Top web app security vulnerabilities and how to mitigate them

<p>The list of top web application security vulnerabilities and risks has remained largely unchanged for the past decade, and the attack vectors are well-known to security practitioners and developers alike. Yet these problems persist, despite their solutions being readily available and well-documented.</p>
<p>Those responsible for application development and design, as well as security managers and directors, should use the following list of common vulnerabilities to keep these risks from turning into incidents. Read on to discover how to identify and counter web app security challenges.</p>
<section class="section main-article-chapter" data-menu-title="Access and authentication issues">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Access and authentication issues</h2>
<p><b>Problem:</b> Web applications authenticate users and establish sessions to keep track of each user’s requests. Failure to protect authentication credentials, access controls and <a href="https://www.techtarget.com/searchsoftwarequality/definition/session-ID">session identifiers</a> leaves applications vulnerable to other flaws. For example, an attacker could use stolen credentials to hijack an active session and assume the identity of a legitimate user; deploy malware or keylogging software; or access, modify or delete data.</p>
<p><b>Solution:</b> Conduct <a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-a-secure-code-review">code reviews</a>, penetration tests and vulnerability scans to identify authentication, access and session management issues.</p>
<p>Adopt a strong identity and access management (<a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a>) program that includes best practices such as implementing the principle of least privilege (<a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">POLP</a>), applying role-based access control (<a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC">RBAC</a>), requiring MFA and adopting zero-trust security. Establish a strong <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-company-password-policy-with-template">password policy</a>, limit failed login attempts

[…]
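<p>The session-management controls this section calls for (unguessable session identifiers, rotating the identifier at login, idle expiry, and limiting failed login attempts) as an added example, not code from the article or from TechTarget. The in-memory <code>SessionStore</code> class, the timeout and lockout constants, and the injected <code>clock</code> and <code>check_password</code> callables are assumptions made for illustration.</p>

```python
import secrets
import time

SESSION_ID_BYTES = 32      # 256 bits of entropy from the OS CSPRNG
IDLE_TIMEOUT = 15 * 60     # seconds of inactivity before a session is dropped
MAX_FAILED_LOGINS = 5      # failed attempts before the account is locked
LOCKOUT_SECONDS = 10 * 60  # lockout length after the last failed attempt


class SessionStore:
    # Hypothetical in-memory store; a real deployment would use a shared server-side store.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session_id -> {"user": str, "last_seen": float}
        self.failed = {}    # username -> (failed_count, last_failure_time)

    def login(self, username, password, check_password, old_session_id=None):
        """Return a fresh session id on success, None on failure or lockout."""
        now = self.clock()
        count, last = self.failed.get(username, (0, now))
        if count >= MAX_FAILED_LOGINS:
            if now - last < LOCKOUT_SECONDS:
                return None  # locked: reject before touching the password
            count = 0        # lockout window elapsed, start counting again
        if not check_password(username, password):
            self.failed[username] = (count + 1, now)
            return None
        self.failed.pop(username, None)
        # Rotate the identifier on authentication so an id handed out before
        # login (and possibly already known to someone else) is never promoted.
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # CSPRNG, not random.random()
        self.sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def user_for(self, session_id):
        """Resolve a session id to its user, expiring idle sessions on the way."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[session_id]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, session_id):
        self.sessions.pop(session_id, None)  # invalidate server-side, not just the cookie
```

<p>The lockout is keyed on the account rather than the client address, so it also limits credential-guessing spread across many source IPs; a production version would additionally log each lockout for detection.</p>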

This article has been indexed from Search Security Resources and Information from TechTarget
