OWASP Task Force Releases Top 10 Web Application Risks for 2021
The Open Web Application Security Project (OWASP) has published a draft of its Top 10 Web Application Security Risks 2021 list, with a number of changes from the 2017 edition (the last time the list was updated). OWASP has maintained the list since its first publication in 2003, with updates every few years.
In a September 8, 2021 announcement, OWASP noted that the draft Top 10 Web Application Security Risks for 2021 had been released for “peer review, comment, translation, and suggestions for improvements.” The draft, available for viewing online, makes significant changes to how the nonprofit categorizes today’s web application risks.
In the update, OWASP added three new categories: “Insecure Design”, “Software and Data Integrity Failures” and “Server-Side Request Forgery (SSRF)”.
Several 2017 categories have been merged into broader 2021 ones: “XML External Entities (XXE)” is now part of “Security Misconfiguration”, “Cross-Site Scripting (XSS)” has been folded into “Injection”, and “Insecure Deserialization” is now part of “Software and Data Integrity Failures”.
OWASP has also renamed several categories: “Sensitive Data Exposure” becomes “Cryptographic Failures”, “Broken Authentication” becomes “Identification and Authentication Failures”, “Using Components with Known Vulnerabilities” becomes “Vulnerable and Outdated Components”, and “Insufficient Logging & Monitoring” becomes “Security Logging and Monitoring Failures”.
OWASP Top 10 for 2021: The Complete List
1. A01:2021-Broken Access Control: 34 CWEs. Access control weaknesses include privilege escalation, URL tampering (parameter manipulation or force browsing), access control bypass, CORS misconfiguration, and primary key tampering that exposes another user’s records (insecure direct object references).
2. A02:2021-Cryptographic Failures: 29 CWEs. This category covers failures that expose data in transit or at rest, such as use of weak or deprecated cryptographic algorithms, weak or poorly managed key generation, missing encryption, failure to validate certificates, and transmission of data in cleartext.
3. A03:2021-Injection: 33 CWEs. Common injections affect SQL, NoSQL, OS commands, and LDAP, and typically result from user-supplied data that is not validated, filtered or sanitized before reaching an interpreter; the category now also covers XSS and external control of file names or paths.
4. A04:2021-Insecure Design: 40 CWEs. Insecure design weaknesses vary widely but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include unprotected storage of credentials, business logic errors, and error messages that reveal sensitive information.
5. A05:2021-Security Misconfiguration: 20 CWEs. Applications are considered vulnerable if they lack security hardening, if unnecessary features are enabled or privileges are overly permissive, if default accounts remain active, or if security features are present but not configured correctly.
6. A06:2021-Vulnerable and Outdated Components: 3 CWEs. This category covers client-side and server-side components whose versions are unknown or unsupported, failure to keep the underlying platform up to date (operating system, web server, libraries), and failure to test or secure the configuration of updated components.
7. A07:2021-Identification and Authentication Failures: 22 CWEs. Concerns include improper authentication, session fixation, certificate validation failures such as host mismatch, permitting weak or well-known passwords, and a lack of protection against brute-force and credential-stuffing attacks.
8. A08:2021-Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category: any code or infrastructure that does not protect against integrity violations, such as deserializing untrusted data or pulling code and updates from a remote source without verifying them, falls under it.
9. A09:2021-Security Logging and Monitoring Failures: 4 CWEs. This category covers problems that hamper detection and investigation of a breach or other attack, including failure to log auditable events such as logins and failed logins, failure to log high-value transactions, and storing logs only locally where they cannot be monitored or can be destroyed.
10. A10:2021-Server-Side Request Forgery (SSRF): 1 CWE. SSRF occurs when a server fetches a remote resource from a user-supplied URL without validating it, allowing an attacker to make the application send requests to unintended destinations, including internal services behind the firewall. OWASP says the adoption of increasingly complex cloud services and architectures has increased the severity of SSRF attacks.
Review of the draft usually takes several months. OWASP has also announced that it has a surprise for September 24, so stay tuned.
At K2 Cyber Security, we would like to help you with your RASP and IAST requirements. K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach that is not limited to detecting attacks based on prior attack knowledge. Deterministic security validates the application at runtime and verifies that API calls behave as the code expects. No prior knowledge of an attack or of the underlying vulnerability is used, which is what gives our approach the ability to detect new zero-day attacks. Our technology is covered by 8 granted or pending patents and produces no false alerts.
We also recently released a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks, and how deterministic security meets the need to detect them. It explains why artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, with specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses it. Watch the video now.
Change the way you protect your applications: add RASP, and check out K2’s application workload security.
Find out more about K2 today by requesting a demo or getting your free trial.