This document summarizes the results of a security assessment of an educational application. It lists the critical, high, medium and low risk vulnerabilities found, including cross-site request forgery, stored cross-site scripting, a session token that does not change after login, weak password requirements and improper access control, together with the remediation status of each. It discusses the approaches taken to remediate them, including automated tools and fixes by the development team, and closes with recommendations on prioritizing fixes by root cause, using web application firewalls as a fast compensating control, and treating security as an ongoing process rather than a single event.
6. MITRE Claims
• All application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
• MITRE also found very little overlap between tools, so to reach that 45% you need all of them (assuming the vendors' claims are true).
8. Security Test Results

Risk       Vulnerability                                              Remediation Status
Critical   Cross-Site Request Forgery (CSRF)                          Partially fixed
Critical   Cross-Site Scripting (stored)                              Needs improvement
High       Session token does not change after login                  Fixed
Medium     UserLoginID enumeration                                    Fixed
Medium     Weak password requirements                                 Fixed
Medium     No logout function implemented                             Fixed
Medium     Account enumeration                                        Fixed
Medium     Improper access control                                    Fixed
Medium     Student can reveal teacher's login from server response    Not fixed
Low        Error messages reveal sensitive information                Fixed
Low        Internal IP address disclosure                             Fixed
Low        Insufficient password history management                   Fixed
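Two of the rows above concern session handling: the High finding that the session token does not change after login (which makes session fixation possible) and the Medium finding that no logout function exists. The following is an added example, not code from the assessed application or from the report, showing the vulnerable and the hardened behaviour side by side. The class and function names (SessionStore, fixation_attack, logout_check) and the "teacher"/"student" labels are illustrative assumptions.

```python
# Added example (not the assessed application's code): a minimal in-memory
# session store that can run in the vulnerable mode ("session token does not
# change after login") or the hardened mode (fresh id issued at login), plus
# server-side logout. Names are illustrative assumptions.
import secrets


class SessionStore:
    """regenerate_on_login=False reproduces the finding; True is the fix."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> session data

    def new_anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Credential verification is assumed done by the caller; returns the id the client must use."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if not self.regenerate_on_login:
            # Vulnerable: the pre-authentication id is promoted to an authenticated
            # one, so anyone who already knows that id is now logged in as `user`.
            self.sessions[sid]["user"] = user
            return sid
        # Hardened: discard the pre-authentication id and issue a fresh one.
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        """Server-side invalidation; clearing only the browser cookie leaves the session usable."""
        self.sessions.pop(sid, None)

    def current_user(self, sid: str):
        data = self.sessions.get(sid)
        return data["user"] if data else None


def fixation_attack(store: SessionStore):
    """Attacker obtains an id, plants it in the victim's browser, the victim logs in
    on it, and the attacker then presents the same id. Returns what the attacker sees."""
    planted = store.new_anonymous_session()
    store.login(planted, "teacher")      # victim authenticates on the planted id
    return store.current_user(planted)   # "teacher" when vulnerable, None when hardened


def logout_check(store: SessionStore) -> bool:
    """True when a logged-out session id no longer grants access."""
    sid = store.login(store.new_anonymous_session(), "student")
    store.logout(sid)
    return store.current_user(sid) is None


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionStore(regenerate_on_login=False)))
    print("hardened:", fixation_attack(SessionStore(regenerate_on_login=True)))
    print("logout invalidates:", logout_check(SessionStore(regenerate_on_login=True)))
```

The point to check in a real application is the same as in `fixation_attack`: capture the session cookie before authenticating, log in, and confirm the cookie value has changed; then log out and confirm the old authenticated cookie is rejected by the server rather than merely deleted by the browser.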
15. Recommendations
• Ensure that root cause analysis is used.
• Remove as many vulnerabilities sharing that root cause as possible within the prescribed time frame or budget.
• Involve a security expert.
16. Use Fast Fix Methods - WAFs
A web application firewall is a security control at the web application (HTTP) layer that does not depend on the application itself, so it can be deployed in front of unchanged code while the proper fix is pending. It is a compensating control, not a remediation: the vulnerability remains in the application until its root cause is fixed.
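To make the "does not depend on the application itself" property concrete, the following is an added example, not code from the report or from any real WAF product: a minimal WSGI middleware in the role of a web application firewall. It wraps an unmodified application and enforces two checks that correspond to the two Critical findings in the results table, a same-origin check on state-changing requests (CSRF) and a crude signature block for script injection (stored XSS). The host name `school.example`, the class and function names, and the signature pattern are illustrative assumptions.

```python
# Added example (not the report's or any vendor's code): a WSGI middleware acting
# as a tiny WAF. It is deployed in front of the application without touching
# application code. Host name, names and the pattern are illustrative assumptions.
import io
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "school.example"                     # assumed host the app is served from
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}  # requests that may change server state
# Crude script-injection signature; illustrative, and bypassable by encoding tricks.
XSS_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def _same_origin(environ) -> bool:
    """Origin (or Referer as a fallback) must name the application host."""
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        return False  # no origin information: treat a state-changing request as cross-site
    return urlsplit(source).hostname == ALLOWED_HOST


class SimpleWaf:
    """Wraps any WSGI app; rejects requests that fail the checks, forwards the rest."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in STATE_CHANGING and not _same_origin(environ):
            return self._block(start_response, "cross-site request blocked")
        body = b""
        if method in STATE_CHANGING:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # hand the app an unread copy of the body
        haystack = environ.get("QUERY_STRING", "") + body.decode("utf-8", "replace")
        if XSS_PATTERN.search(haystack):
            return self._block(start_response, "script injection blocked")
        return self.app(environ, start_response)

    @staticmethod
    def _block(start_response, reason: str):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [reason.encode()]


def vulnerable_app(environ, start_response):
    """Stand-in for the unmodified application: accepts whatever it is given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def send(app, method, path, body=b"", headers=None, query=""):
    """Drive a WSGI app with a constructed request; returns (status line, response body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    waf = SimpleWaf(vulnerable_app)
    print(send(waf, "POST", "/grade", b"score=100"))                                   # no Origin: blocked
    print(send(waf, "POST", "/grade", b"score=100", {"Origin": "https://school.example"}))  # allowed
    print(send(waf, "POST", "/comment", b"text=<script>alert(1)</script>",
               {"Origin": "https://school.example"}))                                  # blocked
```

Two caveats a practitioner should keep in mind when relying on this kind of control. First, signature matching produces both false negatives (encoded or obfuscated payloads slip through) and false positives (a legitimate parameter named `only=` trips the pattern above), so the stored XSS finding is only contained, not removed, until the application encodes output correctly. Second, rejecting requests without Origin or Referer blocks some legitimate clients that strip those headers; a real deployment would pair the check with per-request anti-CSRF tokens once the code fix lands.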