UK technology trade association techUK has teamed up with the Cyber Crime Reduction Partnership to release a new set of guidelines today designed to offer developers advice on how to write more secure applications and infrastructure.
The document draws on penetration tests conducted by PA Consulting to deduce the top ten vulnerabilities found over the past 12 months in customer web apps and infrastructure.
These include: account weaknesses, especially weak passwords; SSL issues such as self-signed certs; cross-site scripting; lack of brute force or clickjacking protection; and host configuration problems, especially firewall issues and IP leakage.
Also listed are cookies not marked as HttpOnly or not marked as Secure, which can make them easier for attackers to steal; and directory listing vulnerabilities, via which attackers can discover hidden files or the directory structure of a web site.
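The cookie item above is the one in the top ten that is easiest to check mechanically. The following is an added example, not code from the techUK document or from PA Consulting: a small Python audit that parses Set-Cookie headers, reports which cookies lack the Secure or HttpOnly attribute, and shows the hardened form of a weak header. The response headers are constructed samples, and the function names are my own.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; the header samples below are constructed, not captured
from any real site. Attribute names are matched case-insensitively,
as RFC 6265 requires.
"""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample responses: one hardened, one with typical gaps.
SAMPLE_RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    "hardened": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ],
    "weak": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/"),          # neither flag
        ("Set-Cookie", "prefs=dark; Path=/; Secure"),      # missing HttpOnly
        ("Set-Cookie", "csrftoken=xyz; httponly"),         # missing Secure
    ],
}

# The two attributes the guidance singles out.
REQUIRED_ATTRIBUTES: Tuple[str, ...] = ("Secure", "HttpOnly")


def cookie_attributes(set_cookie: str) -> Set[str]:
    """Return the lowercased attribute names of one Set-Cookie value.

    The first ';'-separated part is the name=value pair and is skipped;
    the rest are attributes such as Path=/, Secure or HttpOnly.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Set[str] = set()
    for part in parts[1:]:
        name = part.split("=", 1)[0].strip().lower()
        if name:
            attrs.add(name)
    return attrs


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """List the required attributes that this Set-Cookie value lacks."""
    present = cookie_attributes(set_cookie)
    return [a for a in REQUIRED_ATTRIBUTES if a.lower() not in present]


def audit_headers(headers: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing flags; empty dict means all cookies pass."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        missing = missing_cookie_flags(value)
        if missing:
            findings[cookie_name] = missing
    return findings


def harden_set_cookie(set_cookie: str) -> str:
    """Return the header value with any missing required attributes appended."""
    hardened = set_cookie.rstrip().rstrip(";")
    for attr in missing_cookie_flags(set_cookie):
        hardened += "; " + attr
    return hardened


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit_headers(headers))
    print(harden_set_cookie("session=abc123; Path=/"))
```

In practice this check belongs in a CI step or a response-header test rather than in production code: the web framework should emit the flags itself, and the audit confirms that every cookie it sets actually carries them.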
There is advice on how to avoid all of the top ten vulnerabilities listed, including links to examples of best practice, as well as information on industry standards.
The document, Securing web applications and infrastructure, recommends the BSI-developed PAS 754, Software Trustworthiness – Governance and Management – Specification for improved software engineering practices.
Also mentioned is ISO/IEC 27034-1:2011, Information technology – Security techniques – Application security, to help firms better integrate security into the processes used for managing their apps.
“These threats may not be new, but all still pose a real risk to UK web users,” said Gordon Morrison, director of tech for government at techUK, in a statement. “The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber crime.”
Formerly known as Intellect, techUK launched in 2013 with a rebrand and an ambitious plan to create over 500,000 jobs by 2020.
Improving the security of products made in the UK is one of its central aims, alongside boosting the export of domestically produced technology, making better use of the radio spectrum and encouraging the founding of coding clubs in primary schools.