Every time I do a course about penetration testing or secure coding, the most common question I get from my student is for example, Does SQL injection still work 2021? ...
Web application technology is one of the most popular and rising types of software used by companies in their daily business life. In addition, it is the most exposed surface for the public. In the last decade, most people have started noticing an increase in security threats affecting this technology, which leads them to ask the following question, why are web applications vulnerable?
Web applications could be vulnerable because of one or more of the following reasons:
In this blog post, I am going to explain in detail each one of these reasons while giving real-life examples. So if you are interested in knowing more about this question … just keep reading.
Web applications get attacked because creators make errors that allow attackers to access sensitive data or administrative rights to web applications and servers. Many organizations still not taking security seriously, which is for me the first reason for producing a vulnerable application.
In the process of developing any software, the very first step is the requirement definition. At this step, the development team discusses all the details of what the software would do and which aspects should be implemented in the app.
At this level, the client is the king and he is the one that can force his service provider to use security best practices in the development process and to use trained secure development teams. However, most companies do not use this right and only focus on creating the app’s business functionalities without thinking about the security aspects.
Therefore, this is for me the most important reason that leads to producing vulnerable applications, as a good requirement definition will influence the whole development process.
However, even the software development company shares a part of the responsibility as it should advise the client about this aspect and explain the importance of such things. This could be also beneficial for the development company, as it will help it include security aspect cost (in terms of time and money to implement them) in the whole project cost from the beginning.
The design step is one of the most critical phases in the software development life cycle, as a wrong design will result in a big money loss and buggy app. At this step, most application functionalities and security aspects should be discussed and validated.
For example, the broken access control vulnerabilities can easily be prevented if permissions security aspects are discussed at this level.
Unfortunately, due to the use of recent agile techniques to accelerate the production of new software, the security aspects are in most cases not discussed at this stage. Therefore, leading to some critical architecture-based vulnerabilities that need a lot of time to be fixed.
Training developers about security aspects and common vulnerabilities that can make in their source code are not enough. Humans tend to make errors even while doing tasks that are well mastered like for example driving cars.
Therefore, assisting them while developing source code to not perform errors by installing plugins that continually check vulnerabilities while the developers are coding is becoming necessary.
Moreover, performing an automated source code vulnerability detection scan at the end of the source code writing process is a very important task. This action can drastically reduce the number of vulnerabilities that can be found at the final stages of the development process.
Reducing the number of vulnerabilities at this level of the development process reduces the cost of fixing those vulnerabilities as the vulnerable source code snippet is easily identified in the source code.
Unfortunately, most powerful tools that can perform static code analysis to discover vulnerabilities with a very low false-positive rate are very expensive and not all development companies can afford it. However, many open source tools are available to at least detect some obvious vulnerabilities.
Here is a list of open source code vulnerability scanners:
Penetration testing is the process of testing the application functionalities both manually and automatically while it is running. Penetration testing is very different from a static code source scan and a dynamic application security test. In addition, many types of vulnerabilities cannot be discovered using static or dynamic automated checks as it needs an in-depth comprehension of the business logic.
Therefore, performing a penetration test at the end of the development process helps in reducing many complex vulnerabilities that can lead to phenomenal business loss.
To be honest, this sort of security check is becoming more and more adopted by clients who have ordered apps from their service providers to ensure they have put in place what it takes to secure their applications.
However, many software companies still see this sort of check as a negative judgment of their work. Even if it is totally not the case. A penetration test is performed to help developers make better and secure source code and developers help penetration testers to better understand the app. In other words, they complete each other.
This is the most influencing reason that may push companies to order less secure applications. Unfortunately, cybersecurity is still very expensive and not affordable for all clients. From buying vulnerability scanners to training employees to adopt a new secure development lifecycle to produce safe applications.
And this is what we are trying to fight here in getsecureworld.com. Even low-budget applications deserve to be secured against cyber-attacks, as the security of the whole world depends on its most weak part.
All applications should implement a certain level of security aspect and should be developed with security in mind. Having a low budget to develop an application should not by any means become equivalent to low security or vulnerable application.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).
todayNovember 1, 2022
Blockchain technology was indeed built with security in mind. This means that it is supposed to be very secure compared to other technologies. However, Blockchain technology suffers from some weaknesses [...]