Understanding Common Security Threats and how to Prevent Them

This article has been updated since it was last published in 2020.

As technology continues to evolve, so do the risks associated with software applications. With the increased prevalence of cyber attacks and data breaches, it’s more important than ever to prioritize application security in software development. In this essay, we will discuss common application security risks and best practices to protect against them.

Learn more about: What is Secure Messaging?

Contents Table

• What are Application Security Threats?
• Most Common Security Threats
  • OWASP Top 10 Application Security Risks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Brute Force Attack
  • Malware
• Best Practices for Securing Your Software
• SSL-Certificates
• User Access Controls
• Secure Data Storage & Backup
• Secure Development Practices
• Protect Web Traffic
• Operational Security

What are Application Security Threats?

Application security threats are vulnerabilities or weaknesses in software applications that can be exploited by attackers to compromise the confidentiality, integrity, and availability of sensitive information. Application security risks can vary depending on the type and complexity of the application, but there are some common ones.

Learn more about: End-to-End Encryption and its Benefits to your Messenger App

Most Common Security Threats

It is difficult to provide a definitive number of security threats as they are constantly evolving and new ones can emerge at any time. Additionally, security threats can vary depending on the specific context and industry. However, there are some common security threats which we detail below. It is important for individuals and organizations to stay informed about emerging security threats and take proactive measures to protect against them.

OWASP Top 10 Application Security Risks

The Open Web Application Security Project (OWASP), a non-profit organization dedicated to improving software security, maintains a list of the top 10 web application security risks, which is updated periodically. The current list contains the following:

1. Injection vulnerabilities (e.g. SQL, NoSQL, OS)
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Broken access control
5. Security misconfiguration
6. Insecure deserialization
7. Insufficient logging and monitoring
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Server-side request forgery (SSRF)

This list is by no means exhaustive. Let’s look at some of these security vulnerabilities in more detail and provide specific steps that can be taken to prevent them.

Cross-Site Scripting (XSS)

In an XSS attack, an attacker can inject malicious code (usually in the form of a script) into a vulnerable website or application, which can then be executed by unsuspecting users who view the page. This can allow the attacker to steal user credentials, redirect the user to another site, or perform other malicious actions on behalf of the user.

There are three main types of XSS attacks:

1. Reflected XSS: In this type, the malicious script is reflected back to the user via a search field, login form or any input that is not sanitized by the application.
2. Stored XSS: In this type, the malicious script is stored on the server, and every user who accesses that particular page will be affected by it.
3. DOM-based XSS: In this type, the vulnerability is in the client-side code and the attack payload is reflected by the browser’s DOM.

How to prevent Cross-Site Scripting (XSS) Attacks?

• Always validate and sanitize user input before processing or displaying it in your application. This can help prevent malicious code from being injected into your application.
• Encode all user-supplied data when displaying it in your application to prevent the execution of malicious code. Use proper encoding methods based on the context of the output.
• Use HTTP-only cookies to prevent attackers from stealing session cookies using malicious scripts.
• Implement a content security policy (CSP) to restrict the types of content that can be executed on your website.
• Limit the privileges of users who can input data and display them in the application.
• Keep all software, including web browsers, server-side frameworks, and third-party libraries, up-to-date with the latest security patches.

Cross-Site Request Forgery (CSRF)

CSRF is a type of web application vulnerability that allows an attacker to perform unwanted actions on behalf of an authenticated user without their knowledge or consent.

It works by tricking the victim into clicking on a malicious link or visiting a malicious website while they are authenticated on a legitimate website. The attacker’s website then sends a request to the legitimate website on the victim’s behalf, using the victim’s session cookie or other authentication credentials, and performs an action that the victim did not intend to perform.

For example, if a victim is logged into their bank’s website and then visits a malicious website, the attacker’s website could generate a hidden form that, when submitted, transfers money out of the victim’s account. Since the request is sent from the victim’s browser with their authentication credentials, the bank’s website will process the request as if it came from the legitimate user.

How to prevent Cross-Site Request Forgery (CSRF) Attacks?

• Add a unique token to each form submission that is tied to the user’s session. This token can then be checked on the server side to ensure that the request came from an authorized source.
• Verify that the request originated from a page on the same website by checking the HTTP Referer header. This can help prevent CSRF attacks that originate from other domains.
• Set the SameSite cookie attribute to “Strict” or “Lax” to prevent cross-site requests from being sent with the user’s cookies.
• Establish a Content Security Policy (CSP) that specifies which sources of content are allowed to be loaded by a web page. By restricting the sources of content that can be loaded, a CSP can help prevent CSRF attacks by blocking requests to malicious websites.
• Require users to provide additional authentication factors, such as a one-time password, before allowing sensitive actions to be performed.
• Train users to be cautious about clicking on links or downloading files from untrusted sources, and to log out of websites when they are not actively using them.

SQL Injection (SQLi)

SQLi is a type of web application security vulnerability that allows an attacker to inject malicious SQL code into a web application’s database. This can happen when a web application fails to properly sanitize user input before passing it to an SQL query.

Attackers can exploit SQL injection vulnerabilities to steal sensitive data, modify or delete data, or even take control of the affected system. Common targets include login forms, search fields, and other forms that accept user input.

How to prevent SQL injection attacks?

• Instead of concatenating user input directly into an SQL query, use parameterized queries or prepared statements to ensure that user input is properly sanitized. Parameterized queries allow the application to define placeholders for user input, while prepared statements allow the application to prepare an SQL statement with placeholders before binding user input to those placeholders.
• Validate user input to ensure that it conforms to the expected format and type. For example, if a field is supposed to contain an email address, validate that it is a valid email address before passing it to the database.
• Sanitize user input by removing any characters or symbols that are not needed for the intended purpose. For example, if a field is supposed to contain a numeric value, remove any non-numeric characters before passing it to the database.
• Ensure that database users have only the permissions they need to perform their intended tasks. For example, a user that only needs to read data should not be granted write or delete permissions.
• Use input and output encoding techniques to protect against attacks that involve manipulating user input or output. For example, HTML encoding can be used to prevent cross-site scripting (XSS) attacks.
• Deploy a web application firewall (WAF) to protect against SQL injection attacks. A WAF can monitor incoming requests and block any requests that contain malicious SQL code.

Brute Force Attack

A brute force attack is a type of cyberattack where an attacker tries to gain unauthorized access to a system by guessing the correct username and password through a trial-and-error approach. In a brute force attack, the attacker uses automated software that systematically tries different combinations of usernames and passwords until the correct one is found.

Brute force attacks are most commonly used to target login pages on web applications, but they can also be used to crack encryption keys, wireless network passwords, and other types of authentication mechanisms.

The success of a brute force attack depends on the strength and complexity of the password. If the password is weak and easily guessable, the attack can be successful in a short amount of time. However, if the password is strong and complex, the attack may take a very long time or be impossible to succeed.

How to prevent Brute Force Attacks?

• Implement account lockout policies so that after a certain number of failed login attempts, the user account is locked for a specific amount of time or until it is manually unlocked. This makes it difficult for attackers to use automated tools to guess passwords.
• Encourage users to choose strong passwords that are at least 8-12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. Discourage the use of easily guessable passwords such as “password”, “123456”, or “qwerty”.
• Implement two-factor or multi-factor authentication, which requires users to provide an additional factor of authentication, such as a one-time password or biometric verification, in addition to their password. This makes it much more difficult for attackers to gain unauthorized access to the system, even if they guess the password correctly.
• Use a CAPTCHA, a challenge-response system that requires users to complete a task that is easy for humans but difficult for automated tools, such as identifying distorted text or clicking on specific images. This can help prevent automated tools from making too many login attempts.
• Regularly monitor logs for suspicious activity, such as multiple failed login attempts from the same IP address. This can help identify and prevent brute force attacks before they are successful.

Malware

Malware is a type of malicious software designed to harm or disrupt computer systems, networks, or devices. Malware can take many forms, including viruses, worms, trojans, spyware, adware, and ransomware.

Malware can be spread through various methods, such as email attachments, infected websites, file-sharing networks, or malicious software downloads. Once installed on a system, malware can perform a variety of malicious actions, such as stealing personal information, monitoring user activity, disrupting system operations, or taking control of the system.

What are some common types of malware?

• A virus is a type of malware that infects files and software programs, and can spread to other systems through infected files or email attachments.
• A worm is a self-replicating type of malware that spreads rapidly through networks and can consume a large amount of system resources.
• A trojan is a type of malware that disguises itself as legitimate software, but once installed on a system, it can give attackers unauthorized access to the system.
• Spyware is a type of malware that is designed to secretly monitor a user’s activity, such as tracking web browsing history or capturing keystrokes.
• Adware is a type of malware that displays unwanted advertisements on a user’s computer.
• Ransomware is a type of malware that encrypts a user’s files or locks them out of their system, and demands a ransom payment in exchange for restoring access.

How to prevent Malware Infections?

• Install reputable antivirus and anti-malware software on your device and keep it updated. This software can detect and remove malware and other threats before they cause harm to your system.
• Make sure to regularly update your operating system and software with the latest security patches, as these updates often include fixes for vulnerabilities that can be exploited by malware.
• Use strong and unique passwords for all your online accounts and avoid using the same password for multiple accounts. This can prevent attackers from accessing your accounts even if they manage to install malware on your device.
• A firewall is a security tool that can help prevent unauthorized access to your device or network. Make sure to enable the firewall on your device or router and keep it updated.
• Avoid opening email attachments or downloading software from untrusted sources. Even legitimate-looking emails or websites can contain malware.
• Most web browsers have a built-in pop-up blocker that can prevent malicious pop-ups from appearing. Make sure to enable the pop-up blocker in your browser to prevent unwanted pop-ups.
• Regularly backup your important data to an external hard drive or cloud storage. This can help you recover your data in case of a malware infection or other data loss.
• Be cautious when browsing the web, clicking on links, or downloading software. Use common sense and if something seems suspicious, don’t download or click on it.

Learn more about: 10 Most Secure Messaging Apps – Chat App Features & Detailed Comparison

Best Practices for Securing Your Software

Despite the presence of several serious security threats, developers can take proactive steps to mitigate against these risks. By following a variety of best practices, developers can reduce the likelihood of security breaches, data loss, and other security incidents. This, in turn, can help to maintain the trust of customers and stakeholders, and enhance the reputation of the organization. Organizations like healthcare and fintech that are governed by regulatory bodies or laws, are required to implement certain security features.

Here’s a roundup of 6 best practices for securing your software.

SSL-Certificates

SSL (Secure Sockets Layer) certificates establish a secure, encrypted connection between a web server and a user’s browser, ensuring that sensitive data transmitted over the connection cannot be intercepted or tampered with by unauthorized parties. This helps to protect sensitive data, such as login credentials, credit card information, and other personal information, from being stolen or compromised. SSL certificates also help to authenticate the identity of the website, providing assurance to users that they are communicating with a trusted website and not an imposter or fraudulent website.

User Access Controls

Access controls, which involve implementing policies and procedures to limit access to sensitive data and systems, are a critical component of a comprehensive security strategy for any organization. Access controls help to ensure that only authorized personnel can access sensitive data, systems, and applications, while unauthorized individuals are prevented from accessing them. Many regulatory frameworks, such as HIPAA, PCI-DSS, and GDPR, require organizations to implement access controls to protect sensitive data. By implementing access controls, organizations can ensure compliance with these frameworks and avoid costly fines and penalties.

Some effective user controls include:

• Use secure API authentication tokens that are valid for a limited time.
• Use one-time login links instead of passwords and limit login attempts.
• Use SSH key authentication.
• Encrypt and hash all passwords.
• Set security rules for passwords.
• Introduce multi-factor authentication.

Secure Data Storage & Backup

Secure data storage refers to the methods and technologies used to safely store and manage data, while data backup refers to the process of creating and maintaining copies of data to ensure that it is not lost in the event of a system failure, data corruption, or other unexpected events.

Some effective data storage practices include:

• It’s safer to store in cloud storage rather than on your local device.
• Establish clear data retention policies to determine how long data should be kept and when it should be deleted.
• Regular data backups are important for ensuring that critical data is not lost in the event of a cyber attack.
• Backup data should be stored in a secure location separate from the primary data storage to prevent them from being compromised.
• Ensure that your app or web browser has an encrypted connection before downloading or uploading sensitive data.

Learn more about: Recent trends in data protection and what they mean for your messenger app

Secure Development Practices

Secure development practices refer to the set of processes, techniques, and tools used to develop software with security in mind. These practices aim to identify and address potential security vulnerabilities throughout the software development lifecycle, from design to deployment.

By implementing secure development practices, organizations can ensure that software applications are developed with security in mind, reducing the risk of security vulnerabilities and data breaches. It is important to note that secure development practices are not a one-time activity, but rather an ongoing process that should be integrated into the software development lifecycle to ensure that security is considered throughout the lifecycle of the application.

Some effective secure development practices include:

• Threat modeling is the process of identifying potential security threats and vulnerabilities in the software application.
• Secure coding practices involve writing code that is resistant to security vulnerabilities.
• Code review is the process of reviewing code for potential security vulnerabilities.
• Penetration testing involves simulating an attack on an application to identify potential vulnerabilities.
• Secure deployment practices involve ensuring that the application is deployed in a secure environment and that security controls, such as firewalls and intrusion detection systems, are in place to protect the application from attacks.

Learn more about: Announcing QuickBlox SOC 2 Compliance!

Protect Web Traffic

Web traffic is the data exchanged between a user’s browser and a web application or server. Protecting web traffic is crucial to prevent attackers from intercepting or modifying sensitive data exchanged over the web, such as usernames, passwords, credit card details, and personal information. It is important to use industry-standard security protocols to cut the risk of attacks. Protecting web traffic involves using firewalls and intrusion detection systems to prevent attacks.

Some best web traffic protection practices include:

• Configure server-side validation of the client-side data input. Do not put user content into responses.
• Use Web application firewalls (WAF) to filter incoming traffic to detect and block malicious requests.
• Verify all SQL statements. If a suspicious script has passed into the application, API, or database, it should be rendered as a text, not a script.
• Use SSL encryption to protect the data in rest and in transit.
• Follow DDOS-protection practices.
• Use VPNs and private networking when possible.

Learn more about: Is Telegram Secure? What it takes to build a secure messaging app

Operational Security

Operational security involves implementing a range of policies, procedures, and controls to protect an organization’s systems, applications, and data from threats and to ensure the efficient and secure operation of its infrastructure. By implementing effective operational security practices, organizations can minimize the risks of security breaches, data loss, and system downtime.

If you are building an app and relying on a third party for their software, then you might also want to ensure that they follow sound operational security. In particular you may want to ensure they are SOC2 compliant. SOC2, or Service Organization Control 2, is a type of audit report that provides an independent assessment of a service provider’s internal controls and security practices. SOC2 helps organizations demonstrate their commitment to operational security by providing an independent assessment of their controls and security practices.

Learn more about: Why GDPR makes secure messaging apps a business necessity

Conclusion

Securing software against common security threats is critical in today’s digital world. From cyber attacks to data breaches, the risks posed to organizations are many and varied. However, by taking a proactive approach to software security and adopting a security-first mindset, organizations can help to prevent security incidents before they occur, protecting their valuable data and systems from harm.

QuickBlox provides top security features for their communication software. If you’re planning to build a secure messaging app, or to add chat or video functionality to an existing platform, talk to QuickBox. Serving customers in healthcare and fintech, with high security concerns and compliance needs, we implement the best in software security. Find out more today.