OWASP identifies top 10 website security vulnerabilities
Website owners have had to address a number of widespread threats in recent years as automation tools add scalability to cybercriminal activities. Rather than focus on individual targets and risk invested time being lost, hackers are instead opting to cast much wider nets to identify and exploit security weaknesses. Ars Technica columnist Dan Goodin recently outlined the top 10 website security vulnerabilities from the Open Web Application Security Project.
Implementing effective security solutions can mitigate a significant portion of risk, but Goodin pointed out that many exploits stem from configuration mistakes. As a result, it is important for companies to ensure that SSL certificates are properly installed on their web servers and to evaluate implementations on an ongoing basis. Such an investigation may also yield other efficiencies by identifying underused web applications or out-of-date software that may lack the functionality and security of the latest version.
"But a lack of end-to-end SSL or TLS protection is only one example of insufficient transport layer protection," Goodin wrote. "Browser cookies used for authentication and other sensitive purposes must contain a secure flag. And certificates should never be self-signed or allowed to expire."
In addition to data in transit, companies must take measures to protect stored information. Goodin highlighted the value of encryption, but also warned that many companies fail to protect the entirety of their information. Credit card numbers and personal information as well as users' passwords and other account authentication credentials should be protected. Businesses that lack visibility over how data moves through their IT environments and which applications handle it may need to go through an extensive data management process to improve their security standing.
Collaboration to improve security
One of the challenges facing information security professionals is a matter of scale. The creation of accessible malware tools and crimeware kits means that even non-technical users can exploit weak points in a company's digital ecosystem. As a result, some businesses are pooling cybersecurity expertise to create stronger safeguards. For example, PayPal has spearheaded the creation of several protocols designed to better protect users and organizations against common threats. SC Magazine contributor Karen Epper Hoffman commended the company's efforts, noting that its Domain-based Message Authentication, Reporting & Conformance (DMARC) specification has gained the backing of Microsoft, Google, Yahoo and a number of financial institutions.
PayPal's Andy Steingruebl told the news source that the efforts of single organizations can have some impact, but solving the challenges associated with cybersecurity will likely come from a collaborative effort. He emphasized that organizations must come together to craft best practices and solutions as well as identify and address new threats as they emerge.
Get your SSL certificate today to improve the safeguards protecting your website visitors' data.