OWASP Updates Top 10 Web Application Security Risks
OWASP Top Ten Updates: What’s Changed?
OWASP Updates Top 10 Web Application Security Risks
The Open Web Application Security Project, or OWASP, is a non-profit organization dedicated to improving software security. They offer a variety of services to help developers improve, including tools, social events, and educational resources. They also offer helpful guides, including the recently updated OWASP Top 10 Web Application Security Risks.
But first, how does OWASP determine the top ten web application security risks? OWASP creates its list of risks for web applications using both data analysis and industry surveys. They use data applications specifically for analysis to determine the data-based part of the list. Two of the top ten risks are determined by survey responses returned by community members. This process allows developers to highlight risks they often encounter that may not be reflected in the data analyzed.
What are the top 10 security risks for OWASP web applications?
The OWASP Top 10 Web Application Security Risks List has recently been updated. Comparing it to the previous version, released in 2017, developers may find long-standing issues hampering software development as well as newly recognized issues.
The lists include:
Breaking the risks: 2017 to 2021
Now let’s take a closer look at what has changed between the OWASP Top 10 2017 and the OWASP Top 10 2021!
Injection risks describe the insertion of unreliable data into an interpreter as part of a command or request. This category includes among others SQL, NoSQL, OS and LDAP injections. Malicious injections seek to subvert performers by executing harmful commands or revealing sensitive data. This risk category now includes inter-site script, which had its own entry in the 2017 list. One way to prevent injection vulnerabilities is to separate data from requests and commands.
Broken authentication, as the name suggests, occurs when poorly implemented session management creates opportunities for attackers to take over user accounts. Threatening actors who break authentication or other session management functions can gain access to session passwords, keys, or tokens. They may also be able to capture identities of legitimate users and exploit them as well. This risk category has become Identification and authentication failures in the 2021 version of the OWASP list.
Sensitive data exposure
Sensitive data can be exposed by applications or APIs that do not have adequate built-in protections. For enhanced security, it is important to provide safeguards for data in transit or at rest. Sensitive data is a valuable asset for threat actors, which makes data security particularly important. Stolen data can be monetized by committing fraud, blackmail, identity crimes or sold on the dark web. In the 2021 list, this category was merged into cryptographic failures.
XML External Entities (XXE)
XML Eternal Entities (XXE) risks describe vulnerabilities that allow the exploitation of XML processors to commit DDOS attacks or perform other malicious activities. Outdated or misconfigured XML processors can also reveal internal files, file shares, perform internal port scanning, and execute code remotely. Since XXE attacks rely on enabling Document Type Definitions (DTDs), it is recommended that you disable them whenever possible. While disabling DTDs is not an option, OWASP has an XXE prevention cheat sheet that offers alternative security steps. In the 2021 list, this category was merged into poor security configuration.
Broken access control
Broken access control is a broad category of risk that generally describes vulnerabilities that allow attackers to bypass authorization restrictions. Examples include elevation of privilege attacks, circumvention of access control controls, and the use of insecure direct object references, among others. Attackers who exploit broken access control measures can steal private data, hijack user accounts, modify user rights, or perform other malicious activities.
Incorrect security configuration
Poor security configurations are the most common security risk affecting web applications. They are often the result of:
- Rely on accounts, passwords or default configurations
- Leave unnecessary ports, accounts, services, or other features enabled
- Incomplete or outdated security configurations
- Obsolete or uncorrected software
- Incorrectly configured HTTP headers
- Error messages that say too much about the underlying system
Preventing security configuration errors relies on establishing a repeatable and efficient process for hardening systems, software, and processes.
Vulnerable and obsolete components
The use of unpatched, obsolete, or vulnerable components in an application compromises its security and can expose it to various cyber attacks. These risks arise from vulnerabilities in libraries, frameworks, and various modules that obtain the same permissions as the application when executed. Disabling unnecessary dependencies, using only reliable components, and following a reliable patch management process can reduce exposure to these risks. This category was named using components with known vulnerabilities in the 2017 list.
Security logging and monitoring failures
Quickly identifying a breach is critical to minimizing damage, but insufficient logging and monitoring hamper threat detection efforts. Studies indicate that it takes an average of 228 days to detect a breach, giving attackers enough time to wreak havoc. Applications can mitigate these risks by ensuring that security events are logged, error / warning messages are clear and concise, and that high-value transactions have audit trails. This category has been named insufficient logging and monitoring in 2017.
Cryptographic failures occur when sensitive data or secrets are not sufficiently protected. Sensitive data should be encrypted or stored as a hash while in transit or at rest. For example, passwords should be stored as a hash instead of plain text, and sensitive personal information should only be transmitted over HTTPS. Failure to protect sensitive data can lead attackers to commit fraud, blackmail, identity theft or other information crimes. Businesses can face severe penalties for exposing sensitive data due to a violation of privacy laws like EU GDPR or financial industry PCI-DSS. These risks include those listed in the sensitive data exposure category from the 2017 list.
This is a new category that covers risk exposures due to “missing or ineffective control design”. It differs from insecure implementation in that a faulty design can never be perfectly implemented, while a perfect design can be poorly implemented. Flawed designs may lack necessary security controls, have dependencies with known vulnerabilities, or be fundamentally insecure for other reasons. These risks can be mitigated by using secure models and design principles and by performing in-depth threat modeling and testing.
Software data and integrity failures
This new risk category broadly encompasses failures related to incorrect assumptions about software updates, critical data, and CI / CD pipelines. This includes applications that rely on insecure components or services such as libraries, plug-ins, or content delivery networks. It also encompasses unsafe deserialization (from 2017), which occurs when serialized data from a file, network socket, or stream is unsecuredly transformed into an object. These risks can be mitigated by using only trusted repositories or by verifying dependencies through extensive security testing.
Server-side request forgery
This new risk category is for web applications that do not verify or validate user-supplied URLs before retrieving remote resources. Attackers can exploit these vulnerable applications to send specially crafted requests to malicious URLs, thereby bypassing firewalls, VPNs, or access control lists. These risks can be mitigated by network segmentation, disabling HTTP redirection, sanitizing user input, and other measures.
Benefits of Using the Top 10 OWASP Web Application Security Risks List
The Top 10 OWASP Web Application Security Risks List is a handy reference to guide developers through common issues that make code insecure. As developers become more familiar with detecting and managing these risks, their applications will benefit from becoming more resistant to cyber threats. Appsec users can also benefit from considering these top risks when creating security processes. Organizations can use the list to proactively incorporate procedures that identify and address these risks throughout the software development lifecycle.
For more information on how to avoid OWASP web application risks and other code security issues, visit ShiftLeft.io. ShiftLeft is dedicated to promoting secure code practices and offers several tools and resources to help developers write stronger, more resilient applications.
OWASP Updates the Top 10 Web Application Security Risks was originally posted on ShiftLeft Blog on Medium, where people continue the conversation by highlighting and responding to this story.
*** This is a Syndicated Security Bloggers Network blog from ShiftLeft Blog – Medium written by the ShiftLeft team. Read the original post at: https://blog.shiftleft.io/owasp-updates-the-top-10-web-application-security-risks-4cb9901fee0a?source=rss—-86a4f941c7da—4