OWASP Top 10 2021 Explained

The Complete 2021 OWASP Top 10 List Explained

Compromises in the application layer are now responsible for 40% of breaches. Two years ago that was 24%. Obviously, time to pay attention to application security. OWASP will give you a running start with their Top 10

Why use OWASP top 10 vulnerabilities?

Imagine if a dozen of the top cybersecurity experts in the world reviewed your software for security problems.  Since application security is generally not well covered in university, college, and bootcamp software courses, it’s likely they would probably find a lot of problems! 

Of course, hiring even 1 security expert to review your work is out of reach for a lot of software teams – let alone 12 experts. But you can do the next best thing; you can check out the OWASP Top Ten 2021

What is the OWASP Top 10 list?

The OWASP Top 10 is an important awareness document for web developers and web application security professionals. It represents a broad industrial consensus from cyber security experts about the most critical security risks to web applications.

OWASP Top-10 in-depth

This webinar provides defensive instruction in relation to the OWASP Top Ten to aid developers in authoring secure software. Jim Manico and Julius Musseau covered the OWASP Top-10 (2021 Edition) in-depth:

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failure
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failure
  • A10:2021-Server-Side Request Forgery

About the panelists:

Jim Manico

Julius Musseau


Still interested in learning more? Check other webinars.

Webinar Highlights

#1 – Access Control

It is the top 1 because it is extremely hard to verify, even easy access control designs through automation.

#2 -Cryptographic Failure

“Crypto is like it’s equivalent to like y_ou b_ring an IKEA desk to your house and then because you failed to tighten one of the screws properly, your whole house burns down.” 

The important thing that people need to have in mind is Just as the need to do more encryption as we enter the golden app increases the age of security, so does the need to get this right as services are attacked. Therefore, the pressure to perform it right increases.

Tools to help to avoid Cryptofailures:

  1. Mozilla SSL Configuration Generator 
  2. Google Tink (it is a really powerful well-vetted library java python and objective-c)
  3. Hardenize 

#3 – Injection

It has decreased from number one because we are getting a handle on it; however still epic.

How to deal with it?

If you want to attack, scanners are awesome at finding this problem in code, and they’re awesome at launching attacks through scanners. And the defense is straightforward parameterized queries, super strict validation when you can’t parameterize, and configuring your database using the principle of least privilege.

#4 - Insecure Design

It emphasizes risks associated with design flaws. To promote a proactive security approach, the industry should adopt threat modeling, secure design patterns and principles, and reference architectures.

#5 - Security Misconfiguration

Approximately 90% of applications exhibited some form of misconfiguration. As software becomes more highly configurable, it is not surprising to see this category rise. The former category for XML External Entities (XXE) is now included in this category.

#6 - Vulnerable and Outdated Components

It poses a known issue as it is challenging to test and assess risk. Notably, it is the only category without any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, but it receives default exploit and impact weights of 5.0.

#7 - Identification and Authentication Failures

It now includes CWEs more closely related to identification failures. Although still an integral part of the Top 10, standardized frameworks have increased its availability and effectiveness.

#8 - Software and Data Integrity Failures

It focuses on the assumption of software updates, critical data, and CI/CD pipeline integrity without proper verification. This category carries one of the highest weighted impacts based on Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data.

#9 - Security Logging and Monitoring Failure

This category has been expanded to include more types of failures and is challenging to test. It is not well represented in the CVE/CVSS data, but failures in this category can directly impact visibility, incident alerting, and forensics.

#10 -Server-Side Request Forgery

Although the incidence rate is relatively low, it received above-average testing coverage and ratings for exploit and impact potential. The security community emphasizes the importance of this category, despite the limited data illustrating its significance at present.

Protect your application OWASP top 10 vulnerabilities

Julius Musseau

About the Author

Julius Musseau

Co-founder & CTO. Senior architect and developer with strong academic background and roots in the open source community. Contributor to a number of important open source projects.