There are a number of issues that make securing an application hard these days. These issues include the following:
- The rise in sophisticated attacks that are hard to mitigate
- The growing number of 0-day vulnerabilities for which no patch exists yet
- More and more state-sponsored attacks that target multiple vulnerabilities in a system and are usually hard to trace
- An ever-increasing number of devices coming online without proper security in place, making them vulnerable to being used in DDoS attacks
An XSS—or cross-site scripting—attack is when an attacker injects a malicious script inside a trusted website. When a victim loads the page carrying the malicious script, the script runs in the victim's browser with the trust of that site, which compromises the client system.
A DoS—or denial of service—attack is used by an attacker to make a service or resource unavailable to its users by flooding the system with superfluous requests; the system queues up those requests, legitimate requests are delayed or dropped, and the service is disrupted.
A DoS attack can be mitigated through different techniques, implemented at different levels, such as the following:
- Adding a firewall rule to deny traffic from a given untrusted source
- Using services from cloud security providers, which analyze the incoming traffic and block the malicious part of it before it reaches the application infrastructure
- Configuring the infrastructure to sink the traffic to a node where no application is running, or rerouting the traffic to a nonexistent network interface by using DNS rules
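The mitigations listed above all sit at the network or provider level. An application-level complement, added here as an example that is not part of the original text, is to refuse excess requests per source instead of queueing them, so one flooding client cannot back up the service for everyone else. The token-bucket limiter below and the request log it processes are constructed for this illustration (the addresses, rate and burst size are assumptions, not values from the original).

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket: each source may make `rate` requests per
    second on average, with bursts of up to `capacity` requests. A request
    that finds the bucket empty is refused immediately rather than queued,
    which is the property that keeps a flood from one source from building
    a backlog in front of legitimate traffic."""

    def __init__(self, rate: float, capacity: float):
        self.rate = rate              # tokens replenished per second
        self.capacity = capacity      # maximum burst size
        self._tokens = defaultdict(lambda: capacity)
        self._last_seen = {}

    def allow(self, source: str, now: float) -> bool:
        # Refill proportionally to the time elapsed since this source was last seen.
        last = self._last_seen.get(source, now)
        refilled = self._tokens[source] + (now - last) * self.rate
        self._tokens[source] = min(self.capacity, refilled)
        self._last_seen[source] = now
        if self._tokens[source] >= 1:
            self._tokens[source] -= 1
            return True
        return False


# Constructed request log: (timestamp in seconds, source address), in time order.
# 10.0.0.5 sends a burst of 20 requests at once, then one more 2 seconds later;
# 10.0.0.9 sends a single request in between. Addresses are made up for the example.
SAMPLE_REQUESTS = (
    [(0.0, "10.0.0.5")] * 20
    + [(0.1, "10.0.0.9")]
    + [(2.0, "10.0.0.5")]
)


def summarize(requests, rate: float, capacity: float) -> dict:
    """Run the limiter over a request log and return, per source,
    a tuple (allowed, refused)."""
    limiter = TokenBucketLimiter(rate=rate, capacity=capacity)
    counts = defaultdict(lambda: [0, 0])
    for timestamp, source in requests:
        index = 0 if limiter.allow(source, now=timestamp) else 1
        counts[source][index] += 1
    return {source: tuple(pair) for source, pair in counts.items()}


if __name__ == "__main__":
    # The flooding source gets its burst of 5, is refused for the rest of the
    # burst, and is allowed again once its bucket has refilled; the quiet
    # source is never affected by its neighbour's flood.
    print(summarize(SAMPLE_REQUESTS, rate=2.0, capacity=5.0))
```

The refusal path is deliberately cheap (one dictionary lookup and a subtraction), because a mitigation that costs more per request than the service itself would simply move the bottleneck rather than remove it.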
There are a lot of possible mistakes that can compromise the security of the application, such as the following:
- Using insecure third-party libraries inside an application, which may carry security vulnerabilities of their own
- Not filtering the user-provided input to the application
- Storing security-sensitive data unencrypted inside an application
- Not implementing proper restrictions to control access to the internal infrastructure
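The XSS attack described earlier and the "not filtering user-provided input" mistake in this list are two sides of the same defect. The following example, added here and not taken from the original text, shows the vulnerable pattern (untrusted text concatenated straight into HTML) next to the hardened one (the text is HTML-encoded before it is placed in element content). The comment string and the `render_comment_*` functions are constructed for the illustration.

```python
import html

# Constructed sample input: a user-supplied comment that carries markup.
# Made up for this example; it is not data from the original text.
UNTRUSTED_COMMENT = '<script>alert("xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: the untrusted string is dropped into the page
    as-is, so any markup in it is parsed and executed by the browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: HTML-encode the untrusted string for the element
    context it is placed in. `html.escape` turns <, >, &, " and ' into
    entities, so the browser displays the characters instead of
    interpreting them as tags or attribute delimiters."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def contains_raw_script_tag(rendered: str) -> bool:
    """Minimal check used to illustrate the difference between the two
    renderings: does the output still contain a literal <script tag?
    (A constructed check for this example, not a general XSS scanner.)"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))   # tag survives intact
    print(render_comment_safe(UNTRUSTED_COMMENT))     # tag rendered as text
```

Note that encoding is context-specific: `html.escape` is correct for element content and quoted attribute values, but data placed into a JavaScript block, a URL, or CSS needs the encoding rules of that context, and a framework's auto-escaping template engine is the more reliable way to get those rules right everywhere.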