In this second part of Tag1 Consulting’s Open Web Application Security Project (OWASP)-based security training, you’ll learn more about the top ten vulnerabilities identified by the OWASP project. Also included at the end of this section are some general database and infrastructure suggestions and recommendations to consider as part of your overall project management.

See Part 1 of these trainings: https://www.tag1consulting.com/owasp-videos-1-5.

The second part of our security trainings includes the following vulnerabilities:

Security Misconfiguration (#6)

Many other security vulnerabilities really fit under this category: failing to check your data, your code, your defaults, and so on is ultimately a misconfiguration. These flaws generally arise in one of two ways: accidentally, when best practices are not followed, or by inheritance from a legacy system, a configuration management module, or a package that is added to the system. Inherited misconfigurations can be very difficult to find, and audits in particular may miss vulnerabilities that originate in third party configuration rather than in your own code.

Cross-Site Scripting (XSS) (#7)

Cross-Site Scripting (XSS) is a type of injection attack in which malicious scripts are injected into otherwise trusted websites. It is distinct from Cross-Site Request Forgery (CSRF), which abuses a logged-in user’s existing session rather than injecting code into a page. XSS occurs when an attacker gets malicious code, usually a browser-side script, into a web application’s output so that it runs in a different user’s browser with that user’s privileges and session. Phishing emails carrying crafted links are a common delivery vector for reflected XSS.
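
The following is an added example, not code from the Tag1 training or from Drupal core. It shows the reflected XSS pattern described above in a plain PHP page, the context-aware output encoding that prevents it, and why encoding alone is not enough for URLs. The function names and the payload are constructed for illustration.

```php
<?php
// Added example (not from the Tag1 training): reflected XSS in a PHP page
// and the context-aware output encoding that prevents it.
declare(strict_types=1);

// Vulnerable: user input is copied straight into the HTML response.
// ?name=<script>...</script> executes in the browser of whoever follows the link.
function greet_unsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: encode for the HTML body context. ENT_QUOTES also encodes ' so the
// same helper is safe inside quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function greet_safe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// Encoding depends on context. Data dropped into a <script> block needs JSON
// encoding with the HTML-safe flags; HTML entities do not help there.
function user_as_js(array $user): string
{
    $json = json_encode(
        $user,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var user = $json;</script>";
}

// Attribute context: always quote the attribute and encode the value, so a
// value such as x" onmouseover="alert(1) cannot break out of the quotes.
// Encoding does not stop javascript: URLs, so the scheme is constrained too.
function link_safe(string $href, string $label): string
{
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        $href = '#';
    }
    return '<a href="' . e($href) . '">' . e($label) . '</a>';
}

// Constructed payload, the kind of value a phishing link would carry in a query string.
$payload = '<script>alert(document.cookie)</script>';
echo greet_unsafe($payload), PHP_EOL;   // script tag reaches the browser intact
echo greet_safe($payload), PHP_EOL;     // rendered as visible text instead
echo link_safe('javascript:alert(1)', 'click" onmouseover="alert(1)'), PHP_EOL;
echo user_as_js(['name' => '</script><script>alert(1)</script>']), PHP_EOL;
```

In Drupal 8 and later, Twig autoescapes template variables, so the same discipline matters mainly where code bypasses it: the |raw filter, manual string concatenation in PHP, and any legacy Drupal 7 code that builds HTML by hand.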

Insecure Deserialization (#8)

While this type of flaw can be hard to create or to detect, it poses a very real threat to your website. Insecure deserialization of attacker-controlled data can lead to remote code execution on the web server, as in Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003. These attacks tend to be fairly limited in scope, because they depend on a specific code path that deserializes untrusted input, but their implications are wide-ranging once such a path exists. Ensuring the integrity of your data and of your data handling, and never turning untrusted input into arbitrary objects, is key to preventing them.
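
The following is an added example, not code from the Tag1 training or from the Drupal advisory cited above. It shows why PHP’s unserialize() on attacker-controlled bytes is dangerous, and two ways to avoid it: refusing to instantiate classes, and switching to a data-only format with explicit validation. It also shows the integrity check the paragraph refers to, as an HMAC over anything you must serialize yourself. The TempFileCleaner class, the payload, and the signing key are hypothetical and constructed for illustration; it assumes PHP 8.

```php
<?php
// Added example (not from the Tag1 training or Drupal core): why unserialize()
// on attacker-controlled input is dangerous, and how to avoid it.
declare(strict_types=1);

// Any loaded class with a magic method is a potential "gadget". The attacker
// never calls this method; PHP does, when the object is destroyed.
// Hypothetical class for illustration.
final class TempFileCleaner
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // Legitimate purpose: remove a temp file. Under attacker control,
        // $path is whatever the serialized bytes say it is.
        echo "would unlink {$this->path}", PHP_EOL;
    }
}

// A serialized payload is just a string; the attacker picks the class name and
// every property value. Constructed here; in practice it arrives in a cookie,
// a REST body or a hidden form field.
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:23:"/var/www/html/index.php";}';

// Vulnerable: the gadget class is instantiated and its __destruct() runs.
function load_unsafe(string $data): mixed
{
    return unserialize($data);
}

// Mitigation 1: refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function load_restricted(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Mitigation 2 (preferred for untrusted input): a data-only format plus
// explicit shape validation. JSON cannot say "instantiate this class".
function load_json(string $data): array
{
    $decoded = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !isset($decoded['path']) || !is_string($decoded['path'])) {
        throw new UnexpectedValueException('unexpected structure');
    }
    return $decoded;
}

// Integrity: sign anything you serialize yourself and verify it before
// unserializing. Assumed secret for the example; load it from config in practice.
const SIGNING_KEY = 'replace-with-a-random-32-byte-secret';

function seal(string $serialized): string
{
    return hash_hmac('sha256', $serialized, SIGNING_KEY) . '.' . base64_encode($serialized);
}

function unseal(string $sealed): mixed
{
    [$mac, $b64] = explode('.', $sealed, 2) + [null, null];
    $serialized = base64_decode((string) $b64, true);
    if ($serialized === false || !hash_equals(hash_hmac('sha256', $serialized, SIGNING_KEY), (string) $mac)) {
        throw new RuntimeException('tampered payload');
    }
    // Even with a valid signature, keep the allowlist to the types you expect.
    return unserialize($serialized, ['allowed_classes' => false]);
}

$obj = load_restricted($payload);
echo get_class($obj), PHP_EOL;   // an incomplete-class placeholder; no magic method ran
load_unsafe($payload);           // the gadget's __destruct() fires on the attacker's path

$sealed = seal(serialize(['user' => 42]));
var_dump(unseal($sealed));
try {
    unseal(substr_replace($sealed, 'X', -1));  // one flipped character fails verification
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The rule of thumb the example encodes: unserialize() is only acceptable on bytes your own application produced and whose integrity you can verify; anything that crosses a trust boundary should be parsed as data (JSON, with validation), not rebuilt as objects.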

Using Components with Known Vulnerabilities (#9)

Modern web applications have large numbers of dependencies. Between Drupal core and contributed modules, the PHP libraries they pull in, operating systems, and the surrounding infrastructure, there are many attack vectors for known vulnerabilities. This talk discusses how to know whether your Drupal installation is up to date, how to get notified about security updates, and how to check for known vulnerabilities (for example, Drupal’s Update Manager report and drush pm:security for core and modules, and composer audit for Composer-managed libraries).

Insufficient Logging and Monitoring, and General Infrastructure and Database Information (#10)

Logging and monitoring are two critical methods of detecting anomalies on your website. Logging is always useful: it helps you track changes and find mistakes, and it lets you spot unusual or unexpected activity. Central management of logs is critical both to having enough data to correlate events and to keeping a copy that an attacker on the web server cannot edit or delete. If you’re monitoring your website activity and logging your data, you have a much better chance of catching a compromised server. This talk discusses ways that logging and monitoring can be used, and ways they can be compromised.
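
The following is an added example, not code from the Tag1 training. It is a small anomaly check of the kind a central log pipeline would run over web server access logs: it parses Apache combined-format lines, flags requests for paths a Drupal site never serves (a typical scanner signature), and counts client errors and rejected login attempts per client per minute. The log lines are constructed for illustration, the thresholds and probe paths are assumed, and it assumes PHP 8.

```php
<?php
// Added example (not from the Tag1 training): a minimal anomaly check over
// Apache combined-format access logs.
declare(strict_types=1);

// Constructed sample log lines (RFC 5737 documentation addresses).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Mar/2019:12:00:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:12:00:02 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:12:00:03 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:12:00:03 +0000] "POST /user/login HTTP/1.1" 403 180 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:12:00:04 +0000] "POST /user/login HTTP/1.1" 403 180 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:12:00:04 +0000] "POST /user/login HTTP/1.1" 403 180 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:12:00:05 +0000] "GET /sites/default/files/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
LOG;

// Paths a Drupal site never serves; a request for one is almost always a scanner. Assumed list.
const PROBE_PATHS = ['/wp-login.php', '/.git/', '/.env'];

// Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
const LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m['ts']);
    return [
        'ip' => $m['ip'],
        'time' => $ts ? $ts->getTimestamp() : 0,
        'method' => $m['method'],
        'path' => $m['path'],
        'status' => (int) $m['status'],
        'ua' => $m['ua'],
    ];
}

// Returns a list of human-readable alerts. Unparseable lines are reported too:
// silently dropping them is how tampering and format changes go unnoticed.
function detect(string $log, int $errorThreshold = 3, int $loginThreshold = 3): array
{
    $alerts = [];
    $buckets = [];  // ip => minute => ['errors' => n, 'logins' => n]
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_line($line);
        if ($e === null) {
            $alerts[] = "unparseable line: $line";
            continue;
        }
        foreach (PROBE_PATHS as $probe) {
            if (str_starts_with($e['path'], $probe)) {
                $alerts[] = sprintf('%s probed %s (status %d, agent "%s")', $e['ip'], $e['path'], $e['status'], $e['ua']);
            }
        }
        $minute = intdiv($e['time'], 60);
        $b = &$buckets[$e['ip']][$minute];
        $b ??= ['errors' => 0, 'logins' => 0];
        if ($e['status'] >= 400 && $e['status'] < 500) {
            $b['errors']++;
        }
        if ($e['method'] === 'POST' && $e['path'] === '/user/login' && $e['status'] >= 400) {
            $b['logins']++;
        }
        unset($b);
    }
    foreach ($buckets as $ip => $minutes) {
        foreach ($minutes as $minute => $b) {
            $when = gmdate('Y-m-d H:i', $minute * 60);
            if ($b['errors'] >= $errorThreshold) {
                $alerts[] = sprintf('%s: %d client errors in the minute starting %s UTC (path enumeration?)', $ip, $b['errors'], $when);
            }
            if ($b['logins'] >= $loginThreshold) {
                $alerts[] = sprintf('%s: %d rejected logins in the minute starting %s UTC (credential stuffing?)', $ip, $b['logins'], $when);
            }
        }
    }
    return $alerts;
}

foreach (detect(SAMPLE_LOG) as $alert) {
    echo $alert, PHP_EOL;
}
```

This check is only meaningful when it runs over a copy of the log that the web server cannot rewrite. An attacker who has taken over the host can truncate the local access log, so ship lines off-host as they are written (syslog forwarding, or a log agent) and alert from the central copy; Drupal’s own watchdog entries (dblog or the syslog module) deserve the same treatment.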

Along with the vulnerabilities discussed above, these additional topics are important to website security. Audits can prevent pivots, where a malicious user takes some minor access and turns it into a larger access hole. Auditing your systems and enforcing least privilege, with internal and external boundaries for each user and system, narrows that pivot window.

Keeping your configuration in a configuration management system can be critical. Enforcing that configuration on your systems ensures they are consistent with each other and with what you expect, and makes any drift from the expected state visible.

External, off-site backups and monitoring of your systems ensure you can recover in the case of a catastrophic failure or major outage. Backups that have never been restored are untested; exercise the restore path as well.

Third party package managers come with few best practices attached. Using them without additional testing of your deployment process adds significant risk and security issues, because the packages may not be vetted before they reach production. Pinning exact versions, reviewing what a build actually pulls in, and working in a container environment can help mitigate these risks.

User uploads are another place where your server can be attacked. Many systems require a virus scan, but that mostly protects the end users who later download the files; the server itself is at risk when an uploaded file is executable code (for example a PHP script with an image extension) and is stored somewhere the web server will run it. Validate uploads on their content rather than their name, store them outside the document root, and scan the stored files on the server as well. Maldet (Linux Malware Detect) is a useful malware scanner for that purpose.
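
The following is an added example, not code from the Tag1 training or from Drupal’s file handling. It shows the server-side checks that keep an uploaded “image” from ever being served as executable code: an extension and MIME allowlist, content sniffing of the actual bytes, storage under a random name outside the document root, and a non-executable file mode. The allowlist, directory, and sample inputs are constructed for illustration, and it assumes PHP 8 with the fileinfo extension.

```php
<?php
// Added example (not from the Tag1 training): server-side validation and
// storage of user uploads.
declare(strict_types=1);

// Extension => acceptable sniffed MIME types. Hypothetical policy for a site
// that accepts images and PDFs only.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Decide whether the claimed name and the actual bytes are acceptable.
// Returns null when acceptable, otherwise the reason for rejection.
// Pure function, so it can be exercised without an HTTP request.
function validate_upload(string $originalName, string $bytes, int $maxBytes = 10 * 1024 * 1024): ?string
{
    if ($bytes === '' || strlen($bytes) > $maxBytes) {
        return 'empty or oversized file';
    }
    // Judge on the final extension only: "shell.php.jpg" is treated as jpg and
    // then judged on its content, while "shell.jpg.php" ends in php and is
    // rejected outright. The client-supplied Content-Type is never consulted.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "extension '$ext' not allowed";
    }
    // Sniff the real type from the bytes with libmagic.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'unknown';
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return "content type $mime does not match extension $ext";
    }
    return null;
}

// Store an accepted upload under a random name, outside the document root,
// without an execute bit. Apache-style multi-extension handling (shell.php.jpg
// executed as PHP) cannot apply to a file the web server never serves directly;
// hand it back through a controller that sets Content-Disposition and
// X-Content-Type-Options: nosniff. $file is one entry of $_FILES.
function store_upload(array $file, string $privateDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $bytes = file_get_contents($file['tmp_name']);
    if (($why = validate_upload($file['name'], $bytes)) !== null) {
        throw new RuntimeException("rejected: $why");
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($privateDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the application, executable by nobody
    // A scheduled scanner such as maldet over $privateDir catches what the
    // type check cannot, for example malicious content inside a valid PDF.
    return $dest;
}

// Constructed inputs: a PHP web shell given an image extension, the same bytes
// with a PHP extension, and a buffer carrying a genuine PNG signature.
$webShell = "<?php system(\$_GET['cmd']); ?>";
$pngLike  = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0DIHDR" . str_repeat("\x00", 13);

echo validate_upload('avatar.php.jpg', $webShell) ?? 'accepted', PHP_EOL;  // judged on content
echo validate_upload('avatar.jpg.php', $pngLike) ?? 'accepted', PHP_EOL;   // judged on extension
echo validate_upload('avatar.png', $pngLike) ?? 'accepted', PHP_EOL;
```

Drupal’s private file system (the private:// stream wrapper, served through a controller with access checks) is the framework’s way of achieving the “outside the document root” half of this; the content check and the out-of-band malware scan still have to be added by the site.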

Adopt an incident response plan. This ensures everyone knows what to do, and what to expect, when there’s an incident. An incident response checklist helps your team make sure that evidence such as logs, disk images, and the compromised code is preserved rather than wiped in the rush to restore the website to service.

Tag1 Consulting security services

Tag1 Consulting’s experts can help you prevent and mitigate security problems on your website like the ones discussed here. We provide several services, including: