OWASP Top 10 2021: The Most Serious Web Application Security Risks
The final OWASP Top 10 2021 list is out, and it shows that broken access control is currently the most serious web application security risk.
How is the list compiled?
“We get data from organizations that test vendors by business, from bug bounty vendors, and from organizations that provide internal test data. Once we have the data, we load it together and do a fundamental analysis of which CWEs map to risk categories,” says the Open Web Application Security Project (OWASP).
“This Top 10 installment is more data driven than ever, but not blindly. We selected eight of the ten categories from the data provided and two categories from the Top 10 community survey at a high level.”
The reason for leaving room for direct input from frontline security and application development experts is that it takes time to find ways to test for new vulnerabilities, and such experts can offer knowledge about key weaknesses that the contributed data may not yet show.
The list is then published so that it can be reviewed by practitioners, who can provide comments and suggestions for improvements.
OWASP Top 10 2021: What has changed over the past 4 years?
According to OWASP (and as can be seen above), there are three new categories in this latest version of the OWASP Top 10: Insecure Design, Software and Data Integrity Failures, and Security Logging and Monitoring Failures.
“A new category for 2021 focuses on risks related to design and architectural flaws, with a call for greater use of threat modeling, secure design patterns and reference architectures. As a community, we need to move beyond ‘shift-left’ in the coding space to pre-code activities that are essential to the principles of Secure by Design,” noted OWASP.
The Software and Data Integrity Failures category covers failures related to software updates (insufficient integrity verification), critical data, and insecure CI/CD pipelines.
Security logging and monitoring are essential for detecting, escalating, and responding to active breaches.
Some other categories have been renamed (to focus on the root cause rather than the symptom) and redefined, and some have been consolidated.
The final list is as follows:
- A01:2021 – Broken Access Control
- A02:2021 – Cryptographic Failures
- A03:2021 – Injection
- A04:2021 – Insecure Design
- A05:2021 – Security Misconfiguration
- A06:2021 – Vulnerable and Outdated Components
- A07:2021 – Identification and Authentication Failures
- A08:2021 – Software and Data Integrity Failures
- A09:2021 – Security Logging and Monitoring Failures
- A10:2021 – Server-Side Request Forgery
OWASP explains each category in detail, with sample attack scenarios, references, lists of mapped CWEs, and tips on how to prevent vulnerabilities in that class.
The project also advises organizations on how to use the list (as a “reference”) to start an application security program.
“The OWASP Top 10 gives us powerful insight into how far appsec has come – and how far we still have to go. Half of the categories on the new list have appeared on every list since 2003 in one form or another, so 18 years of technological development, experience and learning were not enough to remedy these shortcomings. This means we need to change our approach to application security,” Sean Wright, senior application security engineer at Immersive Labs, told Help Net Security.
“The inclusion of ‘Insecure Design’ for the first time suggests to me that our approach to date is missing a vital piece of the puzzle: the people behind the screens. We need to empower developers to integrate security into their design, coding, and support efforts, and equip teams with the knowledge to effectively use technology to deliver more secure applications. It’s about giving people and technology the best chance to work together if we are to reduce the impact and spread of the vulnerabilities we see time and time again. Taking a hybrid human/tech approach to addressing these vulnerabilities will put us in a strong position to improve application security and, hopefully, solve some of the most important issues of the past two decades. Once we take steps to achieve this, I’m confident we’ll start to see less of the same in future OWASP Top 10 lists.”