Weak passwords remain the top vulnerability for web users, according to guidance by technology association TechUK.
TechUK published the guide – entitled Securing Web Applications and Infrastructure – in association with the government’s Cyber Crime Reduction Partnership to identify practices that reduce the impact and cost of cyber crime.
The guide reveals the ten most common web vulnerabilities and contains advice on how to defend against the most common threats.
Penetration tests conducted over the past 12 months showed that, despite the emergence of new threats, well-known vulnerabilities remain the most common and are well understood by criminals.
“These threats may not be new, but all still pose a real risk to UK web users,” said Gordon Morrison, director of technology for government at TechUK.
“The good news for businesses and citizens is that there are well-established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime.”
Web applications provide significant benefit to consumers and businesses, and TechUK expects their importance to grow.
“Software engineers and industry in general have a responsibility to ensure their products are developed in a manner that is as secure as possible,” the guide said.
“This is true even if software is simple or does not deliver a function that is safety critical, like the processing of personal data for example.”
Some of the examples of best practice are drawn from the Top Ten Project of the Open Web Application Security Project (Owasp).
Owasp is a non-profit, volunteer organisation set up in 2001 to make web applications secure by educating users, developers, governments and business leaders.
“It’s good to have any research like this out in public, as it can only help to raise awareness of these issues,” said Justin Clarke, Owasp London Chapter leader and director at Gotham Digital Science.
“And as they’re the most common types of issues found, sometimes they’re also the easiest to remediate, which can only benefit organisations if they look at their own applications and apply best practice before they have a security incident.”
Clarke said it was also good to see that the guide links to some of the volumes of free information resources on the Owasp site – especially the Owasp Cheat Sheet series.
“This series is designed to give a developer or security professional a single document on everything they need to understand and fix common web application vulnerabilities,” he said.
The publication of the TechUK web application guidelines follows the embarrassing hack of the US Central Command’s Twitter and YouTube accounts by a group claiming to back Islamic State.
“Shared privileged accounts, which include social media credentials, are a commonly overlooked threat,” said Andrey Dulkin, senior director of cyber innovation at CyberArk.
“This is compounded by the fact that many enterprises have numerous social media accounts on Twitter, Facebook, YouTube and LinkedIn – often with unique accounts for different product lines, languages, countries and stakeholders.”
Dulkin said that, with passwords for these accounts shared among teams, they make an easy target – not least because there is no record of, or accountability for, each individual post.
“To make matters worse, the same password is frequently used across multiple accounts, and the passwords are often rarely changed,” he said.
Dulkin warned that lax security opens the door for malicious hackers, as well as rogue current or former employees, or disgruntled social media agency members.