Want to avoid a software hack? Watch out for these common mistakes
Tracey and I recording "Learning the OWASP Top 10" in San Francisco

It seems like every day you hear about a new security incident or breach in the news. Have you ever wondered,

What exactly is it about software that makes it so vulnerable?

It turns out there is a Top 10 List that describes some of the most common security vulnerabilities that hackers often take advantage of in order to conduct their attacks.

The OWASP Top 10 is basically a "here's what not to do if you don't want to get hacked" primer. There are, of course, many ways to breach applications that go beyond the OWASP Top 10, but the list is a pretty good start.

Let's take a look at a few of the past year's major security breaches.

#1. The Equifax breach

Key takeaway: Don't use components with known vulnerabilities.

Equifax applications use a software component called Apache Struts, and information regarding a critical vulnerability in that software was released in March 2017. For whatever reason, Equifax did not get around to patching it quickly, and hackers exploited the vulnerability before it could be fixed.

Using Components with Known Vulnerabilities is described in #9 of the OWASP Top 10.

#2. Verizon customer records exposed

Key takeaway: Make sure that all software and infrastructure components are up to date and configured securely.

More than 10 million customer records were discovered on an unprotected cloud storage service being managed by a third party. Sensitive information like phone numbers and account PINs of Verizon customers who had called customer service in the six months prior to the breach was stored in log files that were easily accessed by unauthorized users.

Security Misconfiguration is described in #6 of the OWASP Top 10.

#3. InterContinental Hotels Group credit card breach

Key takeaway: Ensure that only legitimate, authorized users can access administration tools.

Hackers installed malicious software at front desks of various hotel locations in the Fall of 2016, resulting in a credit card breach affecting more than 1000 hotels. This attack seemed to be similar to the attacks on point-of-sale systems at Target and Home Depot in 2014, during which hackers were able to access remote administration tools.

Broken Authentication is described in #2 and Broken Access Control is described in #5 of the OWASP Top 10.

The OWASP Top 10 is a must-know for anyone in software development.

Last month, I recorded a course on the OWASP Top 10 for LinkedIn Learning.

In this course, I talk through each of the items at a high level so that you can understand the basic concepts behind each vulnerability and the types of attacks that can occur when they exist.

Learning the OWASP Top 10 with Caroline Wong is now available on LinkedIn Learning and on Lynda.com.

Course Description:

The Open Web Application Security Project (OWASP) was formed to provide the public with the resources to understand and improve software security. The OWASP Top 10 list describes the ten biggest vulnerabilities. In this course, application security expert Caroline Wong provides an overview of the 2017 OWASP Top 10, presenting information about each vulnerability category, its prevalence, and its impact. Though aimed at IT security professionals and developers, anyone who uses web applications will benefit from an understanding of these risks.

Duration: 43m 57s

For a limited time, this course will be open to anyone at no cost, whether or not they're a LinkedIn Learning subscriber.

Joseph Silvia, MBA

CEO | Cyber/Computer Forensics and Counterterrorism

6 years ago

Indeed a great article and Caroline's course is very good. I highly recommend it for anyone wanting to increase their understanding of the OWASP Top 10

Peter Francisco

Offensive Security Manager | Penetration Tester | Cybersecurity Educator

6 years ago

Great article! I'm excited to check out the course (and thanks for making it free for a while!). If I may offer one small correction, though, it's that the OWASP Top 10 is not the list of the 10 most common vulns but rather the top 10 most critical AppSec vulnerabilities. I used to think that, too.

Karan Singh S.

Learner | AI and Innovation | Security Product Transformation | CISSP | GCSA | GCIH

7 years ago

Great work.

Rachel Weeks

Marketing Executive | Team Builder | SaaS Growth | Revenue Driver | Brand Amplifier | Strategic Partner | Leader | Mentor

7 years ago

Jade Longstaff I may be crazy, but this looks a lot like your husband!
