Addressing the OWASP Top 10 Application Security Risks with Web Application Isolation: #4 Insecure Design

Author Avatar


Posted on July 27, 2022

Insecure Design is a newer category of risk that debuted in 2021 as #4 on the list of OWASP Top 10 threats. It is a very broad category that covers a range of design flaws that result in missing or ineffective controls. In their introduction of this risk, OWASP stresses that because defects in design cannot be fixed by rigorous implementation, secure development lifecycles are essential when designing new apps.

But here’s the catch: Existing apps may not have been developed with secure development lifecycles in mind. They may have designed-in weaknesses and flaws such as error messages that contain sensitive data and insufficiently protected data or credential storage. Until these apps can be redesigned, securing them is essential.

To illustrate the risk posed by Insecure Design, I subject the fictional Juice Shop that I created on the HyperQube test platform to yet another attack. In this short demo, I manipulate the source code to change session storage values and the tokens that the application uses. Ericom Web Application Isolation (WAI), an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats, provides controls and policies that can secure apps immediately, as soon as a design flaw is uncovered. In this case, that means blocking session storage data visibility from prying eyes – and itchy trigger fingers.

Check out the demo right here to see how it’s done:

Share this on:

Author Avatar

About Dr. Chase Cunningham

Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.

Recent Posts

“Operation Duck Hunt” Shuts Down QakBot Botnet

The FBI-led takedown of Qakbot was an operation that involved seven countries. Malware was removed from 700,000 computers. But don’t think all that makes you safe.

How GenAI is Supercharging Zero-Day Cyberattacks

Generative AI empowers its users to work fast, better and more efficiently. Alas, this includes cybercriminals, who are using malicious GenAI platforms to accelerate zero-day exploit creation.

Cybercriminals Disdain the Law, But Find Law Firms Attractive

Cybercriminals love the multiplier effect they get from attacking law firms: Hack in, and they get firm data PLUS juicy confidential client info.