Cybersecurity has been a rising concern in the last decade. In 2021, researchers saw 50% more attacks per week on corporate networks compared to 2020, according to Check Point Research. Increasing your organisation’s efforts to implement better security practices is essential, but where do you start?
Since 2003, a non-profit organisation has led the effort to raise awareness of the most common vulnerabilities and issues and common ways to resolve them. We’ll be covering the OWASP top 10 web application security risks in more detail, including why they’re important and what’s included in the updated list.
In 2001, the non-profit organisation Open Web Application Security Project (OWASP) was founded to promote web application security. This was to address the early days of the internet, where application security was an afterthought and was often ignored.
OWASP was one of the first foundations to standardise security when coding, as there had been an increase in malicious attacks on older applications. They became an official non-profit organisation in 2004, promising to remain neutral from any businesses or commercial endeavours. Following its foundation, OWASP went on to create its own open-source licence and several projects within its community, most notably the OWASP Top 10.
OWASP releases a standard awareness document known as the OWASP Top Ten every three years. This document lists the OWASP top 10 security risks for web applications and provides statistics on how common they are, as well as general ways to prevent them.
These security risks are ordered by how often they are found in testing, and each category groups together a number of Common Weakness Enumerations (CWEs). A category may also include several other CWEs: root causes that can give rise to several other risks, along with a small number of individual symptoms that are too common to be given their own category.
OWASP gathers its data from security specialists at the Open Security Summit and from organisations that work in testing and application security. Because it operates entirely transparently, the whole process is public, and its Project Page shows how to submit data.
Broken Access Control, the first category, includes any policy that allows a regular user to act outside of their intended permissions. Examples include improperly granted access, APIs with missing controls for POST, PUT, and DELETE, and CORS misconfiguration that allows API access from unauthorised origins.
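The CORS misconfiguration mentioned above, as an added example that is not part of the original post: a loose suffix match on the Origin header beside an exact allow-list check (the origins are constructed for the demonstration).

```python
# Constructed allow-list of browser origins permitted to call this API with credentials.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_weak(origin):
    # Misconfiguration: a suffix match reflects the caller's Origin and still
    # allows credentials, so an unrelated site such as "https://notexample.com"
    # is accepted and its pages can read authenticated API responses.
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_strict(origin, allowed=ALLOWED_ORIGINS):
    # Hardened: compare the whole origin (scheme, host and port) exactly against
    # the allow-list. Lookalike hosts, subdomains of attacker-controlled domains
    # and the literal "null" origin all fail the exact match and get no CORS
    # headers, so the browser blocks the cross-origin read. Vary: Origin stops
    # a shared cache from serving one origin's headers to another.
    if not origin or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://notexample.com", "null"):
        print(o, "weak:", cors_headers_weak(o), "strict:", cors_headers_strict(o))
```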
Previously known as Sensitive Data Exposure, Cryptographic Failures is a broader category related to cryptography that usually results in the exposure of sensitive information. Its CWEs include a lack of encryption, poor password protection, and deprecated hash functions being used to protect sensitive data.
Injection vulnerabilities are flaws that allow attackers to send malicious input (also known as hostile data) through an application to a system or to other clients connected to that system. This includes exploits such as SQL injection, and more generally any user-supplied data that reaches an interpreter without being validated or sanitised by the application.
OWASP created Insecure Design as a new category for the OWASP Top 10 2021 report, covering design and architectural flaws within the development cycle. It is a fairly broad category that includes several different CWEs, but it is explicitly unrelated to poor implementation. Instead, it focuses on design practices that lack proper security measures, or vulnerabilities that cannot be fixed by even a perfect implementation.
Security Misconfiguration CWEs are typically due to poor security practices, or the lack of any. These issues can include out-of-date components, security features that are disabled, or errors that return detailed information to users.
Unlike other entries on this list, Vulnerable and Outdated Components is notoriously challenging to test and assess for risk, because it can differ wildly between two applications. Its vulnerabilities can include unsupported, out-of-date software and operating systems, or a lack of upgrades when components are updated.
Formerly known as Broken Authentication, Identification and Authentication Failures includes CWEs related to identification failures and authentication issues, as the name implies. Common CWEs include allowing brute-force attacks, weak passwords (like “admin” or “Password1”), and poorly encrypted password data stores.
Another new category, Software and Data Integrity Failures, covers issues related to CI/CD pipelines and automatic software updates. These issues can stem from automatically updated components or from using unsigned data sent to clients without an integrity check.
Security Logging and Monitoring Failures is primarily about the ability to detect and respond to security breaches. A critical vulnerability can go completely undetected when logging or detection is poor. Common CWEs include inserting sensitive information into log files, auditable events that never get logged, and logs that go completely unchecked.
Server-Side Request Forgery, one of the smaller categories, is new to the 2021 report. These flaws result from web applications that fetch remote resources without validating the user-supplied URL, leading to a request that can bypass firewalls and VPNs. Its prevalence has risen because of the more complex architecture of modern web applications in recent years, and the rise of cloud services in today’s software stacks.
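One way to validate a user-supplied URL before the server fetches it, as an added example that is not from the original post (the allow-listed hostnames are constructed): only http/https, no embedded credentials, no literal IP addresses, and the host must be on an explicit allow-list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hosts this service is supposed to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_safe_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the server should fetch this URL on a user's behalf."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input such as an unclosed IPv6 bracket
        return False
    if parts.scheme not in ("http", "https"):   # no file://, gopher://, etc.
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False            # reject "user@host" forms that confuse naive parsers
    # Literal IP addresses are never fetched: they sidestep the host allow-list
    # and are the usual route to loopback, link-local and private ranges that
    # sit behind the firewall the request is meant to bypass.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.lower() in allowed_hosts


if __name__ == "__main__":
    for u in ("https://images.example.com/a.png", "http://127.0.0.1/",
              "https://images.example.com@evil.example.net/"):
        print(u, "->", is_safe_fetch_url(u))
```

This check runs before any DNS lookup, so the HTTP client used afterwards should still refuse to follow redirects to non-allowed hosts and should be pinned to the resolved address to guard against DNS rebinding.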
Application security is paramount in today’s world, but it’s challenging for an application to be free from any vulnerability. OWASP’s Top 10 helps bring awareness to the most common and most critical of these weaknesses.
OWASP’s Top 10 has become an industry standard, and can be used as a guideline as well as a battle plan. Developing with these weaknesses in mind leads to a more secure application, and better designed code for the future.
While the OWASP Top 10 is not updated every year, OWASP does regularly restructure and combine CWEs into umbrella categories to better explain security risks as a whole. With this restructuring, these new categories were added to the Top 10:
As these categories were consolidated since 2017, there are a few notable changes to the Top 10 list:
OWASP provides a basis for testing web application security known as the Application Security Verification Standard (ASVS) Project. Utilising this resource can help your team establish testing and security controls, and it covers common vulnerabilities to form a baseline of protection. It also acts as a guideline for future security requirements as an application evolves, leading to a more secure future.
Uleska helps security and development teams manage application security at scale by automating and orchestrating their preferred security tools within CI/CD.
With Uleska, teams can confidently start an AppSec program using open-source, commercial, and custom tools and then quickly change, add or scale tools as the technology and business needs evolve. Uleska also brings speed and scale when integrating into development tools, and reporting of metrics and risk.
By bringing security, DevOps and development teams together, we help reduce manual tasks so that application security takes less time, costs less and can scale, allowing teams to focus resources on the issues and metrics that matter.