What Are The OWASP Top 10
The Open Web Application Security Project (OWASP) maintains a list of the ten most critical security risks for web applications. The list is built from data contributed by partner organisations, industry surveys of security professionals, and field reports from real-world breaches and testing. Devs can improve their web app knowledge and reduce their application's exposure by getting to know these risks.
Let’s get right to the OWASP Top 10 web application risks and how devs can address these security flaws.
1. Broken Access Control
Broken access control is currently the number one risk for web applications. It occurs when users can read or change data, or perform actions, outside their intended permissions. Typical causes include violating the principle of least privilege (granting access by default instead of denying it), bypassing access control checks by tampering with a URL, parameter or request (for example changing an id in the request to read another user's record), and forced browsing to pages that should require authentication.
Devs can lower this risk by enforcing access control checks on the server side for every request and every record, starting from a deny-by-default policy (the principle of least privilege), invalidating sessions on logout, and adding rate limiting so that automated enumeration of ids is slowed down and shows up in the logs.
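The id-tampering case described above, as an added example that is not code from the original article: an insecure direct object reference beside its deny-by-default fix. The users, the invoice records and the "admin" role name are constructed for the demonstration.

```python
# Added example (not from the original article): an insecure direct object
# reference beside its deny-by-default fix. Users and invoices are constructed
# sample data; the "admin" role name is an assumption.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class User:
    user_id: int
    roles: Set[str] = field(default_factory=set)


# Constructed sample data: invoice id -> record, with the owning user id
INVOICES = {
    101: {"owner": 1, "amount": "49.00"},
    102: {"owner": 2, "amount": "120.00"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested resource."""


def get_invoice_insecure(current_user: User, invoice_id: int) -> Optional[dict]:
    """Vulnerable: trusts the id from the request and never checks ownership,
    so any logged-in user can walk ids 1..N and read everyone's invoices."""
    return INVOICES.get(invoice_id)


def is_authorized(current_user: User, record: dict) -> bool:
    """Deny by default: only the owner or an admin gets access."""
    return record["owner"] == current_user.user_id or "admin" in current_user.roles


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Hardened: look the record up, then enforce ownership on the server side.
    'Missing' and 'not yours' raise the same error so ids cannot be enumerated."""
    record = INVOICES.get(invoice_id)
    if record is None or not is_authorized(current_user, record):
        raise Forbidden("no such resource")
    return record
```

The check lives next to the data access rather than in the UI: hiding a link to /invoices/102 does nothing if the handler still serves it, and the same `is_authorized` rule is what a rate-limited enumeration attempt runs into on every request.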
2. Cryptographic Failures
This threat was formerly called "Sensitive Data Exposure" and was renamed to reflect the root cause rather than the symptom. Whether data is at rest in your database or in transit to your servers or through an API, correct cryptography is key to protecting user credentials and other sensitive data. Transmitting data in clear text, using weak or outdated algorithms, hard-coding keys, and storing passwords with fast, unsalted hashes all fall into this category.
Devs can mitigate these risks by classifying data and storing only what is needed, encrypting sensitive data at rest and in transit with current algorithms and secure protocols such as TLS, and avoiding deprecated and legacy cryptographic features.
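The password-storage case above, as an added example that is not from the original article: an unsalted fast hash beside a salted, iterated KDF with a constant-time check. The iteration count and salt length are assumed values for illustration, not figures from the article.

```python
# Added example (not from the original article): a password store that is a
# cryptographic failure beside a hardened one. The iteration count and salt
# length are assumed values, not the article's recommendations.
import hashlib
import hmac
import os
from typing import Optional


def weak_hash(password: str) -> str:
    """Vulnerable: unsalted, fast MD5. Identical passwords give identical
    hashes, and a leaked table can be cracked offline at billions of guesses
    per second."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your hardware budget
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened: a per-user random salt plus a slow, iterated KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks no timing information."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two users with the same password get different stored values, and the cost of each guess is set by the iteration count rather than by how fast MD5 runs on a GPU. A dedicated password hash such as Argon2 or bcrypt is preferable where a library for it is available; PBKDF2 is used here only because it ships with the standard library.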
3. Injection
Injection has moved down to third on the OWASP Top 10 list; it was number one in 2017. Injection risks occur when an attacker's input is passed to an interpreter, such as a database, a shell, an LDAP directory or a browser, in a way that makes the interpreter treat it as code rather than data. The web application then runs the injected code as if it were its own.
This can give attackers access to secure areas and sensitive data, and can even jeopardize your servers or network. Cross-Site Scripting was merged into the injection category in the most recent OWASP update. Other risks include:
- SQL Injections
- OS Command Injections
- LDAP Injections
Your dev team can mitigate injection risks primarily by keeping data separate from code: parameterized queries or prepared statements for SQL, library APIs instead of shell commands, and context-aware output encoding for HTML. Input validation, such as rejecting characters that have no business in a username, is a useful second layer, but stripping special characters on its own is not a reliable defence and breaks legitimate input.
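The SQL injection case, as an added example that is not code from the original article: a login query built by string concatenation beside the parameterized form. The table, the accounts and the payload are constructed for the demonstration and run against an in-memory SQLite database.

```python
# Added example (not from the original article): an SQL injection against an
# in-memory SQLite table, then the parameterized query that closes it. The
# table, accounts and payload are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts, one with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("o'brien", "hash-o")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Vulnerable: the username is spliced into the SQL text, so the database
    parses user input as part of the query. The username
    alice' OR 1=1 --  turns the WHERE clause into a tautology and comments
    out the password check."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Hardened: placeholders keep query structure and data apart. The driver
    never treats the value as SQL, so no character stripping is needed and a
    legitimate name like o'brien still works."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None
```

The same payload that logs the attacker in through `login_vulnerable` is just a username that matches nobody in `login_safe`, and the legitimate user `o'brien`, whom a "strip special characters" filter would have locked out, can still log in.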
4. Insecure Design
Insecure Design is a new category for 2021. It represents the industry's "shift-left" towards applications that are secure by design rather than patched into shape afterwards. Design is distinct from implementation: a perfectly designed web application can still be imperfectly implemented, and a perfect implementation cannot fix a design that never considered a threat.
This risk has everything to do with the architecture and design of your web application: the business logic, trust boundaries and abuse cases you decided on before any code was written.
Devs lower this risk by incorporating threat modeling, secure design patterns and reference architectures into the design phase. Bringing AppSec professionals into design reviews also lowers this risk.
5. Security Misconfiguration
The way your web application and its stack are configured can also be a risk. Security Misconfiguration moved up a place from the previous list. It covers everything from common mistakes like leaving default accounts and passwords active, unnecessary features, ports or services enabled, or cloud storage permissions left open, to more nuanced problems like error messages that reveal stack traces or other exploitable information.
This risk can be handled with a repeatable hardening process: a minimal platform with no unused features, a configuration that is reviewed and updated as patches arrive, and automated checks that verify the settings in every environment rather than relying on someone remembering.
6. Vulnerable and Outdated Components
This risk is as straightforward as it is common. Outdated software, libraries, and other components can cause serious risks in your web application. This can include the very platforms that your web application is built on.
This risk can be mitigated by routinely inventorying your components, client and server side including nested dependencies, checking the inventory against vulnerability databases, removing what you do not use, and keeping the rest upgraded. Dependency-scanning tools such as OWASP Dependency-Check automate most of that inventory.
7. Identification and Authentication Failures
This category was formerly the #2 threat on the OWASP list. It was changed from “Broken Authentication” to its current category in order to include a broader set of related risks.
These risks come from attackers finding flaws in how your web application identifies users and manages sessions: permitting credential stuffing or brute force, accepting weak or default passwords, exposing session ids in URLs, reusing a session id across login, or never expiring sessions. They can use these flaws to assume a trusted user's identity and gain access to secure networks and data.
The wider use of standardized authentication frameworks has considerably reduced this risk. Multi-factor authentication, rate limiting on login attempts, and session tokens that are random, rotated after login and invalidated on logout help further.
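The session-token part of that advice, as an added example that is not code from the original article: a server-side session store with random tokens, hashed storage, expiry, logout and rotation after login. The idle timeout is an assumed value.

```python
# Added example (not from the original article): server-side session handling
# that avoids the usual failures: guessable ids, tokens stored in the clear, no
# expiry, and a session id that survives login. The idle timeout is assumed.
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout

# Server-side store: sha256(token) -> {"user": user_id, "expires": epoch seconds}
_sessions: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    """Store only a hash of the token so a leaked session table cannot be
    replayed against the application."""
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: int, now: Optional[float] = None) -> str:
    """Issue a fresh 256-bit token from the OS CSPRNG; never a counter or a
    hash of the username and time."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[_token_hash(token)] = {"user": user_id, "expires": now + SESSION_TTL_SECONDS}
    return token


def resolve_session(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id for a live token, or None. Expired entries are
    purged on sight; a valid hit slides the expiry forward."""
    now = time.time() if now is None else now
    key = _token_hash(token)
    entry = _sessions.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _sessions[key]
        return None
    entry["expires"] = now + SESSION_TTL_SECONDS
    return entry["user"]


def logout(token: str) -> None:
    """Invalidate on the server; clearing the cookie alone is not enough."""
    _sessions.pop(_token_hash(token), None)


def rotate_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a new id after a privilege change such as login, so an id an
    attacker planted before authentication (session fixation) stops working."""
    user = resolve_session(token, now)
    if user is None:
        return None
    logout(token)
    return create_session(user, now)
```

The `now` parameter exists so expiry can be exercised deterministically; in the application it is left at its default. Looking entries up by the SHA-256 of the token means a timing difference on the dictionary lookup reveals nothing about the token itself.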
8. Software and Data Integrity Failures
This is another new category for 2021. It covers code and infrastructure that do not protect against integrity violations: updates that are downloaded and applied without verifying a signature or hash, CI/CD pipelines that can be tampered with, insecure deserialization of untrusted data, and plugins, libraries or other components pulled from untrusted sources, repositories or content delivery networks. An attacker who can substitute their own update for a legitimate one gets their code run with the application's privileges, which is what makes supply-chain compromises so damaging.
To reduce this risk, devs can ensure that components come from trusted repositories, verify signatures or digests before anything is installed, and review changes to build and deployment pipelines. OWASP provides tools such as Dependency-Check to check dependencies for known vulnerabilities.
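The "verify before installing" step, as an added example that is not code from the original article: an installer that refuses an update whose digest does not match the value pinned in a lockfile. The lockfile, the artifact bytes and the two mirror functions are constructed for the demonstration.

```python
# Added example (not from the original article): refusing to install an update
# whose digest does not match the value pinned in a lockfile. The lockfile,
# artifact bytes and mirror functions are constructed for the demonstration.
import hashlib
import hmac
from typing import Callable


class IntegrityError(Exception):
    """Raised when an artifact is unpinned or fails verification."""


# Constructed lockfile: artifact name -> expected SHA-256 of its bytes.
# In practice this comes from a signed manifest or a lockfile committed to git.
GOOD_BUILD = b"widget 1.4.2 release contents"
LOCKFILE = {"widget-1.4.2.tar.gz": hashlib.sha256(GOOD_BUILD).hexdigest()}


def verify_artifact(name: str, data: bytes) -> bool:
    """True only if the artifact is pinned and hashes to the pinned digest."""
    expected = LOCKFILE.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_insecure(name: str, fetch: Callable[[str], bytes]) -> bytes:
    """Vulnerable: whatever the mirror or CDN returns is installed as-is, so a
    compromised mirror or hijacked upstream runs its code with our privileges."""
    return fetch(name)


def install_verified(name: str, fetch: Callable[[str], bytes]) -> bytes:
    """Hardened: download, verify against the pin, and only then hand the bytes
    on to the installer. Unpinned names are refused rather than trusted."""
    data = fetch(name)
    if not verify_artifact(name, data):
        raise IntegrityError(f"refusing to install {name}: unpinned or digest mismatch")
    return data


# Constructed mirrors: one honest, one serving a backdoored build
def honest_mirror(name: str) -> bytes:
    return GOOD_BUILD


def tampered_mirror(name: str) -> bytes:
    return GOOD_BUILD + b"\n# added by attacker"
```

A pinned digest only protects you if the pin itself is trustworthy, so the lockfile belongs in version control where changes to it are reviewed; package managers that support hash pinning (for example pip's `--require-hashes`) implement the same check natively.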
9. Security Logging and Monitoring Failures
Security logging and monitoring is at the heart of detecting and responding to an attack. If your dev team does not log auditable events such as logins, failed logins and high-value transactions, or nobody watches the logs, a breach can go undetected for months. This is as close to rolling out a red carpet for hackers as you can get.
Your DevSecOps team should have a protocol in place for what gets logged, where it is kept and who reviews it. Log entries should be encoded so that attacker-controlled input cannot inject fake records, stored in a format that log management tools can consume, and wired to alerting so that teams can act quickly.
10. Server-Side Request Forgery
Server-Side Request Forgery was the top pick in the OWASP community survey that fed into this list. SSRF happens when a web app fetches a remote resource from a user-supplied URL without validating it, letting an attacker make the server send requests to internal services, cloud metadata endpoints, or other hosts behind the firewall. This risk has become more common with the shift towards cloud computing and with the growing number of applications that fetch URLs on the user's behalf.
There are application and network-layer solutions for this risk, including validating the user-supplied URL against an allow-list of schemes and hosts, not returning the raw response to the client, and a "deny by default" network policy that blocks all outbound traffic from the application except to explicitly permitted destinations.
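The application-layer validation, as an added example that is not code from the original article: a URL check that allows only http(s), rejects embedded credentials and internal address literals (including the 169.254.169.254 metadata endpoint), and requires the host to be on an allow-list. The allow-list hosts are assumed values and no network call is made.

```python
# Added example (not from the original article): validating a user-supplied
# fetch target before the server requests it. The allow-list hosts are assumed
# values, and no network call is made here.
import ipaddress
from typing import Optional, Set
from urllib.parse import urlsplit

ALLOWED_HOSTS: Set[str] = {"images.example.com", "cdn.example.com"}  # assumed


def _is_internal_literal(host: str) -> bool:
    """True if host is an IP literal for loopback, private, link-local
    (including the 169.254.169.254 cloud metadata endpoint), multicast,
    reserved or unspecified ranges. Hostnames fall through as False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_url(url: str, allowed_hosts: Optional[Set[str]] = ALLOWED_HOSTS) -> bool:
    """Deny by default: only http(s), no embedded credentials, and the host must
    be on the allow-list. With allowed_hosts=None (an application that genuinely
    must fetch arbitrary hosts) the check degrades to rejecting internal address
    literals, which is weaker: a DNS name can still resolve to an internal
    address, so the resolved address must also be checked when connecting."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # https://cdn.example.com@attacker.example fools naive checks
    if _is_internal_literal(host):
        return False
    if allowed_hosts is None:
        return True
    return host.lower() in allowed_hosts
```

The allow-list is the real control; the literal-address check is defence in depth for products that must fetch arbitrary URLs, and even then the address the socket actually connects to has to be validated, since an attacker-controlled DNS name can point at an internal host or change between lookup and connect. Pair it with the egress "deny by default" rule at the network layer so a missed case in the application still cannot reach internal services.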