In addition to OWASP finally updating the Top 10 Web Application Risks, this year Mitre also updated their Top 25 Most Dangerous Software Bugs, also known as the CWE Top 25. One of the interesting things to note about the updated list, is that common vulnerabilities still feature prominently, an indication that we've made little progress in improving the security of our web applications, as has been indicated by other recent studies.
HomeTagRASP Archives - K2io
Tag
Entries Tagged " RASP "
It will be one year since NIST released their final version of SP800-53 Revision 5 on September 23, 2020. As a quick reminder SP800-53 is the document issued by NIST that specifies the Security and Privacy Controls that need to be used by agencies of the Federal government.
The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). The list has been maintained by OWASP since its release in 2003 with updates every few years.
A new article in Help Net Security covers some interesting new statistics that reflect the inability of current security tools to protect organizations against attacks happening on web applications. The article shares numbers from a study run by ESG.
A new article in SDXcentral talks about why WAFs (Web Application Firewalls) are insufficient protection according to a hacker. The topic of WAFs isn't new to K2 and we've covered their failures in this blog article as well as an article on the dissatisfaction with WAFs in the security community, along with an article about the high levels of maintenance needed for WAFs. If you think it's K2 that's talking all this doom and gloom about WAFs, even Dark Reading ran an article titled: When WAFs go Wrong.
It's been 18 years since OWASP first published their list of Top 10 Web Application Security Risks in 2003. It wouldn't be unreasonable to think it would have been possible to solve web application security problems in that time frame. Yet, attacks continue to happen, and successfully target vulnerabilities in web applications.
Security practitioners are under the constant need to keep up to date and continue their learning, just to keep up with the ever changing tactics of cyber criminals. It's one of the reasons, to keep an eye out for useful books to enhance and broaden our knowledge base. A recent article covered useful application security books available on Amazon. The article covers 4 useful books for application security, and the books cover a wide range of topics from traditional application security to penetration testing and DevOps.
Organizations have seen a dramatic shift towards digital transformation in recent years, driven in part by the COVID-19 pandemic and the work from home phenomenon. Part of that transformation included a shift to an increased use of applications in and across the cloud. Applications store, process and exchange sensitive data belonging to the organization, making application security mission critical. Juniper Networks has made application security a core tenet of the Juniper Experience-First Networking philosophy, first with a partnership and integration with K2’s Workload Protection Platform back in February of 2020 and this week by expanding the Juniper/K2 partnership, by leveraging K2 Cyber Security’s technology as part of Juniper’s launch of Juniper Cloud Workload Protection.
One of the most common issues with security testing of applications is being inundated with vulnerability reports, containing too many vulnerabilities for a typical development team to handle. This includes reports from testing tools like SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). The problem isn't just the volume of vulnerabilities, but the difficulty in determining which vulnerabilities are real (as opposed to false positives), which are just informational, which are severe or critical, which actually exist in the application (as opposed to just in a library that's included but not used by the application), and perhaps most importantly which vulnerabilities are actually exploitable.
A recent article in Reportdoor.com started with these words, "Every Company is Now a Software Company." With COVID still causing disruption for every organization, this has truly become a truth for every enterprise. The article focused specifically on the state of web application security, and a report created by Cyentia that reviewed around 100 other security reports to identify how organizations are handling web application security.