Ten Security Risks to SaaS Users

If your business is like many others that we serve, you use Software as a Service (SaaS) from the Cloud. Cloud computing brings data storage and economies of scale to small businesses: your data is stored and processed by a third-party vendor rather than on hardware you own and maintain. We love the convenience. We love the way the Cloud keeps our businesses connected with the world.

Unfortunately, as our applications become more connected (rather than residing on stand-alone machines), more of the data they process arrives from outside, and the chances increase that an attacker will bury something malicious in that data so that it is interpreted as a command farther down the line and affects your system.

As the Cloud continues its steep growth curve, we thought now might be a good time to revisit the OWASP Top 10 for 2013, the Open Web Application Security Project's list of the most critical web application security risks. A SaaS product is a web application, so each of these risks applies to the software your business uses from the Cloud.

1. Injection. Injection flaws occur when untrusted data is sent to an interpreter (SQL, an OS shell, LDAP) as part of a command or query. Because the interpreter cannot tell the attacker's data from the command itself, crafted input tricks it into executing unintended commands or returning data the attacker is not authorized to see.

2. Broken Authentication and Session Management. If your application does not implement login and session handling correctly (session IDs exposed in URLs, sessions that never expire, passwords stored without hashing), attackers can compromise passwords, keys or session tokens and assume other users' identities, including those of your own staff.

3. Cross-Site Scripting (XSS). XSS flaws occur when an application takes untrusted data and sends it to a browser without proper validation or escaping. The injected script runs in the victim's browser with the privileges of your site, which lets attackers hijack user sessions, deface your web site, or redirect visitors to malicious sites.

4. Insecure Direct Object References. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key, in a URL or form field. Without an access control check on every such reference, attackers can change the value and read or modify data that belongs to other users.

5. Security Misconfiguration. Your security is only as good as your configuration, and that covers the application, its frameworks, the application server, the web server, the database server and the operating system beneath them. Define secure settings deliberately, change every default password and account, disable features you do not use, and keep all of this software patched.

6. Sensitive Data Exposure. Many web applications do not properly protect sensitive data such as credit card numbers, tax IDs and authentication credentials. Attackers steal or modify weakly protected data to commit credit card fraud, identity theft or other crimes. Do not settle for weak protection: encrypt sensitive data both at rest and in transit, and use current, well-reviewed algorithms and key management rather than home-grown schemes.

7. Missing Function Level Access Control. Most web applications check a user's rights before showing a function in the user interface, but the application must repeat the same check on the server every time that function is called. Without server-side verification, attackers can forge requests to the function's URL and use it without proper authorization.

8. Cross-Site Request Forgery (CSRF). In this attack, a malicious page forces a logged-on victim's browser to send a forged HTTP request, complete with the victim's session cookie and any other automatically included credentials, to a vulnerable web application. Because the request carries the victim's credentials, the application cannot tell it from a request the victim made deliberately, and it performs the action (a payment, a password change) on the attacker's behalf.

9. Using Components with Known Vulnerabilities. Components such as libraries, frameworks and other software modules almost always run with the full privileges of the application. If a component with a known vulnerability is exploited, it can undermine the application's defenses and lead to serious data loss or server takeover. Keep an inventory of the components you use and their versions, and update them when vulnerabilities are published.

10. Unvalidated Redirects and Forwards. Web applications frequently redirect and forward users to other pages and websites, and often use untrusted data, such as a URL parameter, to choose the destination. Without validation of that data, attackers can redirect your visitors to phishing or malware sites, or use forwards to reach pages they are not authorized to access.
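To make item 1 concrete, here is an added example (written for this page, not code from OWASP or from any product we host) that shows the SQL injection case. The users table and its rows are constructed for the example; the function names are ours. The vulnerable lookup concatenates the input into the query, while the safe version passes it as a bound parameter.

```python
import sqlite3

# Constructed sample data for this example (not from the page): an in-memory
# users table standing in for the SaaS application's database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # BAD: the untrusted value is pasted into the query text, so the SQL
    # interpreter cannot tell where the data ends and the command begins.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # GOOD: the value is passed as a bound parameter; the query structure is
    # fixed before the data is attached, so quotes in the input are just data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"  # tautology: WHERE username = 'x' OR '1'='1'
    print(find_user_vulnerable(conn, payload))  # every row leaks
    print(find_user_safe(conn, payload))        # [] - no user has that literal name
```

The same principle applies to OS commands (pass an argument list, never a shell string) and LDAP filters (escape filter metacharacters): keep the command structure fixed and let the interpreter see the input only as data.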
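For item 3, the following added example (ours, not from the original page) shows why output escaping, not input filtering, is the fix for XSS, and why escaping alone is not enough inside a link. The render functions are hypothetical names for a template step in a web application; the comment strings are constructed.

```python
import html
from urllib.parse import urlparse

def render_comment_vulnerable(comment):
    # BAD: untrusted text is dropped straight into the page; a comment such as
    # <script>...</script> reaches the browser as live markup.
    return '<p class="comment">%s</p>' % comment

def render_comment_safe(comment):
    # GOOD: output-encode for the HTML context. quote=True also escapes " and '
    # so the same function is safe inside a quoted attribute value.
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)

def render_link_safe(url, label):
    # Escaping alone is not enough for an href: "javascript:alert(1)" contains
    # no HTML metacharacters, yet the browser would execute it. Allow only
    # http(s) URLs first, then escape for the attribute context.
    url = url.strip()
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )
```

Note that the escaping depends on where the data lands: HTML body, attribute value, URL and JavaScript contexts each need their own encoding, and a template engine that escapes by default is the practical way to get this right everywhere.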
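Items 4 and 7 are both failures to check authorization on the server, so one added example (ours, not from the page) covers both: an invoice lookup that verifies the object belongs to the caller, and a delete function that verifies the caller's role. The User class, the INVOICES table and the ids are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

# Constructed sample data (not from the page): invoice id -> owner and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 250.00},
    102: {"owner_id": 2, "amount": 99.00},
}

def get_invoice_vulnerable(current_user, invoice_id):
    # BAD (insecure direct object reference): the key taken from the URL is
    # used as-is, so any logged-in user can read any invoice by guessing ids.
    return INVOICES[invoice_id]

def get_invoice(current_user, invoice_id):
    # GOOD: look the object up, then check ownership on the server before
    # returning it. Unknown and foreign ids get the same answer.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != current_user.id:
        raise PermissionError("not authorized to view invoice %d" % invoice_id)
    return invoice

def delete_invoice(current_user, invoice_id):
    # Function-level check: hiding the delete button in the UI is not a
    # control. The server re-checks the role on every request.
    if current_user.role != "admin":
        raise PermissionError("admin role required")
    return INVOICES.pop(invoice_id, None) is not None

if __name__ == "__main__":
    bob = User(id=2, role="user")
    print(get_invoice_vulnerable(bob, 101))  # alice's invoice leaks
    try:
        get_invoice(bob, 101)
    except PermissionError as err:
        print("denied:", err)
```

In a real application the check belongs in one place that every request passes through (a decorator or middleware), so that a new endpoint cannot forget it.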
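For item 8, here is an added example (not from the page) of the standard defense, a synchronizer token tied to the user's session. SERVER_KEY, the session id and the form contents are assumed values for illustration; a real application would load the key from configuration and embed the token in a hidden form field.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret (hypothetical); real code loads and rotates it.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id):
    # Token bound to the session: derived with an HMAC so the server needs no
    # extra storage, and a token from one session is useless in another.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id, submitted):
    if not session_id or not submitted:
        return False
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(csrf_token(session_id), submitted)

def handle_transfer(session_id, form):
    # The session cookie (session_id) authenticates the user; the token proves
    # the request was built by our own form. Browsers attach the cookie to any
    # request automatically, but a page on another site cannot read the token.
    if not verify_csrf(session_id, form.get("csrf_token")):
        return (403, "CSRF check failed")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))

if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id
    legit = {"to": "savings", "amount": "100", "csrf_token": csrf_token(sid)}
    forged = {"to": "attacker", "amount": "5000"}  # cross-site form: no token
    print(handle_transfer(sid, legit))   # (200, ...)
    print(handle_transfer(sid, forged))  # (403, ...)
```

The token only helps if state-changing actions are never reachable with a plain GET, and it complements, rather than replaces, the SameSite cookie attribute.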
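Finally, for item 10, an added example (ours, not from the page) of validating a "next" parameter before redirecting to it. The allowlist host app.example.com is an assumed value; the function accepts only plain local paths or absolute URLs to an allowed host, and falls back to a default otherwise.

```python
from urllib.parse import urlparse

def safe_redirect_target(target, allowed_hosts, default="/"):
    # Returns a destination that is safe to put in a Location header.
    if not target:
        return default
    target = target.strip()
    parts = urlparse(target)
    # Scheme present but not http(s): "javascript:", "data:" and friends.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute URL: the host must be on the allowlist. Using hostname
        # (not netloc) ignores "user@" tricks such as http://app.example.com@evil.com/
        host = (parts.hostname or "").lower()
        return target if host in {h.lower() for h in allowed_hosts} else default
    # No host part: require an ordinary absolute path. "//evil.com" and
    # "/\evil.com" are treated as host names by browsers, so reject them.
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return default
    return target

if __name__ == "__main__":
    allowed = {"app.example.com"}
    for candidate in ["/account", "//evil.com/", "https://evil.com/login",
                      "https://app.example.com/dashboard", "javascript:alert(1)"]:
        print("%-40s -> %s" % (candidate, safe_redirect_target(candidate, allowed)))
```

Where possible, avoid putting destinations in parameters at all: map a short key ("billing") to a server-side URL table, and the question of validation disappears.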

Your safety on the web is important to us. We take our web hosting responsibilities seriously. We do everything possible to keep our servers from being vulnerable. We want your business safe when using SaaS from the Cloud. Only you know or can discover the vulnerabilities of your own IT system.

We offer the foregoing review of security issues to raise your awareness of your system’s potential vulnerabilities and security weaknesses.

We stand ready to answer any questions you may have about our web hosting or the SaaS software that we host.