OWASP Top 10
The OWASP Top 10 is a list of the most common vulnerabilities found in web applications. It provides software development and application delivery guidelines on how to protect against these vulnerabilities. The OWASP Top 10 list is not focused on any specific product or application but recommends generic best practices for DevOps around key areas such as role validation and application security. The Kemp LoadMaster contributes to the defense in-depth approach to information security by providing a layer of application security providing:
- Built on an optimized Linux Operating System (OS) with all default ports closed, and all unnecessary services and applications removed. User authentication to the OS is tightly controlled
- Built-in IDS/IPS (intrusion detection and protection)
- Secure and manage your environment with Authentication, Authorization, and Accounting for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing information necessary to bill for services
- Providing SSL/TLS support including: Decrypt and Re-Encrypt, Full Certificate Management, OCSP and SNI support, Full Cipher Suite management and apply this to both the data plane and access to the LoadMaster
- Fully featured Web Application Firewall (WAF)
The vulnerabilities identified in the OWASP Top 10 are as follows:
| OWASP Vulnerability | Explanation |
|---|---|
| A1. Injection | This is when an attacker sends rogue content to a web application interpreter causing the interpreter to execute authorized commands. |
| A2. Broken Authentication | Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume the identities of valid users. |
| A3. Sensitive Data Exposure | Sensitive data such as financial, healthcare and PII must be protected both in-transit and at rest. |
| A4. XML External Entities (XXE) | This is a vulnerability found in many older XML processors that allow external identity references within XML documents. These external identity references can be used to access internal files and data using a URI handler embedded in an XML file. |
| A5. Broken Access Control | Many applications don’t enforce access control on application resources after a user session has been authenticated. This can lead to vulnerabilities due to poor configuration, which can lead to data being exposed to users who shouldn’t get access. Internal application checks and verifications should be used for all access to sensitive data, and not the assumption that an authenticated session is allowed access. |
| A6. Security Misconfiguration | This is a very wide catch-all section that covers a variety of scenarios, including the application of latest security patches, default enablement of unnecessary features and the use of default accounts to mitigate. |
| A7. Cross-Site Scripting | This is when a browser unknowingly executes scripts to hijack sessions or redirect to a rogue site. |
| A8. Insecure Deserialization | When applications store data they use various methods to serialize a data stream, then write it to files or send it over a network connection. When reading data back, an application deserializes the data coming in to convert it to a format the application needs. Insecure deserialization occurs when an application reads data from an insecure source, or when an attacker has been able to modify an incoming data stream to include malicious code. |
| A9. Using components with known vulnerabilities | Third-party libraries and frameworks used in application development may have known vulnerabilities that compromise the overall application security. |
| A10. Insufficient Logging & Monitoring | Many systems are not monitored well enough and as a result attacks and data losses go undetected for prolonged periods of time. This allows attackers to continue to exploit weaknesses in systems, and possibly use undetected flaws in one application to attack others. |