Breaches that exploit software vulnerabilities have almost doubled from the previous year. The defense-in-depth section of this article series is the preferred path to stronger security. These are some security and vulnerability assessments across specific industries:
1. Financial Services: This is one of the most targeted and regulated sectors. Standards like GDPR and PCI-DSS incentivize researchers to flag potential issues, which leads to a high number of vulnerability report filings. Since this sector's assets usually comprise complex, multi-layered applications that manage PII, the most prevalent vulnerabilities reported are insecure direct object reference (IDOR) vulnerabilities, especially in functions that involve money transfers, where weak access controls heighten the risk of exploitation. Incorrect configuration and a high volume of sensitive data handling are the main culprits. The recommendations from security experts, therefore, include enforcing proper authorization, avoiding functions that automatically bind a client's input into variables, objects, or properties, and instead mapping random, unique customer-facing identifiers to the actual objects, which stay hidden on the server side.
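The indirect-reference pattern recommended above, as an added example that is not from the article: the server hands each user random, unguessable references to their own accounts and resolves a transfer's source only through that user's own map, so ownership is enforced by construction. The account numbers, user names and balances are constructed sample data, and `transfer_vulnerable` is kept beside the hardened `transfer` to show the defect the mapping removes.

```python
import secrets
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller acts on an account it does not own."""


@dataclass
class Account:
    number: str    # payee-facing account number (constructed, IBAN-like)
    owner: str     # authenticated user who owns the account
    balance: int   # whole currency units


class AccountService:
    """Keeps accounts server-side and hands each user opaque references to their own."""

    def __init__(self, accounts):
        self._accounts = {a.number: a for a in accounts}   # constructed in-memory store
        self._refs = {}   # user -> {opaque reference -> account number}

    def reference_for(self, user, number):
        """Return the opaque reference `user` sees for one of their own accounts."""
        account = self._accounts[number]
        if account.owner != user:
            raise AuthorizationError("not the owner")
        user_refs = self._refs.setdefault(user, {})
        for ref, num in user_refs.items():
            if num == number:
                return ref
        ref = secrets.token_urlsafe(16)   # random, so references cannot be enumerated
        user_refs[ref] = number
        return ref

    def _resolve(self, user, ref):
        """Map a reference through the caller's own table; other users' references do not exist here."""
        number = self._refs.get(user, {}).get(ref)
        if number is None:
            raise AuthorizationError("unknown reference")
        return self._accounts[number]

    def transfer_vulnerable(self, user, src_number, dst_number, amount):
        """Direct object reference: the source account comes straight from the request and
        the caller's identity is never compared with the account owner (the IDOR defect)."""
        src, dst = self._accounts[src_number], self._accounts[dst_number]
        src.balance -= amount
        dst.balance += amount
        return src.balance

    def transfer(self, user, src_ref, dst_number, amount):
        """Hardened: the source is resolved only through the caller's own reference map;
        the payee is any account number, since paying someone is not acting on their account."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        src = self._resolve(user, src_ref)
        dst = self._accounts.get(dst_number)
        if dst is None:
            raise ValueError("unknown payee")
        if src.balance < amount:
            raise ValueError("insufficient funds")
        src.balance -= amount
        dst.balance += amount
        return src.balance


if __name__ == "__main__":
    svc = AccountService([Account("ACC-1001", "alice", 500), Account("ACC-1002", "mallory", 10)])
    ref = svc.reference_for("alice", "ACC-1001")
    print("alice pays 100, remaining:", svc.transfer("alice", ref, "ACC-1002", 100))
    try:
        svc.transfer("mallory", ref, "ACC-1002", 100)
    except AuthorizationError as exc:
        print("reference reused by another user:", exc)
```

The per-user map is the key design choice: a reference is meaningless outside the session that minted it, so the authorization check cannot be forgotten on a new endpoint the way an explicit `owner == user` comparison can.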
2. Government: Government agencies encounter a much higher rate of XSS vulnerability reports than the industry average, likely because of numerous, often legacy and sprawling web environments with inconsistent security practices, which leave some of them more vulnerable than others. The slower pace of updates in government IT further increases their exposure and risk. The recommendations from security experts are in line with these characteristics: treat all input as malicious, encode output according to its context, and implement a Content Security Policy that restricts the sources of executable scripts and limits the potential of XSS attacks.
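Context-dependent output encoding and a CSP header, as an added example that is not from the article: one encoder per context the value can land in (HTML body, attribute, inline script string, URL parameter), a small render function that picks the right one for each slot, and a helper that builds the `Content-Security-Policy` value. The page layout, the nonce and the CDN host are constructed; only the standard library is used.

```python
import html
import json
from urllib.parse import quote


def encode_for_html_body(value):
    """Text between tags: escape &, <, >, " and ' so it cannot open a new element."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    """Return a complete double-quoted attribute value; the quotes are part of the encoding."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_for_js_string(value):
    """Value embedded in an inline script as a string literal: JSON-encode it, then
    neutralise the sequences the HTML parser would treat as the end of the script."""
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")


def encode_for_url_param(value):
    """Value placed in a query string: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_profile(display_name, homepage, theme, nonce):
    """Each interpolation uses the encoder for the context it lands in."""
    return (
        f"<h1>{encode_for_html_body(display_name)}</h1>\n"
        f'<a href="/go?to={encode_for_url_param(homepage)}">homepage</a>\n'
        f"<div data-theme={encode_for_html_attribute(theme)}></div>\n"
        f"<script nonce={encode_for_html_attribute(nonce)}>"
        f"var displayName = {encode_for_js_string(display_name)};</script>"
    )


def content_security_policy(script_hosts=(), nonce=None):
    """CSP value: scripts only from this origin, the listed hosts, and nonce-tagged inline blocks;
    no plugins and no <base> hijacking."""
    script_src = ["'self'", *script_hosts]
    if nonce is not None:
        script_src.append(f"'nonce-{nonce}'")
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", script_src),
        ("object-src", ["'none'"]),
        ("base-uri", ["'self'"]),
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


if __name__ == "__main__":
    nonce = "n0nce"   # constructed; generate per response from a CSPRNG in a real server
    print(render_profile("<b>x</b>", "https://example.com/?a=1&b=2", "dark", nonce))
    print("Content-Security-Policy:", content_security_policy(("https://cdn.example",), nonce))
```

The nonce ties the two halves together: the inline script block is accepted only because its `nonce` attribute matches the one in the header, so an injected `<script>` without the nonce is not executed even if an encoder is misapplied somewhere.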
3. Telecoms: These organizations manage vast networks with millions of subscribers, both individuals and enterprises, and their devices. Improper authentication methods, due to misconfigurations and complex infrastructure, plague this sector. Outdated systems and encryption standards affect APIs and UIs. The recommendation from security experts is to use robust and secure authentication methods: strong passwords, MFA, secure storage, account lockout mechanisms, randomly generated session and authentication tokens, proper session expiration, and no disclosure of sensitive information in API and UI responses, errors, and logs.
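The authentication controls listed above, as an added example that is not from the article: salted PBKDF2 password storage, a failure counter with lockout, session tokens drawn from the OS CSPRNG, a fixed session lifetime, and one generic error string for every failure cause so responses never say whether a username exists or an account is locked. The iteration count, lockout window, session lifetime and the injectable clock are constructed choices for the demonstration; MFA is out of scope here.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000          # constructed; tune to the hardware, higher is better
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
SESSION_TTL_SECONDS = 1800
GENERIC_ERROR = "invalid credentials"   # one message for every failure cause


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so only the digest is stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    """Password login with lockout, random session tokens and fixed-lifetime sessions."""

    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so expiry can be exercised without sleeping
        self._users = {}       # username -> record; never holds the plaintext password
        self._sessions = {}    # token -> {"user": ..., "expires": ...}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return (token, None) on success or (None, GENERIC_ERROR) on any failure."""
        now = self._clock()
        user = self._users.get(username)
        if user is None:
            # Same cost as a real check, so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return None, GENERIC_ERROR
        if now < user["locked_until"]:
            return None, GENERIC_ERROR          # a locked account looks like any other failure
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILED_ATTEMPTS:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None, GENERIC_ERROR
        user["failures"] = 0
        token = secrets.token_urlsafe(32)       # 256 random bits, not a counter or a hash of the username
        self._sessions[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
        return token, None

    def user_for_token(self, token):
        """Resolve a session token, dropping it once its lifetime has passed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session["expires"]:
            del self._sessions[token]
            return None
        return session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)
```

Log lines for this service should carry the username and the outcome only: the token is a bearer credential and the password never leaves `login`, which is the "no disclosure in logs" half of the recommendation.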
4. Retail and E-commerce: Cybercrime is the primary manifestation of security vulnerabilities in this sector, which has the most information disclosure vulnerabilities reported among all sectors. Because of the vast amounts of sensitive data handled, dynamic websites and applications, and flawed data management practices, the number of affected end-users runs into the thousands. The recommendation from security experts is to avoid exposing unnecessary data and to ensure that sensitive data is protected both at rest and in transit. Users and processes must be granted access following the principle of least privilege.
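Data minimization by role, as an added example that is not from the article: an order is serialised through an explicit per-role field allowlist, so the payment token, the margin and anything added to the record later never reach a client unless a role is granted it, and error bodies carry a correlation id instead of the exception text. The roles, fields and sample order are constructed; at-rest and in-transit protection is left to TLS and the platform's key management and is not shown.

```python
import secrets
from dataclasses import dataclass

# Constructed policy: the fields each role may receive. Anything not listed never leaves the backend.
ROLE_FIELDS = {
    "customer":   {"order_id", "items", "total", "card_last4", "shipping_city"},
    "support":    {"order_id", "items", "total", "card_last4", "shipping_city", "email"},
    "fulfilment": {"order_id", "items", "shipping_address", "shipping_city"},
}


@dataclass
class Order:
    order_id: str
    email: str
    items: list
    total: int
    card_token: str        # payment-provider token; the card number itself is never stored here
    card_last4: str
    shipping_address: str
    shipping_city: str
    internal_margin: int   # business data with no external consumer at all


def order_view(order, role):
    """Serialise an order for one role using an allowlist of fields."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"no view defined for role {role!r}")
    # Built from an explicit map rather than vars(order): a field added to Order is hidden
    # until someone decides which role needs it. card_token and internal_margin have no entry.
    projectable = {
        "order_id": order.order_id,
        "email": order.email,
        "items": order.items,
        "total": order.total,
        "card_last4": order.card_last4,
        "shipping_address": order.shipping_address,
        "shipping_city": order.shipping_city,
    }
    return {name: value for name, value in projectable.items() if name in allowed}


def error_response(exc, server_log):
    """Split what the client sees from what the server keeps: the client gets a generic message
    and a correlation id; the log entry keyed by that id carries the detail."""
    correlation_id = secrets.token_hex(8)
    server_log.append({"id": correlation_id, "detail": repr(exc)})
    return {"error": "request could not be processed", "id": correlation_id}


if __name__ == "__main__":
    order = Order("O-1", "a@example.com", ["sku-1"], 4200, "tok_abc", "4242", "1 Main St", "Springfield", 900)
    for role in ROLE_FIELDS:
        print(role, order_view(order, role))
```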
5. Transportation: Many transportation organizations rely on legacy systems developed before modern security practices became widespread, so they exhibit most of the OWASP Top 10 vulnerabilities, including improper input validation and SQL injection. Booking, navigation, and maintenance functionality is poorly integrated, often with third-party vendors, so security hardening is inconsistent. The recommendations from security experts are to use prepared statements with parameterized queries, validate all user input, and deploy web application firewalls to detect and block injection attacks.
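Parameterized queries with input validation, as an added example that is not from the article: a string-built lookup is kept beside the prepared-statement version so the difference is visible on the same in-memory table, and the final `find_booking` layers a shape check on top of the parameter. The bookings table, its rows and the six-character reference format are constructed; `sqlite3` from the standard library stands in for the production database, and the WAF layer is not modelled.

```python
import re
import sqlite3

# Constructed shape of a booking reference: exactly six uppercase letters or digits.
BOOKING_REF = re.compile(r"[A-Z0-9]{6}")


def build_demo_db():
    """In-memory table with constructed sample bookings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT PRIMARY KEY, passenger TEXT, route TEXT)")
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [("AB12CD", "Alice", "LHR-JFK"), ("EF34GH", "Bob", "CDG-NRT"), ("IJ56KL", "Carol", "SFO-SYD")],
    )
    return conn


def find_booking_vulnerable(conn, ref):
    """String-built SQL: the reference becomes part of the statement text, so a quote
    inside it rewrites the WHERE clause instead of being compared against the column."""
    query = f"SELECT passenger, route FROM bookings WHERE ref = '{ref}'"
    return conn.execute(query).fetchall()


def find_booking_parameterized(conn, ref):
    """Prepared statement: the driver sends the value separately from the SQL, so it
    can only ever be compared, never parsed as part of the statement."""
    return conn.execute("SELECT passenger, route FROM bookings WHERE ref = ?", (ref,)).fetchall()


def find_booking(conn, ref):
    """Defence in depth: reject anything not shaped like a reference, then query with a parameter.
    The validation also keeps junk out of logs and downstream systems that the parameter alone would pass through."""
    if not isinstance(ref, str) or not BOOKING_REF.fullmatch(ref):
        raise ValueError("malformed booking reference")
    return find_booking_parameterized(conn, ref)


if __name__ == "__main__":
    conn = build_demo_db()
    print("valid lookup:", find_booking(conn, "AB12CD"))
    print("parameterized with a stray quote:", find_booking_parameterized(conn, "AB12CD'"))
```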
6. Media and Entertainment: These organizations encounter the highest number of reports for misconfigurations. Since this industry requires content to be shared and made available worldwide, it relies on CDNs and streaming platforms to distribute that content. Improper security settings and access controls compromise content that is produced at a fast rate. The recommendation from security experts is to implement automated configuration management tools, create standardized patterns across content types, perform security audits regularly, and implement least-privilege policies.
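A small automated configuration audit, as an added example that is not from the article: a rule table encodes the standard pattern for a CDN distribution (private origin, HTTPS only, TLS 1.2 or later, no wildcard CORS, signed URLs, a scoped publishing role rather than admin), `audit` reports every deviation, `remediate` produces the corrected config beside the weak one, and `audit_all` runs the same rules across content types. The setting names, baseline values and the two sample distributions are constructed and do not follow any vendor's schema.

```python
import copy

# Constructed policy: (setting, predicate that is True when the value is weak, finding text, baseline value).
RULES = [
    ("origin_acl", lambda v: v != "private", "origin storage readable without going through the CDN", "private"),
    ("viewer_protocol", lambda v: v != "https-only", "plaintext HTTP accepted from viewers", "https-only"),
    ("min_tls", lambda v: v not in ("1.2", "1.3"), "TLS below 1.2 accepted", "1.2"),
    ("cors_origins", lambda v: "*" in (v or []), "wildcard CORS origin", ["https://www.example.com"]),
    ("signed_urls", lambda v: not v, "content served without signed URLs", True),
    ("publish_role", lambda v: v in (None, "admin"), "publishing uses an admin role instead of a scoped one", "content-publisher"),
]


def audit(cfg):
    """Return [(setting, finding)] for every rule the config violates; a missing setting is evaluated as None."""
    return [(key, text) for key, is_weak, text, _ in RULES if is_weak(cfg.get(key))]


def remediate(cfg):
    """Copy the config and replace each violating setting with the baseline, leaving unrelated keys alone."""
    fixed = copy.deepcopy(cfg)
    for key, is_weak, _, baseline in RULES:
        if is_weak(fixed.get(key)):
            fixed[key] = copy.deepcopy(baseline)
    return fixed


def audit_all(distributions):
    """Audit a fleet keyed by content type; only entries with findings are returned, so a clean run is {}."""
    report = {name: audit(cfg) for name, cfg in distributions.items()}
    return {name: findings for name, findings in report.items() if findings}


# Constructed sample: a stream set up before the standard pattern existed, and an image CDN that follows it.
DISTRIBUTIONS = {
    "video-stream": {
        "origin_acl": "public-read", "viewer_protocol": "allow-all", "min_tls": "1.0",
        "cors_origins": ["*"], "signed_urls": False, "publish_role": "admin", "ttl_seconds": 300,
    },
    "image-cdn": {
        "origin_acl": "private", "viewer_protocol": "https-only", "min_tls": "1.2",
        "cors_origins": ["https://www.example.com"], "signed_urls": True,
        "publish_role": "content-publisher", "ttl_seconds": 86400,
    },
}


if __name__ == "__main__":
    for name, findings in audit_all(DISTRIBUTIONS).items():
        print(name)
        for key, text in findings:
            print(f"  {key}: {text}")
        print("  remediated:", remediate(DISTRIBUTIONS[name]))
```

Run on every deploy and on a schedule, `audit_all` is the regular audit the recommendation asks for; keeping the rules in one table is what makes the pattern standard across content types rather than re-decided per distribution.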
Reference: Previous articles