The Open Web Application Security Project (OWASP), founded by Mark Curphey, first released the OWASP Top 10 Web Application Security Risks in 2003. The Top 10 is the closest the development community has to a set of commandments on how to build secure applications. This list represents the most critical risks to software security today and is recognized by developers as the first step toward creating more secure code.
The OWASP Top 10 has been updated several times over the years. The most recent update in 2017 revamped the list after a comprehensive study that looked at more than 50,000 applications and analyzed some 2.3 million vulnerabilities.
The 2021 OWASP Top 10 list is the most data driven to date. A number of organizations provided data from more than 500,000 applications so that this update is based on the largest application security data set to date. Currently, the 2021 OWASP Top 10 is available for comments before the final version is released.
Application security risks have changed over the past four years. This year, three new categories made the list – Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery – and several categories that have been combined with others.
Changing Threats, from OWASP Top 10
Leading the OWASP Top 10 list for 2021 is Broken Access Control, which formerly held the fifth place position. Of the applications tested, 94% had some form of Broken Access Control, and the 34 CWEs that mapped to Broken Access Control had more occurrences than any other category.
In 2017, Injection Flaws, which occur when untrusted data is sent to an interpreter as part of a command or query, topped the list, but now this category ranks third. In addition, Cross-Site Scripting, which was seventh on the previous list, has been rolled into the Injection Flaws category.
A number of categories have been renamed to more accurately reflect the type of vulnerability encountered in today’s application. For example, Broken Authentication, which dropped from the number two spot in 2017 to number seven, has been renamed Identification and Authentication Failures. This category now includes CWEs that are more related to identification failures.
Following is the proposed list of the top web application security risks facing developers today.
The top risk this year is up from fifth position in 2017. Access controls enforce policies so that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure or modification, destruction of data, or performing a business function outside the user’s limits.
Previously known as Sensitive Data Exposure, Cryptographic Failures involve protecting data in transit and at rest. This includes passwords, credit card numbers, health records, personal information, and business secrets that require extra protection, especially if that data falls under privacy laws such as GDPR or regulations like PCI Data Security Standard (PCI DSS) for financial data.
Injection, which now includes Cross-Site Scripting, occurs when untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without proper authorization.
An application is at risk when user-supplied data is not validated, filtered, or sanitized by the application; dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter; hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records; or when hostile data is directly used or concatenated.
A new category this year, Insecure Design focuses on risks related to design flaws. This means using more threat modeling, secure design patterns and principles, and reference architectures to shift security left. It is a broad category representing many different weaknesses. According to OWASP, “Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. Secure design requires a secure development lifecycle, some form of secure design pattern or paved road component library or tooling, and threat modeling.”
Up one spot from the previous Top 10, this category includes such things as missing security hardening across any part of the application stack, improperly configured permissions on cloud services, any unnecessary features that are enabled or installed, and unchanged default accounts or passwords. The former category XML External Entities (XXE) is now included in Security Misconfiguration.
Formerly called Using Components with Known Vulnerabilities, this category moves up from ninth position in 2017. This category includes any software that is vulnerable, unsupported, or out of date. If you do not know the versions of your components – including all direct and indirect dependencies – or you do not regularly scan and test your components, you are likely at risk. The good news here is that there are excellent automated Software Composition Analysis solutions available to help you manage your open source dependencies.
Security risk occurs when a user’s identity, authentication, or session management is not properly handled, allowing attackers to exploit passwords, keys, session tokens, or implementation flaws to assume users’ identities temporarily or permanently. Previously called Broken Authentication, this category moved lower down the Top 10 list because the increased availability of standardized frameworks has effectively reduced risk.
A new category this year, Software and Data Integrity Failures refer to code and infrastructure that fails to protect against integrity violations. This includes software updates, critical data, and CI/CD pipelines that are implemented without verification. An example of this includes objects or data encoded or serialized into a structure that an attacker can modify. Another example is an application that relies upon plugins, libraries, or modules from untrusted sources. Insecure CI/CD pipelines that can introduce the potential for unauthorized access, malicious code, or system compromise also fit into this category. Lastly, applications with auto-update functionality, in which updates are downloaded without sufficient integrity verification and applied to a previously trusted application, are considered software and data integrity failures because attackers could infiltrate the supply chain to distribute their own malicious updates. Insecure Deserialization from the 2017 Top 10 has been rolled into this category.
This category includes errors in detecting, escalating, and responding to active breaches. Without logging and monitoring, breaches cannot be detected. Examples of insufficient logging, detection, and monitoring include not logging auditable events like logins or failed logins, warnings and errors that generate inadequate or unclear log messages, or logs that are only stored locally. Failures in this category impact visibility, incident alerting, and forensics. This category was previously called Insufficient Logging and Monitoring.
Server-Side Request Forgery occurs when a web application fetches a remote resource without validating the user-supplied URL. An attacker can coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL. Though SSRF shows a relatively low incidence rate in the data OWASP reviewed, this category was added based on the industry survey results; users are concerned that SSRF attacks are becoming more prevalent and potentially more severe due to increased use of cloud services and the complexity of architectures.
The OWASP Top 10 is not an exhaustive list of every possible security attack. Instead, it is a guide that identifies the most common mistakes that are more likely to result in an application breach. A determined attacker can find many ways to infiltrate their target. Smart developers and security professionals use the OWASP Top 10 to get the biggest bang for their buck, so to speak, by focusing their efforts on the issues with the broadest and biggest potential impact.
If you need proof that the OWASP Top 10 works, you only need to look at Identification and Authentication Failures, which dropped to seventh place this year from the second spot in 2017. Being placed high on the 2017 list brought about more awareness which resulted in better standards and tools, such as the increased use of multi-factor authentication. The net result was a significant drop in identification and authentication flaws.
In effect, the OWASP Top 10 is about promoting better security best practices. It helps both developers and security professionals weave security in from the earliest stages of development all the way through deployment. The Top 10 encourages and empowers teams to keep security front of mind in how they code, configure, and ship out their products, which makes for more secure applications all around.