OWASP is an acronym for the Open Web Application Security Project, a non-profit organisation that works to improve the security of web applications. To achieve this, OWASP regularly produces articles, methodologies, documentation, and tools aimed at web application developers and information security professionals – the most renowned of which is the OWASP top 10.
What is the OWASP Top 10?
The OWASP Top 10 is a standard awareness document, designed to help developers and information security professionals improve the security and privacy of the applications they develop and penetration test.
The document gives an overview of the ten most critical security risks to web applications, based on broad industry consensus and data points, such as software and hardware Common Weakness Enumeration (CWE) mapping, the percentage of applications vulnerable to certain CWEs, and their usage in organisations. As well as this, OWASP considers the weighted exploit and average metrics of a vulnerability, using CVSS scores.
What’s changed in the Top 10 for 2021?
OWASP released the first Top 10 in 2003, and the list is typically updated every three to four years. It released the most recent iteration in October 2021. The update features three new categories: insecure design; software and data integrity failures; and server-side request forgery (“SSRF”) attacks.
OWASP has also renamed several categories. This includes the Cross-Site Scripting category which has become the Injection vulnerability category. This includes 33 CWEs and injection types such as SQL and NoSQL. Similarly, the Using Components with Known Vulnerabilities category has become the Vulnerable and Outdated Components category.
Below is an overview of each of the ten categories, beginning with the new additions.
This broad category encompasses several vulnerabilities, which can be categorised as “missing or ineffective controls”. Missing defines an absent control, whilst ineffective describes a control that fails to achieve its purpose. This risk generally stems from the culture and design methodology of an organisation.
This emphasis on design reinforces the DevOps industry’s increased focus on ‘shifting left’, whereby security is embedded into the design and architecture of applications, rather than bolted on at a later stage. In this category, OWASP has also highlighted the importance of threat modelling integration into refinement sessions.
A08:2021-Software and Data Integrity Failures
Software and data integrity failures relate to code and application infrastructure that fails to provide sufficient integrity checks when updating or relying on plugins, libraries, or modules from untrusted sources and repositories. The category covers several potential issues, from deserialization through to software CI/CD pipelines.
The category is an expansion of 2017’s insecure deserialization category, with a broader focus on ensuring application developers and administrators do not make assumptions about software updates, critical data, and CI/CD pipelines without, first, verifying their integrity.
Request Forgery (SSRF)
SSRF flaws are another class of vulnerability that occurs due to poor user input validation. An SSRF occurs when a threat actor can craft a malicious command in their URL that coerces the target application into sending an HTTP request to an unexpected destination of the malicious actor’s choosing.
OWASP chose to include this category based on industry feedback. It noted that there has been a low incident rate for this category and expects it to be converted into a larger category in a future edition of the Top 10.
Previously Cross-Site Scripting, this category has expanded to focus on all injection attacks. These refer to a broad class of attacks, including cross-site scripting and SQL injections, and are a significant cause of risk to web-based applications. This type of vulnerability commonly occurs when a threat actor can exploit poor user input validation or insecure coding practices to inject malicious code or content, which is then executed by the application or webpage.
A06:2021-Vulnerable and Outdated Components
Renamed from Using Components with Known Vulnerabilities, OWASP has expanded the scope of this category – this time to include the vulnerabilities associated with outdated open-source libraries. The new category considers that cyber threats are inherently dynamic. Therefore, running out-of-date components within an application presents a significant cyber risk.
A07:2021-Identification and Authentication Failures
Previously Broken Authentication, this category now includes CWEs that are associated with identification failures. Effective user authentication and session management is vital to prevent authentication related attacks. For example, an application could be vulnerable to brute force password attacks, use weak password controls, or employ poor session management that allows a threat actor to hijack a valid user’s session.
A09:2021-Security Logging and Monitoring Failures
This category has been renamed from Insufficient Logging and expanded to include more types of failures. Logging and monitoring are vital for an enterprise’s ability to detect and respond to an active breach effectively. This category offers guidance to help organisations detect, escalate, and respond to active breaches to mitigate the risk that an active breach is not identified.
Remains the same
A01:2021-Broken Access Controls
Access control policies define and enforce what each user can and cannot access. Access control failure has the most occurrences in OWASP’s dataset, with over 318,000 instances. Access control is only effective when a malicious user cannot manipulate access controls within the application to gain access to data for which they do not have authorisation for or bypass the checks altogether.
Cryptography is the primary means by which sensitive data is protected both in transit and when stored. Too often, data breaches occur because of the mismanagement of cryptographic controls. Cryptographic failures are rarely the fault of a design weakness in the underlying tool. Most often these issues occur due to poor implementation, a process failure, or improper key management.
Employing strong security controls is an integral part of securing web applications. However, strong technical controls fail if misconfigured. This issue is becoming more common, as more applications use highly configurable software, leading to improperly configured permissions and sub-standard security hardening.
The final OWASP Top 10 2021 list is as follows:
OWASP has provided granular guidance for each of the categories, which can be found in the OWASP Top 10 2021 document. The document offers a foundational checklist for a mature application security programme. However, the Top 10 is just that – a list of the top 10 vulnerabilities. Organisations are vulnerable to more weaknesses and must not simply treat the list as a finite checklist.
To create a robust application security programme, organisations must combine the principles of privacy-by-design with rigorous dynamic testing and regular web application penetration tests. You can find out more about penetration tests, and the different types, in our guide to penetration testing.
If you are unsure if your software development methodology encompasses security and privacy by design, we can help. Our consultancy services will establish how well you manage privacy by design into your software development life cycle.