks are trivially bypassed, so malicious or malformed data and scripts end up running against the website and its databases.

2. Irregular or no website security scans

The importance of regular website security scanning cannot be stressed enough. It is only through regular scanning that we can find vulnerabilities and gaps that exist, and accordingly, fix them. Organizations often make the cardinal error of not scanning their websites every day and after major changes to the business policies, systems, etc.

3. Authentication and permissions

  • Weak root or admin passwords on the server side, such as admin, 1234, or other commonly used words. These can be easily cracked using password-cracking programs, and once the password is cracked, the website is compromised.
  • Not enforcing a strong password policy and multi-factor authentication for the website's users. When the website allows users to keep default passwords, allows weak passwords without password expiry, and relies solely on passwords for security, the organization is making itself vulnerable to breaches and attacks.
  • Granting administrator permissions and privileges indiscriminately to end-users and external entities makes the website vulnerable.
  • Changing folder and file permission structures based on poor advice from the internet to make a permission error go away, which opens the website up for anyone to change its structure, modify code, and run malicious programs.
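The last item is easy to check for mechanically. The block below is an added example (not from the original post): it walks a web root, reports every regular file or directory that is writable by "other", and offers a `harden` helper that strips group and world write bits. The `demo` function builds a small constructed web root in a temporary directory, with one file deliberately set to 0777, so the scan has something to find; it assumes a POSIX filesystem where these mode bits are meaningful.

```python
import os
import stat
import tempfile


def find_world_writable(root: str) -> list:
    """Return paths (relative to root) of files and directories that anyone can write to."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for entry in entries:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; the target is checked in its own place
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(entry, root))
    return sorted(hits)


def harden(path: str) -> int:
    """Remove group and world write permission from one path; returns the new mode bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, new_mode)
    return new_mode


def demo() -> tuple:
    """Constructed web root: one sane file, one file that was chmod 777'd to 'fix' an error."""
    root = tempfile.mkdtemp(prefix="webroot_")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    good = os.path.join(root, "index.php")
    bad = os.path.join(uploads, "config.php")
    for p in (good, bad):
        open(p, "w").close()
    os.chmod(root, 0o755)
    os.chmod(uploads, 0o755)
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)   # the mistake described in the post
    before = find_world_writable(root)
    for rel in before:
        harden(os.path.join(root, rel))
    after = find_world_writable(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run the scan from a deploy hook or a cron job and treat any hit as a finding; the fix is to give the web server's user (and only that user) write access to the specific directories it needs, not to widen the whole tree.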

4. Unconsolidated security measures

It often happens that organizations and web developers do not think of website security in a holistic manner and therefore adopt unconsolidated security measures. For instance, they may employ a web security scanner but not a Web Application Firewall (WAF). The vulnerabilities and gaps are then identified effectively by the scanner, but the website is left exposed until the vulnerabilities are fixed (which takes over 100 days even for critical vulnerabilities), or the developers focus on patching the website instead of fixing the underlying vulnerabilities.

5. Homegrown security methods and algorithms

Based on the flawed assumption that homegrown/self-developed algorithms and methods are better, and safer because attackers are unfamiliar with them, developers employ these homegrown and ‘authentic’ security measures. This only increases the probability of vulnerabilities and gaps that can be easily detected by attackers and the bots they employ. It is always better to use well-tested methods and algorithms.

6. Outdated software, components with known vulnerabilities, and unnecessary/unwanted components

Updates contain critical patches, and by not updating software regularly we are simply sending out invitations to attackers (who continuously snoop around for loopholes and security lapses) to orchestrate breaches. Old and unwanted files, applications, databases, etc. that are not cleaned out of the website create entry points for attackers.

Developers using components that are known to have vulnerabilities, such as unpatched third-party software, outdated plug-ins, open-source components, and uninspected copy-pasted code, likewise make the website insecure, weak, and susceptible to attacks.

7. Not tested on a regular basis

While website scanning needs to be done every day and after major changes, it is not sufficient. It is essential to test every bit of code, software, update, and component that goes onto the website. Also, quarterly penetration testing and security audits by certified security experts are a must. This will ensure that your website is secure and that your users are well-protected.

8. Unencrypted sensitive data

One of the most dangerous mistakes committed by organizations is not encrypting sensitive data such as personal information, credit card and banking details, passwords, etc. at all times (in transit, at rest, and in storage). By not encrypting all sensitive data and keeping it in plain text format, we are simply increasing the risk of exposure.
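Passwords are the one item in that list that should not be stored in a recoverable form at all: the standard protection is a salted, slow one-way hash, so that a leaked table still cannot be turned back into passwords. The block below is an added example (not from the original post) that serves both this section and the weak-password items under mistake 3: it enforces a minimum password policy, including the `admin` / `1234` style defaults named above, and stores and verifies passwords with `hashlib.scrypt` from the standard library. The denylist and the storage string format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample denylist; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"admin", "1234", "password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12

# scrypt cost parameters (example values): 128 * n * r bytes of memory, here 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_password_policy(username: str, password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str) -> str:
    """Produce a self-describing record: algorithm, parameters, random salt and derived key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(dk_hex)))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def register(username: str, password: str) -> str:
    """Apply the policy, then store only the hash record (never the password itself)."""
    problems = check_password_policy(username, password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = register("webadmin", "correct-horse-battery-staple")
    print(record)
    print(verify_password("correct-horse-battery-staple", record))
```

Storing the parameters alongside the hash lets you raise the cost later and re-hash users transparently at their next login, and `hmac.compare_digest` avoids leaking timing information during verification.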

9. Missing function level access control

When sensitive request handlers have insufficient or non-existent authentication checks, the resulting vulnerability is known as missing function level access control. For example, an unauthorized entity can access a URL that exposes sensitive information or hidden functionality because no check has been put in place; an unlinked or "hidden" URL is not a control. The impact of this vulnerability ranges from access to unimportant information to complete takeover of the website by attackers.
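The fix is to enforce the check centrally and deny by default, so that a handler cannot be reached without a policy having been declared for it. The block below is an added example (not from the original post): a minimal request dispatcher in which every route is registered with an explicit access rule, and the dispatcher refuses anonymous or under-privileged callers before the handler runs. The routes, roles and users are constructed for the example; in a real framework the same idea is usually a middleware or a decorator on each view.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional


class Unauthenticated(Exception):
    """No identity was presented for a route that requires one (HTTP 401)."""


class Forbidden(Exception):
    """An identity was presented but lacks the required role (HTTP 403)."""


@dataclass
class Request:
    path: str
    user: Optional[dict] = None   # None = anonymous; else {"name": ..., "roles": set()}


@dataclass
class Route:
    handler: Callable
    public: bool = False           # explicit opt-in; everything else needs a login
    roles: frozenset = field(default_factory=frozenset)  # empty = any logged-in user


ROUTES: Dict[str, Route] = {}


def route(path: str, public: bool = False, roles=()):
    """Register a handler together with its access rule; there is no way to register without one."""
    def decorator(fn):
        ROUTES[path] = Route(fn, public=public, roles=frozenset(roles))
        @wraps(fn)
        def wrapper(*a, **kw):
            return fn(*a, **kw)
        return wrapper
    return decorator


def dispatch(req: Request):
    """Central enforcement point: the access rule is checked before any handler code runs."""
    if req.path not in ROUTES:
        raise KeyError(f"no route for {req.path}")
    r = ROUTES[req.path]
    if not r.public:
        if req.user is None:
            raise Unauthenticated(req.path)
        if r.roles and not (r.roles & set(req.user.get("roles", ()))):
            raise Forbidden(req.path)
    return r.handler(req)


# Constructed handlers for the example.
@route("/", public=True)
def home(req):
    return "welcome"


@route("/account")
def account(req):
    return f"account of {req.user['name']}"


@route("/admin/users", roles={"admin"})
def admin_users(req):
    return ["alice", "bob"]   # sensitive: only reachable through dispatch() with the admin role


if __name__ == "__main__":
    print(dispatch(Request("/", user=None)))
    print(dispatch(Request("/admin/users", user={"name": "root", "roles": {"admin"}})))
```

Because `dispatch` is the only way requests reach handlers, forgetting to annotate a route makes it login-only rather than open, which is the safe failure; contrast this with the mistake the section describes, where each handler is expected to remember its own check and the one that forgets is silently public.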

10. Lax attitude towards website security

This is the most dangerous of all website security mistakes. The top management must have a proactive attitude towards website security, investing wisely for the right purposes, developing a sound cybersecurity strategy, and honing a culture of proactivity and preparedness within the organization as well. Silos must be broken, and critical information must be seamlessly shared across departments.

Employing an intelligent, comprehensive, and managed website security solution like AppTrana is a definite way forward. AppTrana takes a 360-degree view of web application security and provides round-the-clock, end-to-end website security with assured zero false positives through everyday scanning of the website, blocking malicious/bad requests by patching application-layer vulnerabilities until they are fixed, continuously monitoring for DDoS attacks, analyzing attack patterns, and so on. It combines the power of technology and automation with the irreplaceable human expertise of certified security professionals to secure your website while you concentrate on your core business activities.

Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn.


Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.
