The alarming escalation to 40% of data breaches originating from application layer vulnerabilities represents not just a statistic, but a clarion call to the industry. This figure marks a significant increase from the 24% reported merely two years prior, underscoring an urgent need for a strategic focus on application security.
Obviously, it is time to pay attention to application security.
The Open Web Application Security Project (OWASP) will give you a running start with their OWASP Top 10. This list is more than a set of guidelines; it’s a strategic tool for web developers and security professionals, spotlighting the most critical security risks in web applications.
What is the OWASP Top 10 list?
The OWASP Top 10 is a pivotal awareness document for web developers and professionals engaged in web application security. It represents a consensus view from experts in the field regarding the most pressing security risks associated with web applications.
By addressing these vulnerabilities, developers can significantly enhance their applications’ security, reduce the risk of data breaches, and protect sensitive information from malicious actors.
The Method Behind the 2021 Edition
The 2021 edition of the OWASP Top 10 is a blend of data-driven insights and expert opinions. It’s a testament to the evolving nature of web security, balancing historical data with current trends and frontline experiences.
Why use OWASP top 10 vulnerabilities?
Imagine if a dozen of the top cybersecurity experts in the world reviewed your software for security problems. Since application security is generally not well covered in university, college, and bootcamp software courses, it’s likely they would probably find a lot of problems!
Of course, hiring even a single security expert to review your work is out of reach for a lot of software teams – let alone 12 experts. But you can do the next best thing; you can check out the OWASP Top Ten 2021.
A Closer Look at the OWASP Top-10 (2021 Edition)
The OWASP Top-10 (2021 Edition) comprises a list of ten critical security vulnerabilities that developers should be acutely aware of when designing, developing, and maintaining web applications.
Let’s take a deeper dive into each of these vulnerabilities to understand their significance:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failure
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failure
- A10:2021-Server-Side Request Forgery
#1 – Broken Access Control
Broken Access Control vulnerabilities are justifiably considered the most critical security issue, given their complexity and the difficulty in effective verification. Even the most carefully considered access control systems can inadvertently become a conduit for significant security threats.
The data indicates that an average of 3.81% of applications tested had one or more related Common Weakness Enumerations (CWEs), with over 318,000 occurrences. This category encompasses 34 CWEs, more than any other category.
These weaknesses are notoriously challenging to detect, especially by automated processes, thus presenting an attractive target for nefarious actors.
#2 -Cryptographic Failure
“Cryptographic failures is like it’s equivalent to like you bring an IKEA desk to your house and then because you failed to tighten one of the screws properly, your whole house burns down.”
Moving up the list, Cryptographic Failures, formerly known as Sensitive Data Exposure, can be analogized to the catastrophic consequences of a minor oversight in furniture assembly leading to a devastating house fire. As we progress into a new era of digital security, the necessity for encryption intensifies, along with the imperative to execute it flawlessly under increasing threats to services.
To prevent cryptographic failures, consider using tools such as:
- Mozilla SSL Configuration Generator
- Google Tink (it is a really powerful, well-vetted library java, python, and OBJ-C)
- Hardenize
#3 – Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
While the prevalence of injection attacks has decreased in recent years, they still pose a significant threat. Scanners are highly effective at detecting injection vulnerabilities in code and launching attacks.
How to deal with it?
If you want to attack, scanners are awesome at finding this problem in code, and they’re awesome at launching attacks through scanners. And the defense is straightforward parameterized queries, super strict validation when you can’t parameterize, and configuring your database using the principle of least privilege.
#4 - Insecure Design
Insecure Design highlights the perils inherent in flawed application architecture. The industry is encouraged to integrate threat modeling, establish secure design patterns and principles, and utilize reference architectures to address security concerns at the design phase proactively.
#5 - Security Misconfiguration
Security Misconfiguration manifests in a striking majority of applications, with an estimated 90% affected. This category has seen a rise in prevalence as software becomes more highly configurable. Security misconfigurations can lead to serious vulnerabilities, and addressing them is crucial for maintaining the integrity of web applications.
Additionally, the former category for XML External Entities (XXE) is now included in this category.
#6 - Vulnerable and Outdated Components
This vulnerability category poses a unique challenge, as it involves testing and assessing the risk of using components that are known to have security issues.
Notably, it is the only category without any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, but it receives default exploit and impact weights of 5.0.
Developers should ensure that they:
- Regularly update and patch all components.
- Remove unused dependencies, unnecessary features, components, and files.
- Continuously monitor for newly disclosed vulnerabilities in third-party components.
#7 - Identification and Authentication Failures
Identification and Authentication Failures can have profound implications, often leading to unauthorized system access and consequent data breaches. As such, they can allow attackers to compromise passwords, tokens, or keys, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
This category has been refined to encompass CWEs more closely related to identification failures. While these issues continue to be a staple in the Top 10, the advent of standardized frameworks has enhanced their manageability and effectiveness.
Companies should:
- implementing multi-factor authentication
- ensuring secure session management
- protecting user credentials.
#8 - Software and Data Integrity Failures
This category underscores the importance of ensuring the integrity of software updates, critical data, and continuous integration/continuous deployment (CI/CD) pipelines integrity without proper verification.
Failures in this area can have severe consequences, and it is one of the categories with the highest impact ratings based on Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data.
#9 - Security Logging and Monitoring Failure
Security Logging and Monitoring Failures have been broadened to include additional types of lapses and remain challenging to test. Although it is not heavily represented in CVE/CVSS data, failures in this category critically hinder visibility, incident response, and forensic investigation.
#10 - Server-Side Request Forgery
Server-Side Request Forgery may occur less frequently, but the security sector accords it a higher-than-average importance due to its exploitation and impact potential. It occur when an application fetches a remote resource without validating the user-supplied URL. This can allow an attacker to induce the application to fetch an unintended resource, which can lead to unauthorized actions.
Mitigation involves validating and sanitizing all user-supplied input, especially URL data, and implementing robust network-level controls.
The category is emphasized by the security community despite the paucity of data to demonstrate its significance.
Protect your application OWASP top 10 vulnerabilities
The OWASP Top 10 is an essential resource for web developers, software engineers, and security professionals, aiding in the identification, comprehension, and remediation of the most critical web application security vulnerabilities.
Proactive engagement with these vulnerabilities allows developers to significantly fortify the security of their software, diminish the risk of data breaches, and safeguard sensitive information from malicious entities.
Exploring SCA tool, like MergeBase, is essential to enhancing your application security strategy.
MergeBase offers a range of benefits and features that can significantly bolster your defense against security threats.
Meet the Panelists
To gain a deeper understanding of these vulnerabilities and how to mitigate them effectively, it’s beneficial to learn from experts in the field. The following panelists provided insights into the OWASP Top-10 (2021 Edition) during a webinar:
Jim Manico
- Founder, CEO, and Lead Instructor, Manicode Security.
- OWASP Former Global Board Member.
- Project Leader of the OWASP Application Security Verification Standard (ASVS) Project.
- Project Leader of the OWASP Cheatsheet Series.
Julius Musseau
- Co-Founder and Advisor, MergeBase.
