The OWASP Foundation has just released the 2021 edition of the Top 10 ranking. Because the list shapes where developers and security teams focus their attention, and so influences the quality of web software, we wanted to analyze the most significant changes.
Table of contents
What is the OWASP Top 10?
How is the OWASP Top 10 selected?
OWASP Top 10 2021
- A01:2021 – Broken Access Control
- A02:2021 – Cryptographic Failures
- A03:2021 – Injection
- A04:2021 – Insecure Design
- A05:2021 – Security Misconfiguration
- A06:2021 – Vulnerable and Outdated Components
- A07:2021 – Identification and Authentication Failures
- A08:2021 – Software and Data Integrity Failures
- A09:2021 – Security Logging and Monitoring Failures
- A10:2021 – Server Side Request Forgery
How to mitigate the OWASP Top 10 risks
Do you need help solving OWASP Top 10 risks?
What is the OWASP Top 10?
The OWASP Top 10, a ranked list of the most prevalent application security risks, is one of OWASP's most popular flagship projects and is effectively the reference document of the application security industry, used by AppSec vendors, security practitioners, developers, students, and IT managers alike.
The OWASP Top 10 also works as a communication device that simplifies the very complex domain of web security: most people with basic development knowledge can understand the risks, and the fact that the ranking applies across languages and frameworks helps spread security best practices.
How is the OWASP Top 10 selected?
In short, the OWASP Top 10 is built from two sources: vulnerability data contributed by organizations that test software, and a survey of security professionals. In their own words:
There are two primary components to defining what ten risks are in the list. First is a data call cast out for organizations to contribute data they have collected about web application vulnerabilities found in various processes. This data will identify eight of the ten risks in the Top Ten. In 2017 organizations contributed data that covered over 114k applications, for the 2021 data call, we are more than double that so far.
Source: OWASP Top 10
This is a sensible approach: the data reflects what is actually being found in applications today, while the survey adds the forward-looking judgement of industry professionals.
The reason for the survey is that solely relying on testing data has some limitations and blind spots. We will only get a volume of data on vulnerabilities found once we figure out how to manually test for them, convert that to automated testing, and scale it beyond a few organizations. As a result, we have a time lag, and looking at just the data will always be looking at some point in the past. The time lag is why we create the survey for people in the front lines to share what they believe are essential categories based on their experiences. We will use the survey results to pull in up to two categories that we don’t have data (yet) to represent.
Source: OWASP Top 10
OWASP Top 10 2021
Here is a chart summarizing the 2021 Top 10 ranking and the changes from the 2017 edition:

A01:2021 – Broken Access Control
The application's features, use cases, and domain data are not properly protected, so users can act outside their intended permissions, for example by reading or modifying other users' records just by changing an identifier in the request. It moves up from A05:2017 to become the new number one risk: according to OWASP, 94% of the applications in the data set were tested for some form of broken access control, and the category had more occurrences in the contributed data than any other.
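The classic instance of this risk is an object-level check that is simply missing. The following is an added example, not code from the original post: a "before" handler that returns whatever document id the request names, beside a "fixed" handler that scopes the lookup to the calling user. The `Document` type, the user ids and the records are constructed for the example.

```python
"""Added example (not from the original post): object-level access control.

get_document_vulnerable() trusts the doc_id in the request (an IDOR);
get_document_fixed() denies by default and only returns the caller's own
records. All data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data: two users (100 and 200), each owning one document.
DOCUMENTS = {
    1: Document(doc_id=1, owner_id=100, body="alice's tax return"),
    2: Document(doc_id=2, owner_id=200, body="bob's medical record"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the document."""


def get_document_vulnerable(current_user_id: int, doc_id: int) -> Document:
    """Broken access control: any authenticated user can read any document
    simply by changing doc_id in the request. current_user_id is ignored."""
    return DOCUMENTS[doc_id]


def get_document_fixed(current_user_id: int, doc_id: int) -> Document:
    """Deny by default: an unknown id and someone else's id are treated the
    same, so the response does not reveal whether the document exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read document {doc_id}")
    return doc


def can_read(handler, current_user_id: int, doc_id: int) -> bool:
    """Compare both handlers: True if the read succeeds, False if it is denied."""
    try:
        handler(current_user_id, doc_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # Alice (100) tries to read Bob's (200) document.
    print("vulnerable handler:", can_read(get_document_vulnerable, 100, 2))  # True
    print("fixed handler:     ", can_read(get_document_fixed, 100, 2))       # False
    print("own document:      ", can_read(get_document_fixed, 100, 1))       # True
```

Note that the fixed handler makes the ownership check part of the data lookup itself rather than a separate `if` after the fetch, which is the pattern that survives refactoring; the check cannot be forgotten on a new code path because there is no way to obtain a document without it.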
A02:2021 – Cryptographic Failures
Formerly A03:2017 Sensitive Data Exposure. The new name points at the root cause rather than the symptom: missing or weak cryptography (cleartext storage or transport, weak or deprecated algorithms, hard-coded or poorly managed keys, insufficient randomness), which ends up exposing sensitive data such as credentials, health records and payment details.
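Password storage is the most common place this risk shows up. As an added example (not code from the original post), the block below contrasts a fast, unsalted hash with a salted, slow key derivation function from the Python standard library and a constant-time comparison. The iteration count is an assumption for the example and should be tuned to the hardware the application runs on.

```python
"""Added example (not from the original post): two ways to store passwords.

store_weak() applies a fast, unsalted hash, so equal passwords produce equal
digests and precomputed tables apply. store_fixed() uses a per-user random
salt and PBKDF2-HMAC-SHA256 (hashlib, standard library), and verify_fixed()
compares in constant time. The iteration count is an assumption."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption for the example; tune to your hardware
SALT_BYTES = 16


def store_weak(password: str) -> str:
    """Unsalted SHA-256: fast to brute force, identical for identical inputs."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_fixed(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow KDF. The stored record carries the algorithm, iteration
    count and salt, so parameters can be raised later without a migration."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_fixed(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same password: the weak scheme makes that visible.
    print(store_weak("hunter2") == store_weak("hunter2"))        # True
    print(store_fixed("hunter2") == store_fixed("hunter2"))      # False (fresh salt)
    record = store_fixed("hunter2")
    print(verify_fixed("hunter2", record), verify_fixed("hunter3", record))  # True False
```

Argon2id or bcrypt are the usual recommendations where a third-party library is acceptable; PBKDF2 is shown here because it ships with the standard library and demonstrates the same three properties (salt, work factor, constant-time compare).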
A03:2021 – Injection
Down from A01:2017. Insufficient validation of untrusted data, combined with unsafe data-access practices such as building queries by string concatenation, lets an attacker turn input into code and run queries, commands or scripts that were never intended. Cross-Site Scripting (XSS) is now part of this category.
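The mechanism is easiest to see with SQL. The block below is an added example, not code from the original post: a lookup that splices the username into the query text, beside the parameterized version. It runs against an in-memory SQLite database with constructed rows, and the attacker string is constructed as well.

```python
"""Added example (not from the original post): SQL injection through string
concatenation, and the parameterized query that prevents it.
Uses an in-memory SQLite database with constructed sample rows."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Untrusted input is spliced into the statement text: the input becomes
    part of the SQL and can change the meaning of the WHERE clause."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterized query: the value travels separately from the statement,
    so quotes and SQL keywords in the input are just data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker input: closes the string literal and appends a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # both users returned
    print("fixed:     ", find_user_fixed(conn, PAYLOAD))       # [] - no such username
```

The same rule applies to every interpreter the application talks to (OS shell, LDAP, NoSQL query languages, templating engines): keep the code and the data on separate channels, and treat escaping as a last resort rather than the primary defense.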
A04:2021 – Insecure Design
A new addition for 2021, it highlights the importance of shifting left: threat modeling, secure design patterns and reference architectures applied as early as possible in the application lifecycle, since a flawed design cannot be fixed by a perfect implementation.
A05:2021 – Security Misconfiguration
Up from A06:2017, which is not surprising given how configurable modern software stacks have become: according to OWASP, 90% of the applications in the data set were tested for some form of misconfiguration. An umbrella term for the insecure configuration of any element of the application stack, from the operating system and storage to the application server, frameworks and third-party libraries; XML External Entities (XXE) now falls under this category.
A06:2021 – Vulnerable and Outdated Components
Previously named "Using Components with Known Vulnerabilities," it covers the use of libraries, frameworks and other components with known security flaws, and also components that are out of date or no longer supported, even when no vulnerability has been published for them yet.
A07:2021 – Identification and Authentication Failures
Credentials and session identifiers, such as user passwords, access tokens, and API keys, are not properly protected or verified: weak passwords are accepted, credential stuffing and brute force are not blocked, and session tokens are exposed in URLs or not invalidated on logout. In the previous edition of the Top 10, it was known as "Broken Authentication."
A08:2021 – Software and Data Integrity Failures
A new risk for the 2021 Top 10, it covers code and infrastructure that do not protect against integrity violations: supply chain risks such as the use of unverified dependencies, plugins or update mechanisms, and insufficient validation of external data, including Insecure Deserialization, which was A08 in the 2017 ranking.
A09:2021 – Security Logging and Monitoring Failures
Events and suspicious actions are logged poorly or not at all, and the logs are not monitored, so breaches are not detected quickly enough (or at all) and there is not enough evidence to investigate them afterwards.
A10:2021 – Server Side Request Forgery
New in the OWASP Top 10 2021! The application fetches a remote resource from a user-supplied URL without validating it, so an attacker can make the server send requests to destinations of their choosing, including internal services and cloud metadata endpoints, abusing the server's network position and credentials.
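The defensive core is to validate the destination before the server connects to it. The following is an added example, not code from the original post: it allowlists schemes and hosts, rejects credentials embedded in the URL, and resolves the host to check that no address is loopback, private or link-local (which covers the 169.254.169.254 cloud metadata address). The allowed host names, the fake DNS table and the sample URLs are constructed for the example; DNS resolution is injected so the block runs offline.

```python
"""Added example (not from the original post): validating a user-supplied URL
before the server fetches it, to block SSRF.

Checks: scheme allowlist, host allowlist, no credentials in the URL, and no
resolved address that is internal. The resolver is a parameter so the example
can run offline against a constructed DNS table."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hosts this service is meant to fetch from (assumption for the example).
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}


def default_resolver(host: str) -> Iterable[str]:
    """Real resolver: every A/AAAA record for the host (not used offline)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(ip: str) -> bool:
    """True for addresses a server must never be tricked into contacting."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_outbound_url(
    url: str, resolver: Callable[[str], Iterable[str]] = default_resolver
) -> Tuple[bool, str]:
    """Return (ok, reason). Anything not explicitly allowed is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # "https://allowed.host@evil.host/" parses with hostname evil.host
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = list(resolver(host))
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


# Constructed DNS table: one allowed host is legitimate, the other has been
# pointed at the cloud metadata address (as in a DNS rebinding attack).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["169.254.169.254"],
}


def fake_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/cat.png",
        "https://api.partner.example/v1/status",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://images.example.com@evil.example/",
    ):
        print(candidate, "->", validate_outbound_url(candidate, fake_resolver))
```

One caveat a practitioner will want: resolving the name at validation time and again at connection time leaves a window for DNS rebinding. In production, connect to the address that was validated (pin it), or run the same check inside the HTTP client's connection hook, and keep the server's egress restricted at the network layer as well.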
OWASP Top 10 2021 vs. OWASP Top 10 2017 (previous edition)
Let’s take a look at the main strategic changes from the previous OWASP Top 10 edition:
The 2021 Top 10 emphasizes secure design as root cause
Compared with the predecessor ranking, the 2021 Top 10 highlights design-level root causes over particular low-level risks that were often more symptoms than root causes. Some specific categories, such as XSS, XXE, and Insecure Deserialization, are folded into broader ones (Injection, Security Misconfiguration and Software and Data Integrity Failures, respectively).
SSRF becomes part of the 2021 Top 10
We have watched this risk become more and more prevalent over the last few years, which is why we wrote a long post explaining Server Side Request Forgery and how to mitigate it.
Application security is not only about the code you wrote
Applications rely on a large number of external elements that the team did not write, such as open-source dependencies and the configuration of the platform. The 2021 Top 10 recognizes this reality with four risks: A05:2021 Security Misconfiguration, A06:2021 Vulnerable and Outdated Components, A08:2021 Software and Data Integrity Failures, and A09:2021 Security Logging and Monitoring Failures.
How to mitigate the OWASP Top 10 risks
Here is a summary of our key recommendations for any team looking to improve the quality and security of their web applications. For full context, we recommend reading our post "7 Factors to Secure your DevOps Practice" and visiting our Application Security Knowledge center.
- Use an IAST tool (efficient and accurate vulnerability detection) from the first day of development.
- Treat security issues as a fundamental functionality issue, and connect your detection tool with the team task management system.
- Define security metrics and thresholds to ensure quality.
- Some OWASP Top 10 risks, especially design flaws, cannot be reliably found by testing: protect against them at runtime instead of relying on detection alone.
- Keep security reports continuous and always up to date.
- Be ready for cloud deployments by embedding security-as-code as part of the application deployment.
- Maintain performance by choosing security solutions that scale with the application.
Do you need help solving OWASP Top 10 risks?
At Hdiv Security we are application security experts, and our mission is to help teams that build modern applications automate security through the entire application lifecycle. The combination of Hdiv Detection (IAST) and Hdiv Protection (RASP) provides the visibility and protection that applications need to maintain a quick time-to-market while maximizing their security posture. Drop us a note if you want to learn more!