<-- home

the top 5 web app issues to look for in 2017

post by:

Most of my blog posts serve as journals of my thoughts. A place for my conscious stream of thoughts to be recorded. I have a theory, I record it, then move on, later I may go back and look and consider my hypothesis. This post represents one of those moments.

I think about the web today, and when I started looking at web applications many years ago from a security perspective. The more I think about what ‘progress’ we have made, the more I also reflect on the amount of work yet to be done. What are we teaching people about building applications and how does application security fit in theirs education? I know, developers want to make things, and the security of their application, while important, may not be one of those things that they are keen to understanding straight away. I feel like I will be saying the same thing after spending a lifetime doing this. Here are my thoughts on what the Top 5 Web Application issues are in 2017.

Top 5 Web App Issues for 2017

  1. Input validation - We build applications that take in data from many sources. Input Validation issues are going to be further increasing with the IoT trend, as machines generate data and applications consume it. We will do not have a good set of patterns how to handle input and generate the appropriate output. If we did, serialization bugs would not be such a big problem. XSS wouldn’t be such an issue plaguing so many applications. One day we will have to update this to include issues with NoSQL Databases and ORM’s. What about Server Side Template Injection?

  2. Authentication - We still have issues with authentication in 2017. Just the other day, Netflix’s Twitter account was hacked, and they still are struggling to stop the attackers from posting tweets.

  3. IoT - The IoT problem will become a larger problem by the fact that many of these devices have processing power that was seen 15 years ago or older. This means that certain things we take for granted like encryption may not be available.

  4. Crypto - A misunderstanding of how to properly implement cryptography will increase. There are a few things that will fuel this. People believe crypto implementations are hard. Documentation needs to be updated but isn’t often updated. Crypto, as an example, is used when trying to protect client-side logic through the use of JavaScript Web Tokens.

  5. SD* - Software Defined Everything, from Networks to Routing, to basic connectivity. While this is something that we need to have, all of these technologies rely on software-driven by some web technology. What this represents is the ultimate chicken-egg issue. We need the network to transmit the web, but now that same web is controlling the foundational transmit layer. If we don’t get a handle on items 1 - 4, how will this affect our basic plumbing?

Am I wrong? Am I right? Let me know in either the discussion below or on social media.

-M

comments powered by Disqus

© . All rights reserved.