Application security is a broad term for the technologies and processes that protect applications from common application-level vulnerabilities. Since the number of application vulnerabilities grows every year, businesses need a regular program that focuses on application security. With breaches increasing sharply in number, it is necessary to protect both the application and the data stored in it. OWASP is a leading not-for-profit information security organization that helps developers, and the people who commission applications, adopt more secure software development practices.
OWASP recently published the OWASP Top 10 for 2021, a significant event in the application security industry, since the previous edition was released four years earlier (in 2017). The 2021 list says a lot about application security trends over those years. Its mission is to make software security visible so that individuals and organizations can make informed decisions. The OWASP Top 10 is a periodically updated report that helps web developers stay vigilant about security concerns; security analysts from around the world contribute data to it. OWASP itself refers to the Top 10 as an 'awareness document', and all organizations are encouraged to build it into their processes to minimize and mitigate security risks.
Why is the OWASP Top 10 crucial for your organization?
Information security is a major concern for companies. As the number of online users grows, it becomes more important to use the right set of tools to secure their data. It is not that companies are unaware of security issues; they are often simply not doing enough to prevent their systems from being compromised. The OWASP Top 10 lists the most prevalent categories of attack that have proven successful in the past. Every three to four years the list is updated and reorganized. Here are a few points to keep in mind when assessing an organization's security posture:
- Train your developers: Security is one of the most critical factors in any software development project. Not all developers are aware of prevalent security vulnerabilities, and a control that is not understood is easily left out. It is essential to keep your team updated about the latest security vulnerabilities.
- Update your infosec training: While it is essential to have a cyber security training regimen in place, keeping it current with the latest security developments is just as essential.
- Get in touch with your pentesters: Penetration testing is necessary to keep your data secure from cybercriminals. Your security team is the sharpest tool in your company; meet with your penetration testing team to conduct a pentest that covers the changes in the OWASP Top 10.
The OWASP Top 10 vulnerabilities (2021) explained
Since its first publication in 2003, the OWASP Top 10 has become the reference standard for web application security, the list most teams test their applications against. It has been updated in 2004, 2007, 2010, 2013, 2017, and 2021. The following categories are new in the 2021 edition:
- Insecure Design
- Software and Data Integrity Failures
- Server-Side Request Forgery
Besides the new categories, the updated list has a few other changes. Let's look at them in detail:
- Injection updated: Cross-Site Scripting (XSS) has been folded into Injection, since XSS is essentially content injection and the two overlapped completely. Injection has also moved from A01 to A03.
- Broken Authentication: Broken Authentication, A02 in 2017, is now part of Identification and Authentication Failures (A07:2021), which also covers a wider set of CWEs (Common Weakness Enumeration entries) related to identification failures.
- Insecure Deserialization: Insecure Deserialization has been merged into Software and Data Integrity Failures, a broader category covering vulnerabilities related to software updates, data integrity, and CI/CD pipelines.
Comparing OWASP 2017 vs 2021
| S No. | OWASP 2017 | OWASP 2021 |
| --- | --- | --- |
| A01 | Injection | Broken Access Control |
| A02 | Broken Authentication | Cryptographic Failures |
| A03 | Sensitive Data Exposure | Injection |
| A04 | XML External Entities (XXE) | Insecure Design |
| A05 | Broken Access Control | Security Misconfiguration |
| A06 | Security Misconfiguration | Vulnerable and Outdated Components |
| A07 | Cross-Site Scripting (XSS) | Identification and Authentication Failures |
| A08 | Insecure Deserialization | Software and Data Integrity Failures |
| A09 | Using Components with Known Vulnerabilities | Security Logging and Monitoring Failures |
| A10 | Insufficient Logging & Monitoring | Server-Side Request Forgery |
The updated list of OWASP Top 10 Risks and Vulnerabilities
The updated list of OWASP Top 10 security vulnerabilities is as follows:
1. Broken Access Control
Broken access control is a class of vulnerabilities where authorization checks are missing or insufficient, so that users can access data or perform functions they are not entitled to. A typical cause is a check that verifies only that the user is logged in, not that the user is allowed to act on the specific record or function requested. For example, a missing object-level authorization check lets any authenticated user read every other user's records by changing an identifier in the request, and a missing function-level check lets an ordinary user call an administrative action and modify data.
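The object-level case described above, as an added illustration that is not code from the page: a lookup that checks only "is someone logged in" next to one that checks ownership per record. The invoice store, users and roles are constructed for the example.

```python
# Added illustration of object-level authorization (not code from the page).
# The data store, users and roles below are constructed for the example.
from dataclasses import dataclass

# Constructed sample data: invoice id -> record.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 80},
    103: {"owner": "alice", "amount": 300},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(session, invoice_id):
    """Only checks that *someone* is logged in. Any authenticated user can
    read any invoice just by changing the id in the request (an IDOR)."""
    if session is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def get_invoice_secure(session, invoice_id):
    """Authorizes per object: the caller must own the record or be an admin.
    Unknown ids and foreign ids produce the same error, so an attacker
    cannot tell which ids exist by probing."""
    if session is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("not found")
    if session.role != "admin" and invoice["owner"] != session.user:
        raise Forbidden("not found")
    return invoice


def readable_ids(lookup, session):
    """Return the set of invoice ids `session` can read through `lookup`.
    Used here to compare the two implementations side by side."""
    ids = set()
    for invoice_id in INVOICES:
        try:
            lookup(session, invoice_id)
            ids.add(invoice_id)
        except Forbidden:
            pass
    return ids


if __name__ == "__main__":
    bob = Session("bob", "user")
    print("vulnerable:", sorted(readable_ids(get_invoice_vulnerable, bob)))  # [101, 102, 103]
    print("secure:    ", sorted(readable_ids(get_invoice_secure, bob)))      # [102]
```

The secure version denies by default and returns the same error for "not yours" and "does not exist", which is what keeps an attacker from enumerating valid ids.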
2. Cryptographic Failures
Authentication, authorization, and data integrity all depend on cryptography being applied correctly, and so does the confidentiality of stored and transmitted data. Encryption transforms information into a form that is unreadable without the decryption key. The strength of the cryptography should match the level of risk and the threats faced. The most critical cryptographic failures include:
- Weak or obsolete cryptographic algorithms in use
- Improper key management, leading to weak keys, key reuse, and so on
- Data transmitted in plaintext, both externally and internally.
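Two of the failures above (a weak, fast algorithm and no per-user salt) side by side with a sound construction, as an added example that is not code from the page. It shows why an unsalted MD5 password digest falls to a dictionary attack, while a salted scrypt digest does not, and why the comparison must be constant-time. The wordlist is constructed for the example.

```python
# Added illustration of two cryptographic failures from the list above
# (a weak algorithm and missing salt) next to a sound construction.
# Not code from the page; the wordlist is constructed.
import hashlib
import hmac
import os

# Constructed attacker wordlist (a real one has hundreds of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # about 16 MiB of memory per hash


def hash_password_weak(password):
    """Unsalted MD5: fast to compute, so a precomputed table or a GPU
    cracks it at billions of guesses per second, and two users with the
    same password get the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest, wordlist):
    """Offline dictionary attack against an unsalted fast hash."""
    for candidate in wordlist:
        if hash_password_weak(candidate) == digest:
            return candidate
    return None


def hash_password(password):
    """Salted, memory-hard scrypt. Returns 'salt$digest' in hex; the salt
    is random per user, so identical passwords get different hashes."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many bytes matched."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = hash_password_weak("password123")
    print("cracked weak hash:", crack_weak(leaked, WORDLIST))  # password123
    stored = hash_password("password123")
    print("same password, different scrypt hashes:", stored != hash_password("password123"))
    print("verify:", verify_password("password123", stored), verify_password("wrong", stored))
```

The scrypt parameters are a reasonable 2021 baseline; the point is that the cost is tunable and memory-hard, which a plain digest is not.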
3. Injection
Injection attacks occur when a malicious user supplies a crafted payload through an input field. The payload travels from the browser to the server, where it becomes part of a query or command and changes its meaning. These attacks are possible because the application treats user input as trusted and concatenates it directly into a query, rather than keeping code and data separate with parameterized queries or safe APIs. Malicious payloads can also be stored in a database, so that when the application later retrieves the valid data it retrieves the payload with it (stored XSS is the classic case). Injection remains a prevalent class of attack. SQL injection is only one member of the family: the same flaw occurs with OS command, LDAP, NoSQL, and other interpreters, which is why the OWASP category is simply "Injection".
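The SQL case, as an added example that is not code from the page: a login query built by string concatenation next to the parameterized form, run against an in-memory SQLite database with a constructed users table. Passwords are stored in clear only to keep the injection point visible; that is not how they should be stored.

```python
# Added illustration of SQL injection via string concatenation beside the
# parameterized form. Not code from the page; it uses an in-memory SQLite
# database with a constructed users table. Passwords are stored in clear
# only to keep the injection point visible (never do that in real code).
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("alice", "s3cret")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """User input becomes part of the SQL text. The payload  admin' --
    closes the string and comments out the password check."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn, username, password):
    """Placeholders keep input as data: the driver binds the values
    separately, so quotes or comment markers in them never change the
    query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


PAYLOAD = "admin' --"  # constructed attacker input


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "anything"))  # admin
    print("secure:    ", login_secure(conn, PAYLOAD, "anything"))      # None
```

The same split applies to every other interpreter: pass arguments as a list to a process API instead of building a shell string, use the driver's query objects for NoSQL, and escape for the specific target (LDAP filter, HTML context) only when no parameterized API exists.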
4. Insecure Design
Insecure Design covers a range of weaknesses that stem from missing or flawed security design rather than from implementation bugs. Secure coding alone cannot fix a design flaw: the design itself must be threat-modeled and built on secure patterns, and developers must be aware of common vulnerabilities. For example, an insecurely designed password-reset flow that returns the current password in the HTTP response, and emails it in clear text as well, lets an attacker who can observe either channel take over the account in a single step.
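The reset flow just described, as an added example that is not code from the page. The insecure design hands back the password; the secure design issues a random, single-use, expiring token, stores only its hash, and puts the token in the emailed link rather than in the HTTP response. The user store is constructed for the example.

```python
# Added illustration of the password-reset flow described above: the
# insecure design returns the password, the secure design issues a
# random, hashed, expiring, single-use token that only ever travels in
# the email link. Not code from the page; the user store is constructed.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def reset_insecure(users, email):
    """Insecure design: the reply (and the email) carry the live password.
    Anyone who can read either channel owns the account."""
    return {"status": "ok", "password": users.get(email)}


class PasswordResetService:
    def __init__(self, users):
        self.users = users          # email -> password (plaintext only for the demo)
        self._pending = {}          # sha256(token) -> (email, expires_at)

    def request_reset(self, email, now=None):
        """Returns the token to put in the emailed link, or None. The HTTP
        response to the requester must read the same either way ("if that
        address exists, a mail was sent") so addresses cannot be enumerated."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, now + TOKEN_TTL_SECONDS)
        return token  # only the hash is stored, so a DB leak does not leak usable tokens

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # pop => a token works once
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.users[email] = new_password       # hash it in a real system
        return True
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production the service reads the clock itself and the token leaves the server only through the mailer.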
5. Security Misconfiguration
Security misconfiguration is a common issue caused by insecure defaults, incomplete hardening, and configuration drift rather than by application code itself. Some of the common security misconfigurations are:
- Default credentials left in place (e.g. admin/admin)
- Server version disclosure
- Improper filtering of inbound and outbound traffic
- Missing standard security headers such as X-Frame-Options
6. Vulnerable and Outdated Components
Using components with known vulnerabilities is a common issue found in most web applications. Many organizations postpone fixing these issues because migrating to a newer version is difficult. Some common CVEs related to widely used technologies are:
7. Identification and Authentication Failures
Authentication and session management must be implemented properly to protect users from a range of attacks. Some common vulnerabilities are:
- Improper session management
- Weak password policy
- Missing brute-force protection
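The three items above in one place, as an added example that is not code from the page: a password policy check with a deny-list, per-account failure counting with a lockout, and random session ids that are re-issued on every login. The users and the common-password list are constructed; the lockout and length constants are example values.

```python
# Added illustration of the three weaknesses listed above: a password
# policy check, failed-login throttling with lockout, and random session
# ids that are re-issued on every login. Not code from the page; the
# users and the common-password list are constructed.
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "letmein", "password123"}


def password_policy_ok(password):
    """Length plus a deny-list of known-bad passwords; composition rules
    (digit, symbol, ...) add little and are deliberately not required."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self):
        self._users = {}      # username -> (salt, derived key)
        self._failures = {}   # username -> {"count": int, "until": float}
        self._sessions = {}   # session id -> username

    def register(self, username, password):
        if not password_policy_ok(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def login(self, username, password, now):
        """Returns a fresh session id or None. Wrong passwords are counted
        per account; after MAX_FAILURES the account is locked for
        LOCKOUT_SECONDS and even the right password is refused."""
        state = self._failures.setdefault(username, {"count": 0, "until": 0.0})
        if now < state["until"]:
            return None
        if state["until"]:                    # a lockout has expired: start over
            state["count"], state["until"] = 0, 0.0
        record = self._users.get(username)
        if record is None:
            _derive(password, b"x" * 16)      # same cost for unknown users (timing)
            return None
        salt, expected = record
        if not hmac.compare_digest(_derive(password, salt), expected):
            state["count"] += 1
            if state["count"] >= MAX_FAILURES:
                state["until"] = now + LOCKOUT_SECONDS
            return None
        state["count"] = 0
        sid = secrets.token_urlsafe(32)       # new id per login; never derived from user data
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

A per-account lockout on its own can be turned into a denial of service against a victim; in practice it is paired with per-source throttling and a second factor, but the counting logic is the same.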
8. Software and Data Integrity Failures
Data integrity is the state of being whole, authentic, and unbroken. There are many ways that software or data can fail to uphold it: insecure deserialization, code pulled from untrusted CDNs, and insecure CI/CD pipelines are common ways software fails to maintain the integrity of its code and data.
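An integrity check on a software update, as an added example that is not code from the page: the manifest is authenticated with an HMAC, the artifact is compared against the digest the manifest pins, and only then is it parsed, as JSON rather than a format that can execute code. The key, manifest and artifact are constructed; a production update channel would use asymmetric signatures so that consumers hold only a verification key, but the order of checks is the same.

```python
# Added illustration of an integrity check on a software update: the
# manifest is authenticated with an HMAC and the artifact is checked
# against the digest the manifest pins, before anything is installed.
# Not code from the page; key, manifest and artifact are constructed.
import hashlib
import hmac
import json

KEY = b"constructed-demo-signing-key"   # shared secret for the example only


class IntegrityError(Exception):
    pass


def canonical(obj):
    """Deterministic JSON bytes, so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_release(name, version, artifact, key=KEY):
    """Publisher side: pin the artifact digest in a manifest and sign it."""
    manifest = {"name": name, "version": version, "sha256": hashlib.sha256(artifact).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def install(artifact, manifest, signature, key=KEY):
    """Consumer side. Verify before use: first the manifest's authenticity,
    then the artifact against the pinned digest. Only then parse it, and
    only with a format that cannot execute code (JSON here, never pickle)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise IntegrityError("manifest signature invalid")
    if not hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), manifest["sha256"]):
        raise IntegrityError("artifact does not match manifest")
    return json.loads(artifact)


def is_valid_release(artifact, manifest, signature, key=KEY):
    try:
        install(artifact, manifest, signature, key)
        return True
    except IntegrityError:
        return False


if __name__ == "__main__":
    artifact = b'{"plugin": "greeter", "greeting": "hello"}'
    manifest, sig = make_release("greeter", "1.0.0", artifact)
    print(install(artifact, manifest, sig))
    tampered = b'{"plugin": "greeter", "greeting": "pwned"}'
    print("tampered artifact accepted:", is_valid_release(tampered, manifest, sig))  # False
```

Note that an attacker who swaps the artifact must also rewrite the pinned digest, and rewriting the digest invalidates the signature; both checks are needed, and a CDN or pipeline step that delivers only the artifact without the signed manifest is exactly the untrusted link the category warns about.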
9. Security Logging and Monitoring Failures
Security log monitoring is an integral part of any security program and one of the most crucial areas of log management: it helps companies detect and analyze security events in near real time. Winston is one of the most commonly used loggers for Node.js applications.
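What "detect" means in practice, as an added example that is not code from the page: a detector run over authentication events that counts failed logins per source address in a sliding window and raises a higher-severity alert when a success follows the burst. The log lines, usernames and addresses (from the TEST-NET documentation ranges) are constructed for the example.

```python
# Added illustration of detection logic over authentication logs: a
# sliding-window count of failed logins per source address, with a
# higher-severity alert when a success follows the burst. Not code from
# the page; the log lines and addresses (TEST-NET ranges) are constructed.
import json
from collections import defaultdict, deque

FAILURE_THRESHOLD = 5
WINDOW_SECONDS = 60

SAMPLE_LOG = """\
{"ts": 1700000000, "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"ts": 1700000005, "event": "login_failed", "user": "bob", "src": "198.51.100.4"}
{"ts": 1700000010, "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"ts": 1700000020, "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
this line is not JSON and must not crash the detector
{"ts": 1700000030, "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"ts": 1700000040, "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"ts": 1700000050, "event": "login_success", "user": "alice", "src": "203.0.113.9"}
{"ts": 1700000900, "event": "login_success", "user": "bob", "src": "198.51.100.4"}
"""


def parse_events(text):
    """Parse one JSON event per line. Malformed lines are counted rather
    than silently dropped: a spike in them is itself a logging failure."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            events.append({"ts": int(ev["ts"]), "event": ev["event"],
                           "user": ev["user"], "src": ev["src"]})
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def detect_bruteforce(events):
    """One 'bruteforce' alert per source when FAILURE_THRESHOLD failures
    land inside WINDOW_SECONDS, and a 'success_after_bruteforce' alert if
    that source later logs in successfully."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["event"] == "login_failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src, "failures": len(q), "ts": ev["ts"]})
        elif ev["event"] == "login_success" and src in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    events, malformed = parse_events(SAMPLE_LOG)
    for alert in detect_bruteforce(events):
        print(alert)
    print("malformed lines:", malformed)
```

None of this works unless the application actually emits a `login_failed` event with a timestamp, the account and the source address; the most common failure in this category is that the event is never logged at all, or is logged without the fields the detection needs.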
10. Server-Side Request Forgery
Server-Side Request Forgery (SSRF) is a vulnerability in which an application fetches a remote resource from a user-supplied URL without validating the destination. An attacker can exploit it to port-scan the internal network, reach internal services, cause denial of service, or read the cloud instance metadata service the application runs behind.
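The validation the paragraph asks for, as an added example that is not code from the page: an allow-list of schemes and hosts, a check of every address the host resolves to, and the vetted addresses returned so the HTTP client connects to exactly what was checked. The allow-list and the resolver table are constructed; a real deployment would resolve with `socket.getaddrinfo` and pin the connection to the returned address.

```python
# Added illustration of outbound-URL validation against SSRF: scheme
# allow-list, host allow-list, and a check of every address the host
# resolves to, with the addresses returned so the caller connects to
# exactly what was checked. Not code from the page; the allow-list and
# the resolver table are constructed (a real resolver would be
# socket.getaddrinfo).
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed DNS answers. cdn.example.com resolves to an internal address,
# as a compromised or rebinding DNS record would.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public(ip_text):
    """Reject loopback, RFC 1918, link-local (169.254.169.254 metadata),
    CGNAT, multicast and reserved space; ipaddress.is_global covers these."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def check_outbound_url(url, resolve=fake_resolve):
    """Return (ok, detail). On success detail is the list of vetted IPs the
    HTTP client must connect to; pinning closes the DNS-rebinding window
    between this check and the actual connection."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname   # strips userinfo: http://api.example.com@10.0.0.1/ yields 10.0.0.1
    if host not in ALLOWED_HOSTS:
        return False, "host not allowed"
    if parts.port not in (None, 80, 443):
        return False, "port not allowed"
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    if not all(is_public(ip) for ip in addresses):
        return False, "host resolves to a non-public address"
    return True, addresses


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.example.com@10.0.0.1/",
              "https://cdn.example.com/logo.png",
              "file:///etc/passwd",
              "https://api.example.com:8443/admin"]:
        print(u, "->", check_outbound_url(u))
```

Deny-listing the metadata address alone is not enough: redirects, alternate IP encodings and DNS answers that change between check and use all route around it, which is why the example allow-lists hosts and checks the resolved addresses rather than the URL string.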
How can Astra help you protect against OWASP Top 10 Risks?
Security breaches are increasing in number and severity. The number of organizations that have been breached is staggering, and the impact of these breaches is affecting almost every business model. Customer trust is at stake. Reputation is at stake. And worst of all, data is at stake.
Protect your assets and your customers' data against the OWASP Top 10 risks and vulnerabilities using Astra's Vulnerability Scanner, Firewall, and Malware Scanner. Astra's cloud-based, self-served vulnerability scanner is built on intelligence gathered from real-world attacks and runs 3000+ test cases covering OWASP, SANS, ISO, SOC, and other standards.
Recent malware attacks have become more complex and sophisticated; protect your application against such attacks using Astra Malware Scanner.
With cyber attacks growing, it is essential to keep your application secure. The OWASP Top 10 2021 has a lot of potential to change the way we secure our applications. Astra's vulnerability scanner runs more than 3000 tests that help you defend not only against the OWASP Top 10 but also against other major attacks.