Over the last several years data breaches have risen considerably, and organizations have become more aware that database security is essential. Database security involves protecting the database itself, its management system, the web applications that access it, and the data it contains (Database security, n.d.). It is an organization’s responsibility to protect its database from both external and internal threats. Internet-based attacks are among the biggest challenges to database security: cybercriminals constantly devise new ways to reach an organization’s database through its web applications in order to steal, delete, or modify data. The motivation of this research is to identify the two most critical web application vulnerabilities so organizations can minimize, if not eliminate, them.
Problem Statement
All over the world, database security is constantly threatened by cyber-attacks on web applications. Vulnerabilities in those applications lead to data breaches, which in turn expose organizations to large regulatory fines and customer lawsuits.
Research Question
What are the top two vulnerabilities in web-based applications that threaten database security according to the OWASP (Open Web Application Security Project) Top 10 for 2021, and how can they be minimized?
Professional Significance Statement
OWASP releases a Top 10 list every three or four years that ranks the ten most critical web application security risks. The list is built by collecting and analyzing vulnerability data submitted by organizations worldwide, so that organizations know which risks matter most and can focus on minimizing them.
OWASP is a large, credible nonprofit foundation of security professionals worldwide who continually improve web application security; although it is an online community, its headquarters is in Maryland (Who is OWASP?, n.d.). In the OWASP Top 10 for 2021, the two highest-ranked risks are broken access control and cryptographic failures, both of which moved up the ranking compared with the 2017 list (OWASP Top 10, n.d.). Although there are many vulnerabilities and threats to databases, this document focuses on those two. It also covers the method OWASP uses to arrive at its Top 10 ranking and techniques for preventing or minimizing the two vulnerabilities.
OWASP Top 10 List for 2021
The OWASP Top 10 list started purely as an awareness document. However, since its first release around 2003, organizations have used it as a guide for securing their web applications. Knowing the ten most critical web application risks helps organizations decide where to strengthen their defenses. The OWASP Top 10 for 2021 lists the following (OWASP Top 10, n.d.):
- Broken Access Control - a failure to enforce what users are allowed to do, letting an authenticated (or even unauthenticated) user view or modify other users’ data or perform functions reserved for higher privileges.
- Cryptographic Failures - sensitive data exposed because encryption is missing, weak, or misapplied, including weak or deprecated algorithms, poor key management, and plaintext storage or transmission.
- Injection - untrusted input from places such as login fields, contact forms, or forum posts is passed to an interpreter (for example SQL or a scripting engine) as part of a command or query, letting an attacker read or modify data in the database.
- Insecure Design - missing or ineffective security controls in the design itself, often because threat modeling was not performed or not applied correctly; a flawless implementation cannot compensate for a design that never included the control.
- Security Misconfiguration - incorrect, default, or missing application or system configuration, such as unnecessary features enabled or default accounts left in place, resulting in unauthorized access.
- Vulnerable and Outdated Components - libraries, frameworks, or server software that are unsupported, unpatched, or have known vulnerabilities, or whose versions are not even tracked.
- Identification and Authentication Failures - weaknesses in confirming a user’s identity or managing sessions, such as permitting weak or default passwords, allowing credential stuffing, or exposing session identifiers.
- Software and Data Integrity Failures - code and infrastructure that do not protect against integrity violations, for example unsigned updates, untrusted CI/CD pipelines, or insecure deserialization.
- Security Logging and Monitoring Failures - insufficient logging and monitoring of logins, failed access attempts, and other security events, so that breaches are not detected or escalated in time. Visibility into these events is important so the organization sees an issue as early as possible.
- Server-Side Request Forgery (SSRF) - a web application fetches a remote resource from a user-supplied URL without validating it, so an attacker can make the server send requests to unintended internal or external destinations.
All ten of these risks can cause incidents and cost organizations money if data breaches result. Because the first two are ranked most critical, each is defined in more detail below. Both can be devastating to an organization that has not put the proper security controls in place, and a breach stemming from a Top 10 risk can be serious enough to put an organization out of business.
Broken Access Control Vulnerability
OWASP reports broken access control as the most serious web application security risk of 2021, ranking it number one (OWASP Top 10, n.d.). Access control enforces policy so that users cannot act outside their intended permissions on an organization’s applications and data. When such a policy is not properly implemented or enforced, the result is broken access control: the restrictions on what an authenticated user is allowed to do are not applied, and the consequences for most businesses are severe.
Some of the most common forms are elevation of privilege, where an attacker acts as a user without being logged in or as an administrator while logged in as an ordinary user, and violations of the principle of least privilege, where the administrator did not configure role-based access control so that users reach only the data their job requires (Broken access control, n.d.). Attackers can also bypass access control checks simply by modifying the URL, the HTML page, or an API request, or by using an attack tool; a typical case is changing a record identifier in the URL to retrieve another user’s data. Finally, an attacker with access to another user’s browser may find that user still logged in if the session was never ended, and can reuse that session.
Cryptographic Failures
OWASP ranks cryptographic failures as the second most critical risk on its Top 10 for 2021 (OWASP Top 10, n.d.). A cryptographic failure occurs when a system fails to protect sensitive data with appropriate cryptography and so allows it to be accessed by attackers. It can also be the root cause of a security incident that results in unlawful or accidental erasure, alteration, destruction, or unauthorized disclosure of sensitive information. Such incidents are commonly grouped into three categories: confidentiality, availability, and integrity breaches (Cryptographic failure, 2022). A confidentiality breach is when an unauthorized third party can access confidential data or the organization accidentally discloses it. An availability breach is when access to sensitive data is lost or the data is destroyed. An integrity breach is when sensitive data has been altered without authorization, whether accidentally or deliberately.
Cryptographic failures occur when organizations do not handle information the way it should be handled; for instance, they store sensitive data in plaintext. Organizations must serve their websites over HTTPS (Hypertext Transfer Protocol Secure), that is, HTTP protected by TLS (Transport Layer Security, the successor to the now-deprecated SSL), so that data in transit is not exposed (Cryptographic failure, 2022). Weak cryptography compounds other flaws: if an injection attack dumps a database, records stored in plaintext or under weak, unsalted hashes are immediately usable to the attacker. This happens when organizations do not salt and hash passwords with a deliberately slow algorithm such as Argon2, scrypt, bcrypt, or PBKDF2, or when they rely on deprecated functions such as MD5 or SHA-1, which let attackers recover passwords quickly from a dumped table.
Research Methodology and Results
According to OWASP’s description of its methodology, the Top 10 draws on data submitted by seven companies through eight datasets, contributed by three SaaS (Software as a Service) vendors and four consulting firms (OWASP Top 10, n.d.). These datasets cover over 500,000 vulnerabilities, drawn from thousands of applications and hundreds of organizations worldwide. A small part of the ranking comes from a community survey of application security experts, but the large majority is data-driven.
The submitted data is analyzed and mapped to CWE (Common Weakness Enumeration) entries, which are then grouped into categories. CWE is a community-developed list of hardware and software weakness types (CWE information, n.d.). OWASP collects and categorizes this CWE data over three or four years; when a new list is due, it consolidates the groups and categories, adds the survey results (eight of the ten categories come from the contributed data and two from the survey), and publishes the resulting list on its website (OWASP Top 10, n.d.). Organizations then take note of the most critical risks and secure their applications against them. They trust the list because it rests on the preceding three or four years of real-world data, so the risks it names are the ones of greatest concern.
Vulnerability Remediation and Prevention
Once organizations know which vulnerabilities are on the OWASP list, the next step is to make sure they are protected against them. Because the two most critical have been outlined above, this section concentrates on remedies and preventions for those two. Organizations should first test their systems for vulnerabilities, paying special attention to the Top 10, and then, depending on the results, fix the issues found or put controls in place to prevent them (Kang, 2022).
Several techniques and tools remedy or prevent broken access control. Deny access by default: every resource that is not meant to be public should be inaccessible unless a permission explicitly grants it, and public resources should carry a deliberately assigned level of access. Internal users should be assigned roles so that role-based access control lets them reach only the data their job requires (Kang, 2022). Access control must be enforced on the server side in a single, reusable mechanism rather than in client-side checks that an attacker can modify, and it should enforce record ownership so that users cannot read or change each other’s data. Organizations also need to audit and test their access control regularly to confirm it works as intended, and log access control failures so that repeated attempts are detected.
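The following is an added example, not code from OWASP or from any source cited in this document. It illustrates both the identifier-tampering form of broken access control described earlier and the deny-by-default, role-based, ownership-checked remedy described above. The accounts, roles, records and permission table are constructed sample data; the Session class and the handler names are assumptions made for the illustration.

```python
"""Broken access control beside its deny-by-default fix.

Added illustration, not code from OWASP or any source cited on this page.
The accounts, roles, records and permission table are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: customer records keyed by id, each owned by one user.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1234"},
    1002: {"owner": "bob", "ssn_last4": "5678"},
}

# Constructed sample accounts and their roles for role-based access control.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "support"},
}

# Assumed policy table: which roles may perform which action.
# Anything not listed here is denied (deny by default).
PERMISSIONS = {
    "view_record": {"customer", "support", "admin"},
    "delete_record": {"admin"},
}


@dataclass
class Session:
    user: Optional[str]  # None models an unauthenticated request


class AccessDenied(Exception):
    pass


def get_record_vulnerable(session: Session, record_id: int) -> dict:
    """Vulnerable handler: trusts the id taken from the URL and never checks
    who is asking. Changing ?id=1001 to ?id=1002 returns another customer's
    record, and no login is required at all."""
    return RECORDS[record_id]


def authorize(session: Session, action: str) -> str:
    """Central, server-side check reused by every handler. A missing session,
    unknown user, unknown action, or a role outside the allow-list all fail
    closed. Returns the authenticated username on success."""
    if session.user is None or session.user not in USERS:
        raise AccessDenied("authentication required")
    role = USERS[session.user]["role"]
    if role not in PERMISSIONS.get(action, set()):
        raise AccessDenied(f"role {role!r} may not {action}")
    return session.user


def is_allowed(session: Session, action: str) -> bool:
    """Boolean form of authorize() for callers that only need yes/no."""
    try:
        authorize(session, action)
        return True
    except AccessDenied:
        return False


def get_record_secure(session: Session, record_id: int) -> dict:
    """Hardened handler: role check first, then a record-ownership check so a
    customer can read only their own record while support staff may read any.
    A missing record raises the same exception as a denial so the response
    does not reveal which ids exist."""
    user = authorize(session, "view_record")
    record = RECORDS.get(record_id)
    if record is None:
        raise AccessDenied("no such record")
    if USERS[user]["role"] == "customer" and record["owner"] != user:
        raise AccessDenied("not the owner")
    return record


def can_view(session: Session, record_id: int) -> bool:
    """Boolean form of get_record_secure() for callers and tests."""
    try:
        get_record_secure(session, record_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # The same request to both handlers: bob's record requested by alice.
    print("vulnerable:", get_record_vulnerable(Session("alice"), 1002))
    print("secure:", can_view(Session("alice"), 1002))  # False
```

The point of the hardened version is that every handler funnels through one authorize() call and then checks ownership against data the server already holds, so nothing the client can edit (the URL, the page, a request body) changes the outcome.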
There are likewise techniques and tools to prevent cryptographic failures. Organizations should catalog the data they store, using software tools or configuration, so they know what sensitive data they hold, and perform regular audits to confirm compliance with governance requirements (Cryptographic failure, 2022). They should identify the risks their stored data faces and put mitigations in place, starting with not storing sensitive data that is not needed. Access control policies are crucial and need to be strictly enforced. Every organization should apply sound cryptographic practice: encrypt sensitive data at rest, hash passwords with a salted, slow, adaptive function, avoid deprecated algorithms and protocols, generate keys and secrets from a cryptographically secure random source, and manage keys properly. Organizations should enforce HTTPS with TLS on their own sites and use security tools that block malicious URLs and warn users away from sites that do not use HTTPS, since those transmit data in the clear. Finally, organizations should regularly test their security to confirm they remain compliant and as secure as possible.
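The following is an added example, not code from OWASP or from any source cited in this document. It demonstrates the password-storage point raised in the Cryptographic Failures section and the salted, slow hashing recommended above: what an attacker recovers from a dumped table of unsalted MD5 digests versus a table of salted PBKDF2-HMAC-SHA256 records. The user names, passwords, storage format and iteration count are constructed sample values chosen for the illustration.

```python
"""Password storage: unsalted fast hash beside a salted, slow, per-user hash.

Added illustration, not code from OWASP or any source cited on this page.
The user names, passwords, record format and iteration count are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

# Constructed sample credentials; two users happen to share the same password.
SAMPLE_USERS = {"alice": "Summer2023!", "bob": "Summer2023!", "carol": "correct horse"}

# Assumed work factor. Current guidance puts PBKDF2-HMAC-SHA256 in the
# hundreds of thousands of iterations; kept lower here so the example runs quickly.
ITERATIONS = 100_000


def hash_weak(password: str) -> str:
    """Weak storage: unsalted MD5. Equal passwords give equal digests, so one
    precomputed lookup table cracks every matching user at once, and MD5 is
    fast enough to brute-force billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_strong(password: str, salt: Optional[bytes] = None) -> str:
    """Strong storage: a random 16-byte salt plus PBKDF2-HMAC-SHA256. The
    record is 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the hash and the work factor can be raised later
    without re-collecting passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time so response timing does not leak how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def dump_table(hash_fn: Callable[[str], str]) -> Dict[str, str]:
    """What an attacker sees after an injection attack dumps the users table."""
    return {user: hash_fn(pw) for user, pw in SAMPLE_USERS.items()}


def shared_passwords_visible(table: Dict[str, str]) -> bool:
    """True if the dump alone reveals that two users share a password."""
    return len(set(table.values())) < len(table)


def lookup_attack(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on an unsalted table: hash each candidate once and match
    it against every stored digest. Returns the users whose password was found."""
    rainbow = {hash_weak(word): word for word in wordlist}
    return {user: rainbow[d] for user, d in table.items() if d in rainbow}


if __name__ == "__main__":
    weak = dump_table(hash_weak)
    print(lookup_attack(weak, ["password", "Summer2023!"]))  # alice and bob fall
    strong = dump_table(hash_strong)
    print(verify_strong("Summer2023!", strong["alice"]))  # True
```

Against the salted table the same lookup attack is useless, because each user's digest depends on a different salt and each guess must be recomputed per user at the full iteration cost; the attacker also cannot even tell from the dump that alice and bob share a password.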
In conclusion, databases are the ultimate target for cybercriminals. If attackers reach an organization’s database and steal sensitive data, they may sell it on the dark web or use it for other crimes. Organizations that suffer a data breach face heavy regulatory fines and possible lawsuits from their customers, which can drive a business into bankruptcy and force it to shut down. Database security is therefore vital to organizations.
Implementing security controls throughout the entire system and network is essential for storing sensitive data securely. OWASP gives organizations a ranked list of risks to guide them in hardening their systems and protecting their data, and organizations trust it because OWASP has earned a credible reputation over many years. By following the OWASP Top 10, organizations can guard their databases against cybercriminals who find new ways every day to exploit systems and gain database access. It is important that organizations put the strongest protections in place as soon as possible.
References
Broken access control. (n.d.). Broken access control. OWASP. https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Cryptographic failure. (2022, November 1). Cryptographic failure vulnerability: Explanation and examples. Qawerk. https://qawerk.com/blog/cryptographic-failure/
CWE information. (n.d.). Common Weakness Enumeration. MITRE. https://cwe.mitre.org/
Database security. (n.d.). What is database security? Sumo Logic. https://www.sumologic.com/blog/what-is-database-security/
Kang, B. (2022, January). Preventing broken access control: The No.1 vulnerability in the OWASP top 10 2021. Synack. https://www.synack.com/blog/preventing-broken-access-control-the-no-1-vulnerability-in-the-owasp-top-10-2021/
OWASP Top 10. (n.d.). OWASP Top 10. OWASP. https://owasp.org/Top10/
Who is OWASP? (n.d.). Who is OWASP? OWASP. https://owasp.org/