techUK and the Cyber Crime Reduction Partnership have identified the top ten online vulnerabilities, detailed in a guidance paper entitled ‘Securing Web Applications and Infrastructure’.
Released today, the guidance paper was the result of penetration tests over the last 12 months and advises on how users can protect themselves from the most common threats.
Aiming to reduce the impact and cost of cyber crime, the new guidance showed that the top 10 vulnerabilities are:
1 Account weaknesses, and especially a weak password policy
2 Secure Sockets Layer (SSL) issues
3 Cross site scripting (XSS)
4 Clear text protocol in use
5 No brute force protection
6 Directory listing
7 No ‘clickjacking’ protection
8 Cookies – not marked HTTP only or not marked as secure
9 Host configuration issues, especially firewall issues and IP leakage
10 Information disclosure, and especially user enumeration
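Several of the items above can be spotted from a single captured HTTP response. The following Python script is an added example, not part of the techUK guidance or of this article: it parses a raw HTTP/1.1 response (as saved from a proxy or from `curl -i`) and flags the header-level weaknesses that correspond to items 2, 4, 6, 7, 8 and 10. The two responses at the bottom are constructed for the example; the "Index of /" title used to detect directory listings is the signature of the Apache and nginx autoindex pages. Items that need active testing against a live target (password policy, brute-force protection, user enumeration, cipher and certificate checks) are out of scope for an offline check.

```python
"""Offline audit of one HTTP response for the list items on clear text (2, 4),
directory listing (6), clickjacking (7), cookie flags (8) and information
disclosure (10). Added example; the sample responses are constructed."""
import re


def parse_response(raw: bytes):
    """Split a raw response into (status_code, headers, body).

    headers is a list of (lower-cased name, value) pairs so that repeated
    headers such as Set-Cookie are all preserved.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body.decode("utf-8", "replace")


def audit_response(raw: bytes, scheme: str) -> list:
    """Return the findings for one response; an empty list means nothing flagged.

    scheme is "http" or "https": how the request was sent, which the
    response itself does not record.
    """
    status, headers, body = parse_response(raw)

    def get(name):
        return [v for k, v in headers if k == name]

    findings = []

    # 8. Cookies: without HttpOnly a cookie is readable by an XSS payload,
    #    without Secure it is sent over clear-text HTTP.
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")

    # 7. Clickjacking: the page can be framed unless one of these forbids it.
    csp = " ".join(get("content-security-policy")).lower()
    if not get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    # 2 / 4. Clear text: an http:// response that is not a redirect to https://,
    #        or an https:// response that does not set HSTS.
    location = " ".join(get("location")).lower()
    if scheme == "http" and not (300 <= status < 400 and location.startswith("https://")):
        findings.append("served over clear-text HTTP without redirect to HTTPS")
    if scheme == "https" and not get("strict-transport-security"):
        findings.append("HTTPS response without Strict-Transport-Security")

    # 6. Directory listing: Apache and nginx autoindex pages share this title.
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("directory listing enabled")

    # 10. Information disclosure: product versions in Server / X-Powered-By.
    for hdr in ("server", "x-powered-by"):
        for value in get(hdr):
            if re.search(r"/\d", value):
                findings.append(f"{hdr} header discloses version: {value}")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Index of /backup</title></head>"
    b"<body><h1>Index of /backup</h1></body></html>"
)

HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    for label, raw, scheme in (("weak", WEAK, "http"), ("hardened", HARDENED, "https")):
        print(label, audit_response(raw, scheme))
```

Run against the constructed responses, the weak one yields six findings (both cookie flags, no framing protection, clear-text HTTP, a directory listing and a version string in Server) and the hardened one yields none. On a real engagement the same checks are worth running on every distinct response, since a site often sets the cookie flags on the login page but forgets them on a secondary application.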
Gordon Morrison, Director of Tech for Government at techUK, explains: "These threats may not be new, but all still pose a real risk to UK web users. The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime."
In addition to identifying the top ten online vulnerabilities, the guidance also details best practice steps users can take in order to minimise risk.
The paper highlighted the PAS 754, Software Trustworthiness – Governance and Management – Specification, which was developed by BSI in consultation with stakeholders. It sets out the processes and procedures which organisations can apply to help them identify and employ trustworthy software. The specification defines the five aspects of software trustworthiness: Safety, reliability, availability, resilience and security.
It describes a widely applicable approach to achieving software trustworthiness, which is based on the following concepts:
– Governance: Before producing or using any software which has a trustworthiness requirement, an appropriate set of governance and management measures shall be set up.
– Risk assessment: The risk assessment process involves considering the set of assets to be protected, the nature of the adversities that may be faced, and the way in which the software may be susceptible to such adversities.
– Control application: Risk shall be managed through the application of appropriate personnel, physical, procedural and technical controls.
– Compliance: A compliance regime shall be set up to ensure that creators and users of software ensure that governance, risk and control decisions have been implemented.