OWASP & WordPress – Improving WordPress Security With OWASP Top 10

WordPress security can be an intimidating subject to those who are new to WordPress, and to having a website. The good news is that compliance and standards such as the OWASP Top 10 list can help businesses get started with WordPress security. This art…

Deserialization Attacks Surge Motivated by Illegal Crypto-mining

Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year. Our analysis shows that, in…

The State of Web Application Vulnerabilities in 2017

As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newslett…

New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging

The latest draft of the Open Web Application Security Project’s list of Top 10 software vulnerabilities, a replacement for the draft that caused such pushback earlier this year, includes three new categories of security flaws. The three new vulnerability categories are:

- XML External Entity (XXE), the kind of vulnerability that powered the Billion Laughs attack
- Insecure Deserialization, like the Apache Struts vulnerability that was left unpatched at Equifax, enabling the massive data breach there over the summer
- Insufficient logging and monitoring

The new categories were derived from more than 40 vulnerability datasets submitted in response to an OWASP data call, and from 515 responses to a questionnaire emailed to members of the security community. The top two on the canonical list — injection vulnerabilities, like those found in SQL databases, and broken authentication and session management — remain unchanged from the last version, published in 2013. Sensitive data exposure moves up from sixth to […]

The post New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging appeared first on Cyberscoop.

OWASP postpones publication of Top 10 app vulnerabilities draft

The Open Web Application Security Project (OWASP) has postponed publication of its canonical Top 10 list of web application vulnerabilities this week, saying it needs more time to review the unprecedented amounts of data it’s received. “We have data on 114,000 apps at the moment, but we got a lot of late submissions. That could rise to 120,000 or 130,000,” lead author Andrew van der Stock told CyberScoop. He said the team of volunteers preparing the new draft met over the weekend and agreed to push the scheduled Oct. 9 publication to Oct. 20. “We needed more time to analyze all this new data,” he said. “We still want to give people a month to comment” on the draft after it’s released, van der Stock said, but added the authors were determined to publish the final version before Thanksgiving. “We don’t want it to get lost in the holidays,” he concluded. OWASP is a […]

The post OWASP postpones publication of Top 10 app vulnerabilities draft appeared first on Cyberscoop.