#CyberSecurityPulse: Injection and XSS, the Most Critical Web Application Security Risks

ElevenPaths    5 December, 2017

The Open Web Application Security Project (OWASP) has just updated its top ten list of web application vulnerabilities for the first time since 2013, but not much has actually changed. According to the list, the top vulnerability remains injection, and cross-site scripting (XSS) is still in the top ten despite having plagued web apps for a decade and a half now. Verizon’s Data Breach Investigations Report (DBIR) for 2017 also found that of the 1,935 confirmed breaches analysed, some 571 involved web application attacks, which makes the seriousness of the OWASP list clear.

On the other hand, Black Duck’s 2017 Open Source Security and Risk Analysis (OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases; it is an inertia that is proving very costly. Many organizations do not effectively track and manage the open source they use, and as a result are not fully aware of the risks that accompany it.

Modern risks move quickly, so the days of scanning or penetration testing an application for vulnerabilities once every year or so are long gone. Modern software development requires continuous application security testing across the entire software development lifecycle with the aim of dealing with the enormous volume of vulnerabilities that are found daily.
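As an added illustration of the two risks named above (not code from the OWASP list or from ElevenPaths), the following Python snippet places the vulnerable pattern beside its hardened form for both SQL injection and reflected XSS. The users table and the sample inputs are constructed for the example; the fix in each case is the standard one: parameterised queries for SQL, output encoding for HTML.

```python
import html
import sqlite3

# Constructed sample data for the example: an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, name):
    # Injection: untrusted input is concatenated into the SQL text, so the
    # input can change the meaning of the query rather than just its value.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so it can only ever be compared as data.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

def render_greeting_vulnerable(name):
    # XSS: untrusted input is written straight into the HTML response.
    return f"<p>Hello, {name}!</p>"

def render_greeting_safe(name):
    # Output encoding: html.escape turns <, >, &, " and ' into entities,
    # so the browser renders the input as text instead of markup.
    return f"<p>Hello, {html.escape(name)}!</p>"

def demo():
    """Run both pairs on constructed inputs and return the observations."""
    conn = make_db()
    sql_probe = "x' OR '1'='1"          # constructed test input
    xss_probe = "<script>alert(1)</script>"  # constructed test input
    return {
        "vuln_rows": len(lookup_user_vulnerable(conn, sql_probe)),
        "safe_rows": len(lookup_user_safe(conn, sql_probe)),
        "vuln_html": render_greeting_vulnerable(xss_probe),
        "safe_html": render_greeting_safe(xss_probe),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same probe input returns every row from the concatenated query and no rows from the parameterised one, and the escaped greeting contains no `<script>` tag; those two contrasts are exactly what a test in a continuous application security pipeline should assert on.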

More information at OWASP

Top Stories

UK Government Launches ‘Cyber Discovery’ Programme to Find Next Generation of Cybersecurity Talent

The Department for Digital, Culture, Media and Sport (DCMS) has today launched its landmark cyber security training programme aimed at young people in school years 10-13. The initiative aims to help plug the UK’s cyber security skills gap by tapping into young and undiscovered talent with the ambition of stimulating and nurturing interest in cyber security as a future career path. Initially students are invited to register and work through a selection tool, CyberStart Assess. Successful students will go onto three challenging and exciting stages which will later include Face to Face camps with industry experts, and three live regional Capture the Flag events where parents and leaders can see the progress made by students. Cyber Discovery is being piloted in year one in England but is expected to expand to other parts of the UK in later years.

More information at Join Cyber Discovery

Bitcoin Gold Warning With Its Windows Wallet

Bitcoin Gold has warned that anyone who downloaded the Windows Wallet file between November 21, 2017, 09:39 UTC, and November 25, 2017, 22:30 UTC, should not use the file in any way. If the file was used, the computer on which it was used should be treated with extreme caution: the file should be deleted, the machine should be thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine should be moved to new wallet addresses immediately.

More information at Bitcoin Gold

Rest of the Week’s News

Facebook Tool Will Let Users View Russian-placed Pages

After taking a pounding for its role in letting Russian bad actors gain influence on social media during the US presidential election, Facebook said it will offer a tool that will let users view the pages and ads created by a Russian troll farm operating under the moniker Internet Research Agency that engages in online influence operations on behalf of the Russian government.

More information at SC Magazine UK

Firefox Will Notify Users Who Visit Sites That Suffered a Data Breach

The Firefox browser is going to introduce a new security feature to make users’ online experience more secure: it will warn users if they visit websites that have experienced data breaches. The news was revealed by the Mozilla developer Nihanth Subramanya and confirmed by the presence of a recently released GitHub repo titled “Breach Alerts Prototype”. The developer has teamed up with haveibeenpwned.com as the data source for breach information.

More information at GitHub

Google to Block Third-Party Software From Injecting Code Into Chrome Browser

To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome will, by mid-2018, no longer allow outside applications to run code within the browser. Google has announced its plan with some exceptions: Microsoft-signed code, accessibility software and IME software will still be allowed to inject code into the browser.

More information at The Hacker News

Further Reading

PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers

More information at The Hacker News

Cryptocurrency Miners Hidden in Websites Run Even After Users Close the Browser

More information at Security Affairs

Vulnerability in CoinPouch Verge Wallets

More information at Security Affairs

RSA Authentication SDK Affected by Two Critical Vulnerabilities

More information at SecLists
