5 common mistakes when building a website/web-application wrt security.
These are the 5 common mistakes we often come across. This should not be seen as a comprehensive list.
1. Not performing authorization. Authentication confirms that you say who you are. Authorization checks if you have access to a specific asset. Examples of this are hidden links which are shown only to one type of user but not to the other, however if they know the URL they can access information.
2. Proper hashing. Having an online invoice which has ?invoice_id=2341 at the end, which allows any user to change the ID to different sequential numbers to access other information. Some hash this to give unique numbers, however this is not enough. You can use rainbow tables to get the actual values, and then generate a new hash. The proper way whenever using hash is to use SALT. This is true for user passwords as well where ideally both application and each user specific SALT combination should be used.
3. Not having a maintenance/update/upgrade plan. Always have a maintenance cycle to update your software for patches, and when needed do a proper full upgrade. This is for OS, OS services, and applications. It's no good having all the security checkboxes ticked if you have an old vulnerable software running.
4. SQL and XSS vulnerable code. While SQL injections are becoming less common with better frameworks, XSS vulnerability is still common. XSS escape the user entered code before displaying. More details available at https://www.sapnasecurity.com/single-post/2019/08/28/sql-and-xss-injection-simplified
5. Security headers, it's fairly simple to set the following headers HSTS, Secure Cookie, HTTPONLY, Restricting Cross Origin. These help prevent common vulnerabilities which hackers tend to exploit.
The above is just a list of 5 we feel are quick and easy to manage. OWASP provide details on the top vulnerabilities along with examples and solutions to fix them. Please refer https://owasp.org/www-project-top-ten/