Nik Networks

Information Technology Solution and Support

Month: September 2023

Most Common Application Security Risks

Top critical application threats that are most likely to affect applications in production:

Broken Access Control

Broken access control allows attackers and ordinary users to obtain access and privileges they were never granted. Here are the most common issues:

  • It enables attackers to gain unauthorized access to user accounts and act as administrators or regular users.
  • It provides users with unauthorized privileged functions.

You can remediate this issue by implementing strong access control mechanisms that ensure each role is clearly defined with isolated privileges, and by checking, on every request, that the caller is allowed to act on the specific object it asks for.
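The remediation above is easiest to see next to the bug it fixes. The following is an added example written for this post (not code from the original article or from any product): a tiny invoice lookup with an insecure version that trusts any logged-in caller, beside a hardened version that checks role privileges and object ownership. The invoice store, the role table and the Forbidden exception are assumptions made for the demonstration.

```python
"""Object-level authorization check for a small invoice service (added example)."""
from dataclasses import dataclass

# Constructed sample data: invoices owned by two different customers.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}

# Each role is defined with only the privileges it needs; reading invoices
# you do not own is a separate privilege from reading your own.
ROLE_PRIVILEGES = {
    "customer": {"invoice:read_own"},
    "support": {"invoice:read_own", "invoice:read_any"},
    "admin": {"invoice:read_own", "invoice:read_any", "invoice:delete"},
}


class Forbidden(Exception):
    """Raised when the caller lacks the privilege for the requested action."""


@dataclass(frozen=True)
class User:
    name: str
    role: str


def get_invoice_insecure(user: User, invoice_id: int) -> dict:
    """Vulnerable version: assumes a valid session is enough and returns
    whatever invoice ID the caller asks for (classic broken access control)."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> dict:
    """Hardened version: checks the caller's role privileges and, for roles
    without 'read_any', that the caller owns the requested object."""
    invoice = INVOICES.get(invoice_id)
    privileges = ROLE_PRIVILEGES.get(user.role, set())
    if invoice is not None:
        if "invoice:read_any" in privileges:
            return invoice
        if "invoice:read_own" in privileges and invoice["owner"] == user.name:
            return invoice
    # Same error for "does not exist" and "not yours", so callers cannot
    # enumerate valid IDs by probing.
    raise Forbidden("invoice not accessible")


def can_read(user: User, invoice_id: int) -> bool:
    """Boolean wrapper around get_invoice, handy for tests and UI decisions."""
    try:
        get_invoice(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = User("bob", "customer")
    print("insecure:", get_invoice_insecure(bob, 101))   # bob reads alice's invoice
    print("hardened:", can_read(bob, 101), can_read(bob, 102))
```

The hardened version deliberately returns the same Forbidden error whether the invoice is missing or belongs to someone else; distinguishing the two would let a caller enumerate which IDs exist.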

Cryptographic Failures

Cryptographic failures (previously referred to as “sensitive data exposure”) occur when data is not properly protected in transit and at rest. This can expose passwords, health records, credit card numbers, and personal data.

This application security risk can lead to non-compliance with data privacy regulations, such as the EU General Data Protection Regulation (GDPR), and financial standards like PCI Data Security Standards (PCI DSS).

Injection (Including XSS, LFI, and SQL Injection)

Injection vulnerabilities enable threat actors to send malicious data to a web application's interpreter, where it is parsed and executed on the server as part of a command or query instead of being treated as plain data. SQL injection is a common form of injection.

Insecure Design

Insecure design covers many application weaknesses that occur due to ineffective or missing security controls. Applications that lack basic security controls cannot defend against critical threats. While you can fix implementation flaws in an application that has a secure design, you cannot fix an insecure design with configuration changes or patching alone.

Security Misconfiguration (Including XXE)

Security misconfigurations occur due to a lack of security hardening across the application stack. Here are common security misconfigurations:

  • Improperly configuring cloud service permissions
  • Leaving unnecessary features enabled or installed
  • Using default passwords or admin accounts
  • XML External Entities (XXE) vulnerabilities

Vulnerable and Outdated Components

Vulnerable and outdated components (previously referred to as “using components with known vulnerabilities”) include any vulnerability resulting from outdated or unsupported software. It can occur when you build or use an application without knowing which components and versions it contains.

Identification and Authentication Failures

Identification and authentication failures (previously referred to as “broken authentication”) include any security problem related to user identities. You can protect against identity attacks and exploits by establishing secure session management and setting up authentication and verification for all identities.

Software and Data Integrity Failures

Software and data integrity failures occur when infrastructure and code are vulnerable to integrity violations. It can occur during software updates, sensitive data modification, and any CI/CD pipeline changes that are not validated. Insecure CI/CD pipelines can result in unauthorized access and lead to supply chain attacks.
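One of the simplest integrity controls is refusing to apply an update whose digest does not match the value recorded at release time. The following is an added example (written for this post, not code from the original article): the artifact bytes and the pinned digest are constructed inline, and the apply_update function stands in for a real install step. Obtaining the expected digest from a trusted, signed source is assumed to happen outside this snippet.

```python
"""Integrity check on an update artifact before it is applied (added example)."""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact does not match its expected digest."""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """True only if the artifact's SHA-256 equals the expected digest.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def apply_update(data: bytes, expected_sha256: str) -> str:
    """Simulated install step that refuses to proceed on a mismatch."""
    if not verify_artifact(data, expected_sha256):
        raise IntegrityError("artifact digest mismatch; refusing to install")
    return f"installed {len(data)} bytes"


if __name__ == "__main__":
    artifact = b"#!/bin/sh\necho 'release 1.2.3'\n"   # constructed artifact
    pinned = sha256_hex(artifact)                      # digest recorded at release time
    print(apply_update(artifact, pinned))
    tampered = artifact + b"echo 'unexpected extra line'\n"   # constructed tampering
    try:
        apply_update(tampered, pinned)
    except IntegrityError as exc:
        print("blocked:", exc)
```

A digest check only proves the bytes match what someone pinned; it does not say who pinned them. For CI/CD pipelines the pinned value should itself come from a signed manifest or a signature over the artifact, so that an attacker who can swap the artifact cannot also swap the expected digest.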

Security Logging and Monitoring Failures

Security logging and monitoring failures (previously referred to as “insufficient logging and monitoring”) occur when an application cannot properly detect and respond to security events. Logging and monitoring are critical to the detection of breaches. When these mechanisms do not work, the application loses visibility into what is happening, and both alerting and forensics are compromised.

Server-Side Request Forgery

Server-side request forgery vulnerabilities occur when a web application does not validate a URL supplied by a user before fetching data from the remote resource it names. Because the request originates from the server, it can reach firewall-protected hosts and bypass any network access control list that does not itself validate the destination.
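The validation step the paragraph calls for is shown below as an added example (written for this post, not code from the original article): an allowlist-based URL check that only permits https URLs to a fixed set of hosts, with a defence-in-depth rejection of IP literals that are loopback, private or otherwise non-global. The allowed host list and the fetch_remote stub are assumptions for the demonstration; no network request is made.

```python
"""Allowlist-based validation of a user-supplied URL before a server-side fetch
(added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.test", "cdn.example.test"}   # constructed allowlist


def is_safe_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only https URLs whose host is on the allowlist.

    The allowlist is the primary control. The IP-literal check is defence in
    depth: even if an address were allowlisted by mistake, loopback, private
    and link-local targets are still refused."""
    try:
        parts = urlsplit(url)
        _ = parts.port          # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False            # user@host forms are a common way to confuse parsers
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None               # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        return False
    return host.lower() in allowed_hosts


def fetch_remote(url: str) -> str:
    """Stand-in for the real fetch: validate first, then 'fetch'."""
    if not is_safe_url(url):
        raise ValueError("URL rejected by SSRF policy")
    return f"fetched {url}"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.test/v1/items",
        "http://api.example.test/",
        "https://10.0.0.5/admin",
        "https://api.example.test@evil.example.test/",
    ):
        print(candidate, "->", is_safe_url(candidate))
```

This check does not resolve DNS, so it cannot see an allowlisted name that later resolves to an internal address; pair it with egress controls on the server and, where the client library allows it, a check on the resolved address at connection time.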

What is Software Application Security?

Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment.

Here are several ways to promote application security throughout the software development lifecycle (SDLC):

  • Introduce security standards and tools during design and application development phases. For example, include vulnerability scanning during early development.
  • Implement security procedures and systems to protect applications in production environments. For example, perform continuous security testing.
  • Implement strong authentication for applications that contain sensitive data or are mission critical.
  • Use security systems such as firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS).