Which option refers specifically to errors in source code resulting in security vulnerabilities

Applications are still the biggest attack vector for malicious actors -- can you protect them? Test your knowledge with this web application security quiz.

  • Application weaknesses and software vulnerabilities are consistently the most common external enterprise threat vector targeted by attackers.
  • Open source issues continue to be a thorn in infosec's side.
  • Companies still aren't investing in the tools, mechanisms and expertise needed to thwart threats.

These are three of the top findings in Forrester Research's "The State of Application Security, 2020." It's nothing new, however. Web application security challenges date back years, if not decades.

In fact, several items on the Open Web Application Security Project's (OWASP) list of the top 10 web application security risks -- including injection flaws, cross-site scripting (XSS) and broken authentication -- were the same in its most recent 2017 version as when it was first released in 2003.

The sad part is these risks -- despite their well-known and well-publicized nature -- will persist until developers, security teams and companies start to take them more seriously.

Do you know how to prevent your company's web apps from falling victim to the barrage of threats they face? Whether the subject is malicious code, vulnerability scanners, penetration testing (pen testing), buffer overflow, XSS, distributed denial-of-service (DDoS) or SQL injection attacks, it is critical to know the tools and policies that properly secure applications and keep them safe from nefarious actors.

Take this quiz to determine how knowledgeable you are and whether you need to hone your web application security skills.

Good luck!

This was last published in December 2020


Posted on Wednesday, August 28, 2019

An application security vulnerability is a security bug, flaw, error, fault, hole, or weakness in software architecture, design, code, or implementation that can be exploited by attackers. Let’s take a closer look at the different types of security vulnerabilities.

What is an application security vulnerability?

An application security vulnerability is “a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application,” according to OWASP. These stakeholders include the application owner, application users, and others that rely on the application.

While it doesn’t call them vulnerabilities on the top line, MITRE, which maintains the CWE Top 25 list of common software security weaknesses, uses the term “vulnerability” in defining software weaknesses: “Software weaknesses are flaws, faults, bugs, vulnerabilities, and other errors in software implementation, code, design, or architecture that if left unaddressed could result in systems and networks being vulnerable to attack.”

These are certainly useful definitions to know. But they don’t add anything particularly actionable for software developers on their journey to secure coding. That’s where security vulnerability lists like the OWASP Top 10 Most Critical Web Application Security Risks and the similar but more extensive CWE Top 25 Most Dangerous Software Errors come into play.

These lists lay out the most critical types of security vulnerabilities to keep in mind as you develop software. But some application vulnerabilities warrant more scrutiny and mitigation efforts than others. So let’s take a closer look at the different types of vulnerabilities.

What are the different types of security vulnerabilities?

OWASP is well known for its top 10 list of web application security risks. But the organization’s website also lists dozens of entries grouped into 20 types of security vulnerabilities. Categories include API Abuse, Input Validation Vulnerability, and Session Management Vulnerability. OWASP’s application vulnerability descriptions talk about risk factors, give examples, and cross-link to related attacks, vulnerabilities, and controls.

MITRE and the SANS Institute put together the latest CWE/SANS Top 25 list in 2011. In that list, they categorize three main types of security vulnerabilities based on their more extrinsic weaknesses:

  • Porous defenses
  • Risky resource management
  • Insecure interaction between components

Porous defense vulnerabilities

Out of the CWE/SANS Top 25 types of security vulnerabilities, 11 involve porous defenses. Defensive techniques such as encryption, authentication, and authorization, when implemented correctly, are essential to application security. But when they are misused, abused, or otherwise implemented incorrectly—or just ignored—they become application vulnerabilities.

Three of these vulnerabilities point to a basic lack of good housekeeping: Missing Authentication, Missing Authorization, and Missing Encryption. And three others have to do with erroneous or ill-advised use of application defense techniques, including Incorrect Authorization, Incorrect Permission Assignment, and Improper Restriction of Excess Authentication Attempts.

Risky resource management vulnerabilities

Resource management involves creating, using, transferring, and destroying system resources such as memory. Proper, secure resource management is necessary for effective application defense. The types of security vulnerabilities in the CWE/SANS Top 25 category “Risky Resource Management” are related to ways that the software mismanages resources. These application vulnerabilities range from the classic Buffer Overflow and Path Traversal to the more sci-fi-sounding Inclusion of Functionality from Untrusted Control Sphere and the ominously named Use of Potentially Dangerous Function.

Defending against these application vulnerabilities boils down to two strategies:

  1. You must know what inputs you are using and whether they come from known “good” sources.
  2. You must use those inputs properly for their intended purposes.

Liberal use of sandboxing and whitelisting can help here, but there are no guarantees. Other options include application security testing and vulnerability assessments to uncover these eight types of security vulnerabilities before something goes wrong.
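As an added illustration of the two strategies above (this is example code, not code from the blog post or from MITRE/SANS), a Python download-path resolver for the Path Traversal case: it applies an allowlist to the untrusted file name, then joins, resolves symlinks and confirms the result is still inside the base directory. The handler, its allowed suffixes and the temporary directory layout are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Allowlist of file types the handler is meant to serve: an assumption of
# this example, not something the blog post or the CWE/SANS list specifies.
ALLOWED_SUFFIXES = {".pdf", ".txt"}


def resolve_download_path(base_dir: str, requested: str) -> Optional[Path]:
    """Map a user-supplied file name to a path inside base_dir, or None.

    Strategy 1 (know your inputs): `requested` is untrusted, so accept only a
    bare file name (no directory parts) with an allowlisted suffix.
    Strategy 2 (use inputs properly): join, resolve symlinks, then confirm the
    result is still inside base_dir before anything is opened.
    """
    if not requested or requested != os.path.basename(requested):
        return None  # rejects "../x", "sub/x" and "/etc/passwd"
    if requested in (".", "..") or "\\" in requested or "\x00" in requested:
        return None  # dot entries, Windows separators, NUL truncation
    if Path(requested).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # follows symlinks
    try:
        candidate.relative_to(base)  # raises ValueError if it escaped base
    except ValueError:
        return None
    return candidate


def demo_path_checks() -> dict:
    """Exercise the resolver against a constructed temporary directory."""
    root = Path(tempfile.mkdtemp())
    (root / "outside.txt").write_text("should never be served")
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.pdf").write_text("ok")
    # A symlink inside docs that points outside it: name checks alone miss this.
    (docs / "link.txt").symlink_to(root / "outside.txt")
    return {
        "plain": resolve_download_path(str(docs), "report.pdf") is not None,
        "traversal": resolve_download_path(str(docs), "../outside.txt") is None,
        "absolute": resolve_download_path(str(docs), "/etc/hosts") is None,
        "bad_suffix": resolve_download_path(str(docs), "report.exe") is None,
        "symlink_escape": resolve_download_path(str(docs), "link.txt") is None,
    }
```

The symlink case is the reason the directory containment check runs on the resolved path rather than on the string: a name that passes every lexical test can still point outside the base directory.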

Vulnerabilities related to insecure interaction between components

The category “Insecure Interaction Between Components” has the fewest members of the CWE/SANS Top 25 software errors. But it also contains the most wanted—make that least wanted—list of security vulnerabilities. It’s a well-known rogues’ gallery bearing names like SQL Injection, Cross-Site Scripting, and Open Redirect.

What do these types of security vulnerabilities all have in common? They’re all related to how “data is sent and received between separate components, modules, programs, processes, threads, or systems.”
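An added example (not from the post) of the data-crossing-a-boundary problem the quote describes, using SQL Injection: the same user lookup written once with the input spliced into the query text and once with the input bound as a parameter, run against a constructed in-memory SQLite table. The table, rows and function names are assumptions of the example.

```python
import sqlite3


# Constructed in-memory database; the users table and its rows are an
# assumption of this example, not something from the blog post.
def connect_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The caller's string is spliced into the SQL text, so the data channel
    # and the command channel are the same thing: the SQL parser sees user input.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding keeps the value out of the SQL text; it reaches the
    # engine separately and can only ever be compared as a string value.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo_sql_lookups() -> dict:
    """Run both lookups on a benign name and on a constructed tautology input."""
    conn = connect_demo_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed: closes the quote, adds a true clause
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row comes back
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),  # no user has that literal name
    }
```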

Take a closer look at the anatomy of an application vulnerability

Want a more in-depth look at security vulnerabilities? Our new eBook Anatomy of an Application Weakness takes you through the application vulnerability life cycle.

  • Learn where security vulnerabilities come from.
  • Observe the struggle developers have with writing more secure code from the outset.
  • Consider how to protect against different types of security vulnerabilities.
  • Discover the most time-effective training and education solutions for learning secure coding.

Posted by Derek Handova

Derek Handova is an enthusiastic white paper writer and content marketer in the B2B and technology spaces. Previously, he has led content creation efforts at prominent companies such as Altera, BearingPoint, Inc., Check Point Software, Harris Corporation, Solectron Corporation, and other Silicon Valley icons.


What are the security vulnerabilities in the code?

Common application vulnerability exploits:

  • Cross-site scripting
  • SQL injection
  • LDAP injection
  • Cross-site request forgery
  • Insecure cryptographic storage

What are the 4 main types of security vulnerability?

Security vulnerability types:

  • Network vulnerabilities: issues with a network's hardware or software that expose it to possible intrusion by an outside party.
  • Operating system vulnerabilities
  • Human vulnerabilities
  • Process vulnerabilities

What are the possible causes of security vulnerabilities?

Common types of software flaws that lead to vulnerabilities include:

  • Memory safety violations, such as buffer overflows and over-reads
  • Input validation errors, such as code injection
  • Privilege-confusion bugs
  • Privilege escalation
  • Race conditions
  • Side-channel attacks
  • User interface failures

What are the three main areas of vulnerabilities for security?

According to the CWE/SANS Top 25 list, there are three main types of security vulnerabilities: faulty defenses, poor resource management, and insecure connection between elements.
