dc.description.abstract | New apps and web services are increasingly serving our everyday needs, and they are appearing at a rapid pace. How secure are all these services?
This thesis has tested the security of five web services developed by startups. The startups were interviewed, and penetration testing based on the OWASP Top Ten was conducted.
The results show that none of the companies were using a systematic approach when working with security. Two of the five companies were familiar with OWASP and had taken some ad hoc measures to prevent these vulnerabilities. The other three companies seemed little concerned about security and took the view that security would be implemented once the service was functioning and stable.
Testing showed that the three companies not concerned about security all had serious security flaws. For the two companies actively working with security, some security flaws were also found, but these were fewer and less serious. In general, the companies were more successful in avoiding implementation flaws, such as SQL injection and XSS, while architectural security holes were more common. SQL injection and XSS were also more widely known among the startups than the other OWASP Top Ten vulnerabilities.
Third-party code played a large part in securing all the applications. Still, some of the companies failed by trusting this third-party code too much and by not considering security as an overall solution. Any company handling sensitive information about customers has the responsibility to make sure that the information is handled securely throughout the application and to ensure full coverage.