OWASP Top 10 2021: What’s new in WebApp Security Vulnerabilities
WebApp vulnerabilities and attack methodologies are in constant flux. The OWASP Top 10 is a helpful resource that helps security analysts protect their networks in this ever-changing environment. Read on to learn what has changed in 2021.
What is the ‘OWASP Top 10’?
OWASP (Open Web Application Security Project) is a recognised industry standard and one of the most widely used methodologies for developing and securing web applications. The Top 10 represents a broad consensus about the most critical security risks to web applications and is a key resource for scoping and prioritising penetration testing.
What has changed in WebApp vulnerabilities?
A number of changes have been made since 2017, with some categories changing rank and others renamed in the last four years. Visit the OWASP website for full details on how each category has changed.
What do these categories mean?
A01:2021-Broken Access Control – Access control enforces policy so that users cannot act outside of their intended permissions. Failures here typically lead to unauthorised information disclosure, modification or destruction of data, or execution of a business function outside the user’s limits.
A02:2021-Cryptographic Failures – It is essential to determine the protection needs of all data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, especially if that data falls under privacy laws such as the General Data Protection Regulation (GDPR) or regulations such as the PCI Data Security Standard (PCI DSS) for financial data.
A03:2021-Injection – Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection.
A04:2021-Insecure Design – Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” One factor that contributes to insecure design is the lack of business risk profiling inherent in the software or system being developed, leading to a failure to determine which level of security design is required.
A05:2021-Security Misconfiguration – Common security misconfigurations include missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. It can also signify unnecessary features are enabled or installed, default accounts and their passwords are still enabled and unchanged, or information disclosure via improper error handling.
A06:2021-Vulnerable and Outdated Components – This category relates to the use of vulnerable or unsupported software. This can be in the form of libraries within the application, the underlying infrastructure, or the framework in which the application is built.
A07:2021-Identification and Authentication Failures – Confirming the user’s identity, and handling authentication and session management correctly, is critical to protect against authentication-related attacks.
A08:2021-Software and Data Integrity Failures – These failures relate to code and infrastructure that do not protect against integrity violations, for example when an application relies upon plugins, libraries or modules from untrusted sources, repositories or Content Delivery Networks (CDNs).
A09:2021-Security Logging and Monitoring Failures – This category covers the logging and monitoring needed to detect, escalate and respond to active breaches; without logging and monitoring, breaches cannot be detected.
A10:2021-Server-Side Request Forgery – SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when the destination is protected by a firewall, VPN or other type of network Access Control List (ACL).
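As an added example (not code from the original article or from OWASP), here is a Python validation routine for the server-side fetch described under A10: it restricts the URL scheme, rejects embedded credentials, allowlists the destination host, and checks that the host resolves to a public address. The host names, the addresses and the stand-in resolver are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts this application is meant to fetch from (assumed names).
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}

# Constructed stand-in for DNS so the example runs offline; a real deployment
# resolves with the system resolver and then connects to the address it checked.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],  # constructed sample public address
    "cdn.partner.example": ["10.0.0.5"],       # allowlisted name that resolves internally
}

def constructed_resolver(host):
    return FAKE_DNS.get(host, [])

def is_public_ip(ip_text):
    """False for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=constructed_resolver):
    """Return (ok, reason). Only allowlisted http(s) hosts resolving to public addresses pass."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # user:pass@host forms make the real host easy to misread; reject outright
        return False, "credentials in URL"
    host = parts.hostname  # urlsplit lowercases this and strips the port and IPv6 brackets
    if not host:
        return False, "no host"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    addresses = resolve(host)
    if not addresses:
        return False, "host did not resolve"
    # Every resolved address must be public; a single internal answer is enough to refuse
    if not all(is_public_ip(a) for a in addresses):
        return False, "host resolves to a non-public address"
    return True, "ok"
```

The HTTP client must then connect to the address that was checked and re-run the check on every redirect; otherwise the name can resolve differently between validation and the actual fetch.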
3 ways to mitigate WebApp security risk
In order to stay protected, organisations and their IT and Security teams should:
- Review the Top 10 list and consider the advice provided by OWASP
- Integrate the best practices advised within any web application development process
- Run regular penetration testing to protect web applications from external threats, verify that security controls have been implemented appropriately and ultimately protect a company and its networks from cybercrime
DigitalXRAID continuously updates tools and develops testing methodologies to keep up to date with the ever-evolving industry best practices. Get in touch to find out how we can help you protect your business and your reputation today.