Barely a week goes by without news about another data breach or large-scale attack on a popular website. The result of these attacks is devastating to the business as well as the customers involved. Businesses face loss of profits and huge fines under GDPR and other privacy laws. Customers can become targets of identity theft, or attackers can use their credentials to gain access to other services. It’s one of the reasons you should never use the same password on multiple websites.
Worst of all, many of these attacks aren’t the kind of sophisticated advanced persistent threats (APT) you hear about on the news or see in movies. They’re rudimentary attacks targeting very well-known vectors like malware, social engineering, and cyber-attacks.
And even though no system is ever 100% safe, there are several approaches you can follow to make your web application more secure.
The Open Web Application Security Project (OWASP) is an international non-profit organisation dedicated to creating awareness about web application security. The OWASP Top 10 lists the ten most critical security risks to web applications.
Laravel is a favourite development framework at ID Studio. We’ve used it for years for anything from small business websites to larger fintech and e-commerce platforms. Best of all, Laravel takes care of many of these security features out of the box.
At ID Studio, many of our more sensitive projects have been subject to intense penetration testing, in-depth code review and GDPR compliance. We have experience in this domain and can apply that knowledge and expertise to your project.
The section below outlines the OWASP Top 10 security risks and how we protect our Laravel-based web applications against these risks.
SQL (Structured Query Language) is a language used to communicate with databases. A website is susceptible to SQL injection attacks if it doesn’t sanitise data or run queries safely. This can allow attackers to delete all of your data, obtain a copy of all your customer records (including personally identifiable information, orders, messages, etc.), or insert malicious code that will attempt to install malware onto the devices of everybody visiting your website.
What we do:
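As an added illustration (not ID Studio's code), the same user lookup written three ways in Laravel: the string-concatenated form that is open to injection, and the two forms Laravel provides that bind values safely. It assumes a standard Laravel app with a `users` table.

```php
<?php
// Added example, not code from ID Studio: one user lookup written three ways
// in Laravel. Assumes a standard app with a `users` table.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// VULNERABLE: the request value is spliced into the SQL text, so anything the
// client sends becomes part of the statement rather than a value in it.
function findUserUnsafe(Request $request)
{
    $id = $request->query('id');
    return DB::select("SELECT * FROM users WHERE id = {$id}");
}

// SAFE (raw SQL): `?` placeholders are passed to the driver as bound
// parameters; the value can never alter the structure of the query.
function findUserBound(Request $request)
{
    return DB::select('SELECT * FROM users WHERE id = ?', [$request->query('id')]);
}

// SAFE (query builder): every value handed to where() is bound automatically,
// and validating first rejects non-integers before any query runs.
function findUserBuilder(Request $request)
{
    $valid = $request->validate(['id' => ['required', 'integer', 'min:1']]);
    return DB::table('users')->where('id', $valid['id'])->first();
}

// CAVEAT: binding protects values only. Identifiers (column names, sort
// direction) that come from the request must be checked against a whitelist,
// and DB::raw() / whereRaw() with interpolated input re-open the hole.
function listUsersSorted(Request $request)
{
    $allowed = ['name', 'created_at'];
    $sort = $request->query('sort', 'created_at');
    $column = in_array($sort, $allowed, true) ? $sort : 'created_at';
    return DB::table('users')->orderBy($column)->get();
}
```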
Broken authentication allows attackers to breach your system and gain entry by guessing passwords, obtaining credentials from configuration files, or stealing your session tokens.
What we do:
Data breaches are becoming almost a daily occurrence. Some systems simply aren’t protecting sensitive personal, financial and health information as they should, and a breach of this data is usually catastrophic for a business.
What we do:
XML (Extensible Markup Language) is a text-based markup language that uses tags to identify, organise and store data. XML is used in web services, content management systems and even Microsoft’s XML-based file formats like .docx and .xlsx. Systems that process XML, especially XML received from a third-party source, could be susceptible to an attack that allows access to the internal network or causes a DoS (Denial of Service).
What we do:
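An added example (not ID Studio's code) of a hardened loader for XML that arrives from a third party, using PHP's DOMDocument: it caps the size, refuses any DTD, and parses with network access disabled and entity substitution off. It assumes PHP 8.x with the dom extension; the sample documents are constructed.

```php
<?php
// Added example, not ID Studio's code. Hardened loader for untrusted XML.
// Assumes PHP 8.x (external entity loading is already off by default there).

function loadUntrustedXml(string $xml): DOMDocument
{
    // 1. Size cap first: expansion-based DoS relies on a small input producing
    //    a huge output, so refuse anything unreasonably large up front.
    if (strlen($xml) > 1_000_000) {
        throw new InvalidArgumentException('XML document too large');
    }

    // 2. Reject any DTD. External entities, parameter entities and entity
    //    expansion all need a DOCTYPE; ordinary data documents do not.
    //    (Defence in depth: the parser settings below are the primary control.)
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTDs are not accepted');
    }

    $dom = new DOMDocument();
    $dom->resolveExternals   = false; // never fetch an external DTD
    $dom->substituteEntities = false; // never expand entity references

    // 3. LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    //    deliberately NOT passed: it would switch entity substitution back on.
    $previous = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        $reason = isset($errors[0]) ? trim($errors[0]->message) : 'unknown';
        throw new InvalidArgumentException('Malformed XML: ' . $reason);
    }
    return $dom;
}

// Constructed inputs: a plain order parses; one carrying a DTD is refused.
$plain = '<order><sku>ABC-1</sku><qty>2</qty></order>';
echo loadUntrustedXml($plain)->getElementsByTagName('sku')->item(0)->textContent, PHP_EOL;

$withDtd = '<!DOCTYPE order [<!ENTITY e "x">]><order><sku>&e;</sku></order>';
try {
    loadUntrustedXml($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```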
Broken access controls allow users to access resources they are not authorised for. This was the case in a high-profile breach in 2011 where attackers could access the account details of almost all customers by merely changing the identifier in the browser URL once they were logged in.
What we do:
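As an added example (not ID Studio's code), the identifier-in-the-URL flaw described above and two Laravel defences against it: a policy enforced by the `can` middleware, and scoping the lookup to the logged-in user. It assumes an `orders` table with a `user_id` column and a `User::orders()` hasMany relation; the policy class is shown inline but would normally live in `app/Policies/OrderPolicy.php`.

```php
<?php
// Added example, not ID Studio's code. Object-level authorisation for
// /orders/{order}. Assumes `orders.user_id` and a `User::orders()` relation.

use App\Models\Order;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// VULNERABLE: "is logged in" is the only check. Any authenticated user can read
// any order simply by changing the identifier in the URL.
Route::get('/orders-unsafe/{order}', function (Order $order) {
    return view('orders.show', ['order' => $order]);
})->middleware('auth');

// SAFE, option 1: a policy that ties the resource to its owner.
// (Normally app/Policies/OrderPolicy.php; Laravel auto-discovers it for Order.)
class OrderPolicy
{
    public function view(User $user, Order $order): bool
    {
        return $order->user_id === $user->id;
    }
}

// The `can` middleware runs OrderPolicy::view() against the route-bound model
// and aborts with 403 when it returns false.
Route::get('/orders/{order}', function (Order $order) {
    return view('orders.show', ['order' => $order]);
})->middleware(['auth', 'can:view,order']);

// SAFE, option 2: scope the query to the current user. A foreign id yields 404
// and the other customer's row is never loaded at all.
Route::get('/orders-scoped/{id}', function (Request $request, int $id) {
    $order = $request->user()->orders()->findOrFail($id);
    return view('orders.show', ['order' => $order]);
})->middleware('auth');
```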
There was a time when it was almost a weekly occurrence that an unsecured AWS (Amazon Web Services) S3 bucket or Elasticsearch server was found containing millions of customer details. It became so prevalent that AWS ended up making S3 uploads private by default, with explicit warnings if you decide to make the data public.
Applications always need to be configured securely and updated frequently to reduce the risk of being exploited.
What we do:
XSS exploits occur when an application allows untrusted data to be displayed without properly escaping any potentially dangerous code. This can allow attackers to hijack customer sessions (and provide the attacker with full access to their account), deface websites, or redirect your customers to malicious sites that attempt to download malware or trick them into revealing their personal details.
What we do:
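An added example (not ID Studio's code) of how Blade escapes output, where it deliberately doesn't, and two contexts where HTML-escaping alone is not enough. It assumes Laravel 9 or later (for `Blade::render()`) and uses a constructed comment body as the untrusted input.

```php
<?php
// Added example, not ID Studio's code. Output escaping in Laravel/Blade.
// Assumes Laravel 9+ for Blade::render(); $comment is constructed input.

use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Str;

// Constructed untrusted input: a comment containing markup. Markup in user
// input must reach the browser as text, never as live HTML.
$comment = '<script>alert(1)</script> nice article';

// SAFE: {{ }} passes the value through e(), so < > " ' & become entities and
// the browser renders the tag as visible text.
echo Blade::render('<p>{{ $comment }}</p>', ['comment' => $comment]);

// VULNERABLE: {!! !!} skips escaping on purpose. Using it on anything a user
// can influence is exactly the flaw described above.
echo Blade::render('<p>{!! $comment !!}</p>', ['comment' => $comment]);

// The same helper applies when HTML is assembled in PHP rather than a template.
function renderComment(string $body): string
{
    return '<p class="comment">' . e($body) . '</p>';
}

// Context 1: a value placed inside a <script> block must be JSON-encoded, not
// HTML-escaped. Js::from() does this and marks the result as safe for {{ }}.
echo Blade::render(
    '<script>const comment = {{ \Illuminate\Support\Js::from($comment) }};</script>',
    ['comment' => $comment]
);

// Context 2: a user-supplied URL in an href. Escaping keeps the attribute intact
// but does not stop a javascript: scheme, so allow only http(s) links.
function safeHref(string $url): string
{
    return Str::startsWith(strtolower(trim($url)), ['http://', 'https://'])
        ? e($url)
        : '#';
}
```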
Data serialisation is the process of converting structured data into a format that can be stored and shared easily. Later, it can be converted back into its original data structure. The vulnerability arises when an attacker makes changes to the serialised data. When the system unserialises this data, it can lead to exploits such as privilege escalation, where a user ends up with a higher authorisation role than they had before.
What we do:
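As an added example (not ID Studio's code), three ways of restoring client-supplied state in a Laravel app, from the unsafe `unserialize()` call to a data-only format that is validated before use. The cookie payload and shopping-cart shape are constructed for the illustration.

```php
<?php
// Added example, not ID Studio's code. Restoring client-supplied state safely.
// The cart structure and cookie names are constructed for this illustration.

use Illuminate\Support\Facades\Validator;

// VULNERABLE: unserialize() on data the client controls can instantiate any
// class in the application with attacker-chosen properties, and that class's
// __wakeup()/__destruct() logic then runs. Storing a role in the payload is a
// second mistake: the client can simply edit it.
function restoreCartUnsafe(string $cookie): array
{
    return unserialize(base64_decode($cookie));   // may include ['role' => ...]
}

// SAFER: refuse to instantiate objects at all. Scalars and arrays are restored;
// any object in the payload becomes __PHP_Incomplete_Class instead of running code.
function restoreCartAllowedClasses(string $cookie): array
{
    $data = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// PREFERRED: a data-only format, decoded with a depth limit, then validated
// against the exact shape we expect. Authorisation data (roles, user ids) is
// never read from the client; it comes from the server-side session instead.
function restoreCartJson(string $json): array
{
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        return [];
    }
    return Validator::make($data, [
        'items'       => ['required', 'array', 'max:50'],
        'items.*.sku' => ['required', 'string', 'max:32'],
        'items.*.qty' => ['required', 'integer', 'between:1,99'],
    ])->validate();
}

// Laravel's own encrypted cookies and sessions do serialise values, which is
// why the EncryptCookies middleware and APP_KEY matter: the MAC is verified
// before anything is unserialised, so a tampered cookie is rejected outright.
```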
Ensuring your application is protected against things like SQL injection and XSS is only the start. If your application uses libraries with known vulnerabilities, these can be exploited regardless of the defences you have in place.
What we do:
Most breaches on average take more than 200 days before they’re detected. In this time, attackers can breach your system, pivot to other attacks and exfiltrate all your customer data. A crucial part of detecting breaches is logging and monitoring all activity.
What we do:
At ID Studio, security is at the core of every website we do. If you have a project in mind, or simply want to chat, please feel free to contact us or call our London, Richmond office at 020 3908 4428.