Addressing the OWASP Top 10 Application Security Risks with Web Application Isolation: #4 Insecure Design

Author Avatar


Posted on July 27, 2022

Insecure Design is a newer category of risk that debuted in 2021 as #4 on the list of OWASP Top 10 threats. It is a very broad category that covers a range of design flaws that result in missing or ineffective controls. In their introduction of this risk, OWASP stresses that because defects in design cannot be fixed by rigorous implementation, secure development lifecycles are essential when designing new apps.

But here’s the catch: Existing apps may not have been developed with secure development lifecycles in mind. They may have designed-in weaknesses and flaws such as error messages that contain sensitive data and insufficiently protected data or credential storage. Until these apps can be redesigned, securing them is essential.

To illustrate the risk posed by Insecure Design, I subject the fictional Juice Shop that I created on the HyperQube test platform to yet another attack. In this short demo, I manipulate the source code to change session storage values and the tokens that the application uses. Ericom Web Application Isolation (WAI), an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats, provides controls and policies that can secure apps immediately, as soon as a design flaw is uncovered. In this case, that means blocking session storage data visibility from prying eyes – and itchy trigger fingers.

Check out the demo right here to see how it’s done:

Share this on:

Author Avatar

About Dr. Chase Cunningham

Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.