OWASP stands for the Open Web Application Security Project, an online project that creates free content on securing web applications. One of its best-known projects is the OWASP Top 10, a list of the top ten web application vulnerabilities. OWASP recently revamped the Top 10, and in this article we review what has changed:
1) Broken Access Control
Broken access control is now the most serious security risk according to the OWASP top 10. Access control is the mechanism that enforces policies such that users cannot perform actions outside of their intended permissions. In their testing, OWASP found that this was the most commonly found security issue with over 318,000 occurrences in the applications that were tested.
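The point above is that access control has to be enforced by the server against the stored record, not assumed from the fact that a user is logged in. The following Python is an added example, not code from the article or from OWASP: a function that returns any order to any authenticated caller (the broken case) beside one that checks ownership and role before returning. The order store, user names and the "admin" role are constructed for the example.

```python
"""Added example (not from the original article): object-level access control.

The vulnerable function trusts the caller-supplied order_id and returns the
record to anyone who is logged in. The hardened version enforces the policy
that a user may only read their own orders, or any order if they hold the
admin role. All data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample data: a tiny "database" of orders keyed by id.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the object."""


def get_order_vulnerable(user: User, order_id: int) -> dict:
    """Broken access control: any authenticated user can read any order."""
    return ORDERS[order_id]


def get_order_checked(user: User, order_id: int) -> dict:
    """Enforce object-level authorization before returning the record.

    The check runs server-side against the stored owner, never against a
    value the client sends. Missing and forbidden records raise the same
    error so the response does not reveal which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden(f"order {order_id} not accessible")
    if order["owner"] != user.name and "admin" not in user.roles:
        raise Forbidden(f"order {order_id} not accessible")
    return order


def can_read_order(user: User, order_id: int) -> bool:
    """Convenience wrapper that answers True/False instead of raising."""
    try:
        get_order_checked(user, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User("alice")
    bob = User("bob")
    admin = User("root", frozenset({"admin"}))
    # Broken: bob reads alice's order simply by supplying her order id.
    print("vulnerable:", get_order_vulnerable(bob, 1001))
    # Checked: bob is refused, alice and the admin succeed.
    print("bob can read 1001:", can_read_order(bob, 1001))
    print("alice can read 1001:", can_read_order(alice, 1001))
    print("admin can read 1001:", can_read_order(admin, 1001))
```

The design choice worth noting is that the policy decision lives in one function that every read path calls; access control failures of the kind OWASP counted usually come from a handler that skipped that call, so centralising it is what makes the omission visible in review.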
2) Cryptographic Failures
Previously known as Sensitive Data Exposure, this category has been renamed Cryptographic Failures. The old name described a symptom rather than a root cause; the category covers situations where sensitive information such as credit card numbers, passwords, health records, and personal information isn't properly protected by encryption.
3) Injection Attacks
This refers to injection-based attacks such as cross-site scripting, SQL injection, and NoSQL injection. They are the direct result of applications accepting unfiltered or improperly filtered user input. Injection had the second most occurrences in the OWASP application tests, with 274,000 occurrences.
4) Insecure Design
This refers to flaws in the application's design that lead to different types of security vulnerabilities. To understand it, it's important to understand the difference between implementation and design. The other nine categories on this list are the result of improper implementation: a security control was attempted but implemented ineffectively. Insecure design means that no security controls were put in place while the application was being designed; in OWASP's words, there is a "missing or ineffective security control design".
5) Security Misconfiguration
This is attributed to the fact that software has become highly configurable, which means there is more opportunity for misconfiguration. Common examples include unnecessary features being enabled or installed, default accounts and passwords being left in use, and improper permissions being granted to accounts.
6) Vulnerable and Outdated Components
Previously named Using Components with Known Vulnerabilities, this refers to using components with known security vulnerabilities. This can mean running old versions of software that need to be patched, using third-party code libraries that have security vulnerabilities, or it can be the supporting components, such as the web server's operating system, database management system, or runtime environment, that have the vulnerabilities.
7) Identification and Authentication Failures
This covers any occurrence where attackers can bypass authentication checks to compromise user accounts or sessions. Common examples include weak passwords, permitting brute-force attacks, and missing or ineffective multi-factor authentication.
8) Software and Data Integrity Failures
To understand this you first need to understand data integrity: the ability to verify that an item hasn't been changed from its original state. This is commonly checked using a file hash, which lets you compare an item against its original state to see whether it has been altered. A software and data integrity failure means you fail to confirm that the software or data dependency you are using has not been altered maliciously.
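The file-hash check described above, as an added Python example (not code from the article or from any particular project): an artifact is accepted only if its SHA-256 matches a digest pinned in advance from a trusted manifest, and a mismatch fails closed. The artifact bytes, the checksum line and the file name are constructed for the example; the checksum line follows the common `sha256sum` output format.

```python
"""Added example (not from the original article): verifying a downloaded
artifact against a pinned SHA-256 digest before using it.

The expected digest comes from a trusted source that the deployment pins in
advance (a release manifest or signed checksum file); a mismatch means the
artifact is not what was published. The artifact bytes and checksum line in
__main__ are constructed for the example.
"""
import hashlib
import hmac
import io
import re

CHUNK_SIZE = 64 * 1024
HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def sha256_hex(stream) -> str:
    """Hash a file-like object in chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_hex_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data."""
    return sha256_hex(io.BytesIO(data))


def parse_checksum_line(line: str) -> tuple:
    """Parse one line in `sha256sum` format: '<hex digest>  <filename>'.

    Returns (filename, lowercase hex digest). Malformed input raises
    ValueError so a corrupted manifest fails closed instead of matching nothing.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or not HEX_SHA256.fullmatch(parts[0]):
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, filename = parts
    return filename.lstrip("*"), digest.lower()   # '*' marks binary mode


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """True only if the artifact's SHA-256 equals the pinned digest.

    compare_digest is constant-time; cheap insurance even for public digests.
    """
    actual = sha256_hex_bytes(data)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def load_verified(data: bytes, checksum_line: str, expected_name: str) -> bytes:
    """Return the artifact only after both the name and the digest check out."""
    filename, digest = parse_checksum_line(checksum_line)
    if filename != expected_name:
        raise ValueError(f"checksum line is for {filename!r}, not {expected_name!r}")
    if not verify_artifact(data, digest):
        raise ValueError(f"integrity check failed for {expected_name!r}")
    return data


if __name__ == "__main__":
    # Constructed artifact and the checksum line a trusted manifest would carry.
    artifact = b"constructed release artifact v1.0\n"
    pinned = sha256_hex_bytes(artifact)
    manifest_line = f"{pinned}  app-1.0.tar.gz"
    print("pristine copy :", verify_artifact(artifact, pinned))
    print("tampered copy :", verify_artifact(artifact + b"#", pinned))
    print("loaded bytes  :", len(load_verified(artifact, manifest_line, "app-1.0.tar.gz")))
```

The caveat a practitioner will want: a hash fetched from the same untrusted location as the artifact proves nothing, because whoever altered the artifact can alter the hash beside it. The digest has to come through a separate trusted channel, or the checksum file itself has to be signed and the signature verified first.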
9) Security Logging and Monitoring Failures
Proper logging and monitoring are important for detecting, escalating, and responding to active breaches. Failure to properly record events or generate alerts is a sign of security logging and monitoring failures.
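Recording events is only half of this category; the other half is generating an alert from them. The Python below is an added example (not code from the article): a small detector that reads authentication log lines and alerts when one source address produces too many failed logins inside a time window, which also covers the brute-force case mentioned under Identification and Authentication Failures. The log format, the addresses and the lines themselves are constructed for the example.

```python
"""Added example (not from the original article): a sliding-window detector
over authentication logs that alerts on repeated failed logins from one
source. The log format and sample lines are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one noisy source, one source with sporadic failures,
# one successful login and one malformed line the parser must tolerate.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login_failed user=alice src=198.51.100.23
2024-03-01T10:00:09Z auth login_failed user=alice src=198.51.100.23
2024-03-01T10:00:15Z auth login_ok user=bob src=192.0.2.44
2024-03-01T10:00:20Z auth login_failed user=alice src=198.51.100.23
2024-03-01T10:00:31Z auth login_failed user=admin src=198.51.100.23
2024-03-01T10:00:45Z auth login_failed user=root src=198.51.100.23
2024-03-01T10:03:00Z auth login_failed user=carol src=203.0.113.5
this line is malformed and must not crash the detector
2024-03-01T10:30:00Z auth login_failed user=carol src=203.0.113.5
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"(?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Count login_failed events per source inside a sliding time window.

    Returns a list of (src, iso_timestamp) alerts, at most one per source,
    emitted the moment that source reaches `threshold` failures within `window`.
    """
    recent = defaultdict(deque)   # src -> timestamps of its recent failures
    alerted = set()
    alerts = []
    for rec in map(parse_line, lines):
        if rec is None or rec["event"] != "login_failed":
            continue
        failures = recent[rec["src"]]
        failures.append(rec["ts"])
        # Drop failures that have aged out of the window.
        while failures and rec["ts"] - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], rec["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when}: {src} exceeded the failed-login threshold")
```

Two details matter in practice: the malformed line is skipped rather than aborting the run, because a detector that dies on the first odd line is itself a monitoring failure, and the alert fires once per source so a single noisy address does not flood the responders.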
10) Server-Side Request Forgery
According to OWASP, this category's place on the list is not yet supported by the data; it was voted in by the community. The flaw occurs when a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to make the application send a crafted request to an unexpected destination, even when the application sits behind a firewall, VPN, or network access control list.
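The validation the paragraph above says is missing, as an added Python example (not code from the article or from OWASP): before the server fetches a user-supplied URL, the URL is checked against an allowlist of schemes, hosts and ports, and the host is resolved to confirm every address is a public one. The allowed hosts, the address table and the constructed resolver are assumptions made for the example; a real deployment would use the default DNS-based resolver.

```python
"""Added example (not from the original article): validating a user-supplied
URL before the server fetches it.

The policy is an allowlist: only http/https, only hosts the application is
meant to talk to, and only if every address the host resolves to is public.
ALLOWED_HOSTS, CONSTRUCTED_DNS and constructed_resolver are constructed for
the example; dns_resolve is what a deployment would use.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"api.example.test", "cdn.example.test"}

# Constructed address table so the example runs offline. The second entry
# models an allowlisted name that has come to resolve to an internal address.
CONSTRUCTED_DNS = {
    "api.example.test": ["93.184.216.34"],
    "cdn.example.test": ["10.0.0.5"],
}


def dns_resolve(host: str) -> list:
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host: str) -> list:
    """Offline stand-in for dns_resolve, backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return CONSTRUCTED_DNS[host]


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local and other special-purpose ranges all return False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=dns_resolve):
    """Return (ok, reason). Every check fails closed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "name resolution failed"
    if not addresses or not all(is_public_address(ip) for ip in addresses):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.test/v1/items",
        "https://cdn.example.test/asset.png",
        "http://127.0.0.1/",
        "ftp://api.example.test/",
        "https://api.example.test:8080/",
    ):
        print(f"{candidate:40} -> {validate_outbound_url(candidate, resolver=constructed_resolver)}")
```

Two caveats belong with this check. Validation and connection must use the same resolved address, otherwise a name that changes its answer between the two lookups passes the check and reaches the internal address anyway; connect to the validated IP and set the Host header explicitly. And the HTTP client must either refuse redirects or run this validation again on each redirect target, because a permitted host can redirect to one that is not.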
How to get more free content
If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.