OWASP Top 10 2021 Explained

The Complete 2021 OWASP Top 10 List Explained

Compromises in the application layer are now responsible for 40% of breaches. Two years ago that was 24%. Clearly, it is time to pay attention to application security. OWASP will give you a running start with their Top 10.

Why use OWASP top 10 vulnerabilities?

Imagine if a dozen of the top cybersecurity experts in the world reviewed your software for security problems. Since application security is generally not well covered in university, college, and bootcamp software courses, it’s likely they would find a lot of problems!

Of course, hiring even 1 security expert to review your work is out of reach for a lot of software teams, let alone 12 experts. But you can do the next best thing: you can check out the OWASP Top Ten 2021.

What is the OWASP Top 10 list?

The OWASP Top 10 is an important awareness document for web developers and web application security professionals. It represents a broad industry consensus from cyber security experts about the most critical security risks to web applications.

OWASP Top-10 in-depth

This webinar provides defensive instruction in relation to the OWASP Top Ten to aid developers in authoring secure software. Jim Manico and Julius Musseau covered the OWASP Top-10 (2021 Edition) in-depth:

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failure
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failure
  • A10:2021-Server-Side Request Forgery

About the panelists:

Jim Manico

Julius Musseau

Webinar Highlights

#1 – Access Control

It sits at number one because access control is extremely hard to verify through automation, even when the access control design is simple.
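The reason automation struggles here is that a correct and a broken authorization check look identical to a black-box scanner: both return a normal response for a legitimate request, and only the intended ownership policy (which a scanner does not know) separates them. The following illustration is added here and is not code from the webinar or the panelists; the document store, user names and handler names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store: ids, owners and contents are made up for this example.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def get_document_broken(current_user, doc_id):
    # Broken access control: the handler authenticates (someone is logged in)
    # but never authorizes. Any logged-in user can read any document simply
    # by supplying its id (an insecure direct object reference).
    if current_user is None:
        raise Forbidden("login required")
    return DOCUMENTS[doc_id].body


def get_document_checked(current_user, doc_id):
    # Hardened: deny by default. The server re-checks ownership on every
    # request instead of trusting the id the client chose to send.
    if current_user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != current_user:
        # Same refusal for "missing" and "not yours" so ids are not enumerable.
        raise Forbidden("access denied")
    return doc.body


def scanner_view(handler, current_user, doc_id):
    # What a black-box scanner observes: a status code, not whether the
    # access was legitimate. For the owner's own document both handlers
    # answer 200, so the scanner cannot tell the broken one apart without
    # knowing the policy.
    try:
        handler(current_user, doc_id)
        return 200
    except Forbidden:
        return 403
```

Running `scanner_view` over both handlers for a legitimate request yields 200 in both cases; only a request for another user's document reveals the difference, and deciding that such a request should be refused requires knowing who owns what, which is exactly the policy knowledge a scanner lacks.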

#2 - Cryptographic Failure

“Crypto is like it’s equivalent to like you bring an IKEA desk to your house and then because you failed to tighten one of the screws properly, your whole house burns down.”

The important thing to keep in mind is that as the need to encrypt more data grows in this golden age of the app, so does the need to get the cryptography right, because services are actively being attacked. The pressure to perform it correctly therefore keeps increasing.

Tools to help avoid cryptographic failures:

  1. Mozilla SSL Configuration Generator
  2. Google Tink (a powerful, well-vetted library available for Java, Python, and Objective-C)
  3. Hardenize

#3 – Injection

It has dropped from number one because the industry is getting a handle on it; however, it remains a major problem.

How to deal with it?

From the attacker’s side, scanners are very good at finding this problem in code and at exploiting it automatically. The defense is straightforward: parameterized queries, super strict validation where you can’t parameterize, and configuring your database according to the principle of least privilege.
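To make the first two defenses concrete, the following is an added example (not code from the webinar or the panelists) that puts a string-concatenated query beside its parameterized equivalent and adds an allow-list validator for the case where a value cannot be passed as a parameter. It uses Python's standard-library sqlite3 module with a constructed in-memory table; the table, user names and function names are assumptions for this illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample database for the example; the rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: untrusted input is spliced into the SQL text, so the input
    # can change the structure of the query, not just the value compared.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, username):
    # Hardened: the SQL text is fixed at development time and the value is
    # handed to the driver separately, so it can only ever be compared as data.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Allow-list for a username: lowercase letters, digits and underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    # Strict allow-list validation, for the cases where a value cannot be
    # parameterized (identifiers such as table or column names, sort keys).
    # Reject anything that is not exactly the expected shape.
    return USERNAME_RE.fullmatch(username) is not None
```

The third defense, least privilege, lives in the database rather than in the application code: the account the application connects with should be granted only the statements and tables it needs, so that even a successful injection cannot read or alter data outside that scope.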

#4 - Insecure Design

It emphasizes risks associated with design flaws. To promote a proactive security approach, the industry should adopt threat modeling, secure design patterns and principles, and reference architectures.

#5 - Security Misconfiguration

Approximately 90% of applications exhibited some form of misconfiguration. As software becomes more highly configurable, it is not surprising to see this category rise. The former category for XML External Entities (XXE) is now included in this category.

#6 - Vulnerable and Outdated Components

It poses a known issue as it is challenging to test and assess risk. Notably, it is the only category without any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so it receives default exploit and impact weights of 5.0.

#7 - Identification and Authentication Failures

It now includes CWEs more closely related to identification failures. Although still an integral part of the Top 10, the increased availability of standardized frameworks appears to be helping reduce it.

#8 - Software and Data Integrity Failures

It focuses on assumptions about software updates, critical data, and CI/CD pipelines made without verifying their integrity. This category carries one of the highest weighted impacts based on Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data.

#9 - Security Logging and Monitoring Failure

This category has been expanded to include more types of failures and is challenging to test. It is not well represented in the CVE/CVSS data, but failures in this category can directly impact visibility, incident alerting, and forensics.

#10 - Server-Side Request Forgery

Although the incidence rate is relatively low, it received above-average testing coverage and ratings for exploit and impact potential. The security community emphasizes the importance of this category, despite the limited data illustrating its significance at present.


About the Author

Julius Musseau

Co-founder & CTO. Senior architect and developer with strong academic background and roots in the open source community. Contributor to a number of important open source projects.