TOP 10 SECURITY CHALLENGES IN WEB TECHNOLOGIES
Web application technology plays a major role in our regular daily activities like social networking, online shopping and transactions, email, and other web browsing activities. The Open Web Application Security Project (OWASP) has defined the most critical vulnerabilities that can affect web technologies such as the web server, the application, the frameworks used to build the application, and the server operating system.
Apart from the critical vulnerabilities identified by OWASP, a number of other security threats and challenges face web technologies, web application developers and testers.
STATE-SPONSORED ESPIONAGE:
State-sponsored espionage is one of the critical challenges for web technology. It highlights the need to protect critical web services and data from political, financial and state-sponsored attackers and threats. Critical web data and services include the information needed to run the web and network infrastructure as well as the intellectual property used to run the business.
DISTRIBUTED DENIAL OF SERVICE ATTACKS(DDOS):
DDOS attacks have become one of the major threats to the internet. Initially DDOS attacks were used to target networks; later the same attacks were used against web technologies to take down web servers and web service providers. The DDOS attack against the DNS services of DYN (a DNS service provider) is one of the largest and worst DDOS attacks, with a bandwidth of nearly 1 Tbps. This massive attack shut down internet web services in major parts of Europe and in African countries. DDOS attacks are carried out by systems and devices compromised by malware, i.e. botnets.
CLOUD MIGRATION:
Since 2013, most companies and organizations have moved their web services to cloud-based infrastructure. Google, Amazon and Microsoft have developed their own cloud services to meet the growing demand for web services from the public and private sectors. This migration into virtual shared infrastructure changes how we address information security and risk management. It has also created a great challenge, as well as a threat vector, for web technologies and developers: cloud-based attack vectors are evolving, and new vulnerabilities and exploits for cloud servers are being developed.
PASSWORD MANAGEMENT:
Password management is one of the key challenges not only for web technologies but also for networks and mobile services. Password management requires users to create strong, user-controlled passwords that are less likely to be broken by an attacker. This educational and administrative challenge requires creative solutions and enforced policies.
SABOTAGE:
Sabotage of critical web technologies and services can affect the infrastructure and ultimately impact corporate and backbone networks. This challenge is particularly pernicious because it combines social engineering with software-based tools to produce a complex, multi-vector attack profile aimed at compromising the client of an individual web service, e.g. Gmail, Yahoo, Facebook, PayPal, etc.
BOTNETS:
The term botnet refers to a group or network of computers and other internet-connected devices that are compromised by malware (spyware, Trojans, etc.). Compromised systems are referred to as bots and their network as a botnet. Botnets have become a major threat and an attack vector used by attackers to carry out large-scale attacks such as DDOS. Attackers compromised around 100,000 IoT devices and used them as a botnet army to attack the DNS provider DYN with a large-scale DDOS attack. Attackers used the botnet called "Mirai" to carry out this attack.
INSIDER THREAT:
Insider threat is one of the major threats to any organization providing web services. A dissatisfied employee base provides a vector for insider security events, while the inadvertent introduction of malware through removable media or web interconnections can make any employee the origination point of a security violation that creates a loophole or vulnerability in the web service.
MOBILITY:
Managing and securing mobile-based web technologies, such as mobile apps that provide web services like email, browsing and social media, is even more challenging for web technology developers. Within an organization, the bring-your-own-device trend exacerbates this challenge when it comes to protecting the critical information needed to manage the organization and the network without sacrificing the privacy of employees' personal information and activities. An attacker who manages to compromise a person's mobile device can go on to try to hijack web connections and critical data on that device.
PRIVACY LAWS:
Privacy of users and their data is a major concern across the whole internet. Keeping users and their data private and safe is a big challenge for any organization providing web technology. A key example is protecting the usernames and passwords of web service users with encryption. If there is a data breach at a specific web service provider, the organization has to make sure that user data is not compromised or leaked.
CLIENT-SIDE AWARENESS:
A lack of security awareness among the users of web application technology can become a threat to the web service even if the web service itself is not vulnerable to any attack vector. A web application should enforce strong client-side security to overcome this challenge. Examples include banking sites displaying information about credit card security and phishing pages on the bank login page to make users aware of the risk of data loss.
CONCLUSION:
All these challenges affect how a pen tester and a developer treat the risk and security of a web application technology from inside and outside a network. Security testers and developers should keep all these challenges in mind while testing and developing a web application, whether for private corporate use or public use.
The Top 10 Security Challenges highlight the key cyber security risks that businesses face now. Secure your application from the top security challenges with briskInfosec.