Cenzic provides software and SaaS products for Website security

Top Vulnerabilities

Cenzic advises that, at a very minimum, vulnerability assessments of commercial web applications cover the following areas.

  • SQL Disclosure
  • Forceful Browsing Past Authorization Boundary
  • Insufficient Password Strength
  • Cross-Site Scripting
  • Buffer Overflow
  • Command Injection
  • SQL Parser
  • All Forms Submitted via SSL

OWASP Top 10 Security Vulnerabilities

Organizations must conduct vulnerability assessments to ensure protection against the Top 10 security vulnerabilities published by The Open Web Application Security Project (OWASP).


Unvalidated Input

Information from Web requests is not validated before being used by a web application.

Broken Access Control

Restrictions on what authenticated users are allowed to do are not properly enforced.
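As an added illustration (not code from the Cenzic page or from OWASP), the Python below contrasts a record lookup that trusts the client-supplied id with one that enforces ownership on every request. The invoice table, user names and function names are constructed for the example.

```python
# Added example: object-level authorization on a record lookup.
# The data, users and names below are constructed, not from a real system.
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 990),
}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Looks the record up by the id the client sent and nothing else.
    Any authenticated user who guesses or increments another user's
    invoice id receives that invoice: the authorization restriction is
    not enforced server-side."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Same lookup, but the caller must own the record. The check runs on
    every request rather than trusting that the UI only showed the user
    their own ids."""
    invoice = INVOICES.get(invoice_id)
    # Return the same error for 'missing' and 'not yours' so the endpoint
    # does not confirm which ids exist.
    if invoice is None or invoice.owner != current_user:
        raise AccessDenied(f"invoice {invoice_id} not accessible to {current_user}")
    return invoice


def is_accessible(current_user: str, invoice_id: int) -> bool:
    """Convenience predicate wrapping the hardened check."""
    try:
        get_invoice_hardened(current_user, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # alice requesting bob's invoice: the vulnerable path hands it over,
    # the hardened path refuses.
    print(get_invoice_vulnerable("alice", 1002))
    print(is_accessible("alice", 1002))
```

The ownership test belongs in the data-access layer, not only in the page that lists the user's own invoices; an assessment of this category probes exactly the requests the UI would never generate.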

Broken Authentication and Session Management

Account credentials and session tokens are not properly protected.

Cross-site Scripting (XSS) Flaws

The Web application can be used as a mechanism to transport an attack to an end user's browser.
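As an added illustration (not code from the Cenzic page or from OWASP), the Python below shows a search page reflecting its q parameter into the response with and without output encoding, which is the mechanism by which the application carries an attacker's script to a victim's browser. The URL, page template and function names are constructed for the example.

```python
# Added example: reflected cross-site scripting and its fix (output encoding).
# The template, URL and names are constructed, not from a real application.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed response template with one untrusted value in the HTML body.
PAGE = "<html><body><p>You searched for: {term}</p></body></html>"


def search_term_from_url(url: str) -> str:
    """Extract the 'q' query parameter, percent-decoded as the server sees it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Places the untrusted value directly into the markup. The browser parses
    any tags inside it, so a crafted link executes the attacker's script in
    every victim's session on this site's origin."""
    return PAGE.format(term=search_term_from_url(url))


def render_hardened(url: str) -> str:
    """Encodes the value for the HTML text context at the point of output.
    quote=True also encodes quotes, so the same call is safe inside a
    double-quoted attribute value."""
    return PAGE.format(term=html.escape(search_term_from_url(url), quote=True))


def contains_script_tag(markup: str) -> bool:
    """Crude check used here only to show which rendering kept the tag live."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    crafted = "https://shop.example/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
    print(render_vulnerable(crafted))
    print(render_hardened(crafted))
```

Encoding is context-specific: the HTML entity encoding above is right for element text and attribute values, while a value placed inside a script block, a URL or a CSS property needs the encoding for that context instead.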

Buffer Overflows

Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.

Injection Flaws

Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
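As an added illustration of commands embedded in parameters that reach the operating system (not code from the Cenzic page or from OWASP), the Python below shows a host-lookup helper that builds a shell command from a request parameter, beside a version that validates the value against an allow-list and runs the program without a shell. The function names are constructed, and echo stands in for the real lookup tool so the example runs offline.

```python
# Added example: OS command injection through a request parameter, and the fix.
# Names are constructed; `echo` replaces the real lookup tool so this runs offline.
import re
import subprocess

# Strict allow-list for a DNS hostname: letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def lookup_vulnerable(host: str) -> str:
    """Builds a command string from untrusted input and hands it to a shell.
    Shell metacharacters in `host` (';', '|', '`', '$(...)') are interpreted
    by the shell, so the attacker decides what runs."""
    result = subprocess.run(f"echo lookup {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(host: str) -> str:
    """Runs the program directly with an argument vector and no shell. The
    whole value arrives as one argument, so metacharacters are inert even
    without validation; shown separately to isolate that effect."""
    result = subprocess.run(["echo", "lookup", host], shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Allow-list validation first, then the no-shell execution. Two
    independent controls: if the pattern is ever loosened, nothing parses
    the input as commands; if a caller bypasses argv, the pattern still
    rejects the payload."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(repr(lookup_vulnerable(payload)))   # second command runs
    print(repr(lookup_argv_only(payload)))    # payload echoed back as text
    print(is_valid_hostname(payload))          # False: hardened path rejects it
```

An assessment for this category sends exactly the payload above, plus variants using `|`, `&&`, backticks and newlines, into every parameter that could plausibly reach a shell, a mail command, an LDAP query or a file path.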

Improper Error Handling

Error conditions that occur during normal operation are not handled properly and can disclose detailed system information to an attacker or crash the server.

Insecure Storage

Web applications frequently use cryptographic functions to protect information and credentials. If these functions are not coded and integrated properly, the result is weak protection.

Denial of Service

Attackers can consume web application resources to a point where legitimate users can no longer access or use the application.

Insecure configuration management

A strong server configuration standard is critical to a secure web application. Servers are not secure out of the box and must be configured for security.

Source: OWASP Web site


SANS Top 20

Protect against the top security vulnerabilities described in the SANS Institute's Top 20 list, which is split into Windows and UNIX systems.

Top Vulnerabilities to Windows Systems


  • W1 Internet Information Services (IIS)
  • W2 Microsoft SQL Server (MSSQL)
  • W3 Windows Authentication
  • W4 Internet Explorer (IE)
  • W5 Windows Remote Access Services
  • W6 Microsoft Data Access Components (MDAC)
  • W7 Windows Scripting Host (WSH)
  • W8 Microsoft Outlook and Outlook Express
  • W9 Windows Peer to Peer File Sharing (P2P)
  • W10 Simple Network Management Protocol (SNMP)

Top Vulnerabilities to UNIX Systems


  • U1 BIND Domain Name System
  • U2 Remote Procedure Calls (RPC)
  • U3 Apache Web Server
  • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
  • U5 Clear Text Services
  • U6 Sendmail
  • U7 Simple Network Management Protocol (SNMP)
  • U8 Secure Shell (SSH)
  • U9 Misconfiguration of Enterprise Services NIS/NFS
  • U10 Open Secure Sockets Layer (SSL)

Compliance Resources

Gramm-Leach-Bliley Act

  1. www.ftc.gov/privacy/glbact/
  2. banking.senate.gov/conf
  3. www.ftc.gov/privacy/glbact/glbsub1.htm

Sarbanes-Oxley

  1. www.sec.gov
  2. www.sarbanes-oxley-forum.com
  3. www.aicpa.org

HIPAA

  1. aspe.hhs.gov
  2. ecfr.gpoaccess.gov
  3. www.cms.hhs.gov

SB 1386

info.sen.ca.gov