What is OWASP?
The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001, with the goal of helping website owners and security experts protect web applications from cyber attacks. OWASP has 32,000 volunteers around the world who perform security assessments and research.
Among OWASP’s key publications are the OWASP Top 10, discussed in more detail below; the OWASP Software Assurance Maturity Model (SAMM), the OWASP Development Guide, the OWASP Testing Guide, and the OWASP Code Review Guide.
Why is the OWASP Top 10 Important?
OWASP Top 10 is a research project that offers rankings of and remediation advice for the top 10 most serious web application security dangers. The report is founded on an agreement between security experts from around the globe. The risks are graded according to the severity of the vulnerabilities, the frequency of isolated security defects, and the degree of their possible impacts.
The aim of the report is to provide web application security experts and developers with an understanding into the most common security risks so that they can use the findings of the report as part of their security practices. This can help limit the presence of such known risks within their web applications.
OWASP manages the Top 10 list and has been doing so since 2003. They update the list every 2-3 years, in keeping with changes and developments in the AppSec market. OWASP provides actionable information and acts as an important checklist and internal Web application development standard for a lot of the largest organizations in the world.
Auditors tend to see an organization’s remiss to address the OWASP Top 10 as a sign that it may not be up-to-scratch regarding compliance standards. Employing the Top 10 into its software development life cycle (SDLC) shows a general valuing of the industry’s best practices for secure development.
What is New in OWASP Top 10 2021?
The following image from OWASP explains what changed in the OWASP top 10 from 2017 to 2021. Remember that the OWASP Top 10 is in order of importance—A01 is, according to OWASP, the most important vulnerability, A02 is the second most important, etc.
- Green arrows are vulnerabilities that were promoted in importance
- Orange arrows are vulnerabilities that were demoted in importance
- Yellow broken line arrows are vulnerabilities removed and merged into other categories.
Source: OWASP
Which vulnerabilities remained in the list but changed position?
-
- UP: Broken Access Control moved up from #5 to #1, because OWASP discovered 94% of applications have an access control weakness.
- UP: Cryptographic Failures, renamed from “Sensitive Data Exposure”, moved from #3 to #2. This reflects the increasing importance of encryption in modern applications.
- UP: Security Misconfiguration moved up from #6 to #5. 90% of applications tested by OWASP had security-related misconfigurations.
- DOWN: Security Logging and Monitoring Failures, previously named “Insufficient Logging and Monitoring”, moved up from #10 to #6, based on data from the OWASP industry survey.
- DOWN: Injection moved down from #1 to #3, even though 94% of applications tested had some type of injection vulnerability.
- DOWN: Vulnerable and Outdated Components, previously named “Using Components with Known Vulnerabilities”, moved up from #9 to #6, based on OWASP’s community survey.
- DOWN: Identification and Authentication Failures, renamed from “Broken Authentication”, moved down from #2 to #7, due to growing use of standard authentication frameworks.
Which vulnerabilities are new or have been removed from the list?
- NEW: Insecure Design is a new vulnerability, entering the list at #4. This reflects the growing focus on “shifting left” and integrating security into the entire development lifecycle.
- NEW: Software and Data Integrity Failures entered the list at #8, focusing on the integrity of software updates and CI/CD pipelines. This is a response to the huge impact of supply chain attacks.
- NEW: Server-Side Request Forgery entered the list at #10. This was the #1 result voted by users in the OWASP community survey.
- REMOVED: Cross-Site Scripting and XML External Entities (XXE) are removed and merged into other categories (Injection and Security Configuration, respectively).
A01:2021—Broken Access Control
Broken access control means that attackers can gain access to user accounts and act as users or administrators, and that regular users can gain unintended privileged functions. Strong access mechanisms ensure that each role has clear and isolated privileges.
Mitigating Broken Access Control
- Deny access by default, except for public resources
- Build strong access control mechanisms and reuse them across the application
- Disable server directory listing and do not store sensitive data in root
- Rate limit API and controller access
- Validate JWT tokens after logout
Related reading:
A02:2021—Cryptographic Failures
Cryptographic Failures, previously known as Sensitive Data Exposure, covers the protection of data in transit and at rest. This includes passwords, credit card numbers, health records, personal information and other sensitive information.
It is especially important for organizations covered by standards like PCI Data Security Standards (PCI DSS) or data privacy regulations like the EU General Data Protection Regulation (GDPR).
Mitigating Cryptographic Failures
- Identify sensitive data and apply appropriate security controls.
- Don’t store sensitive data unless absolutely needed━discard sensitive data, use tokenization or truncation.
- Encrypt all sensitive data at rest using strong encryption algorithms, protocols and keys.
- Encrypt data in transit using secure protocols like TLS and HTTP HSTS.
- Disable caching for sensitive data.
- Store passwords using strong, salted hashing functions like Argon2, scrypt and bcrypt.
Related reading:
A03:2021—Injection
An injection vulnerability in a web application allows attackers to send hostile data to an interpreter, causing that data to be compiled and executed on the server. A common form of injection is SQL injection.
Preventing Injection Attacks
- Use a safe API which avoids the use of the interpreter entirely
- Use positive or “whitelist” server-side input validation
- Escape special characters
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
Related reading:
A04:2021—Insecure Design
Insecure Design is a category of weaknesses that originate from missing or ineffective security controls. Some applications are built without security in mind. Others do have a secure design, but have implementation flaws that can lead to exploitable vulnerabilities.
By definition, an insecure design cannot be fixed by proper implementation or configuration. This is because it is lacking basic security controls that can effectively protect against important threats.
Preventing insecure design
- Establish a secure software development lifecycle (SSDLC)
- Leverage application security practices from early stages of software development
- Create a library of secure design patterns, and use it to build new applications
- Leverage threat modeling to design critical features like authentication and access control
- Integrate security concerns and controls into all user stories
A05:2021—Security Misconfiguration
Security Misconfiguration is a lack of security hardening across the application stack. This can include improper configuration of cloud service permissions, enabling or installing features that are not required, and default admin accounts or passwords. This now also includes XML External Entities (XXE), previously a separate OWASP category.
Preventing security misconfiguration
- Establish a hardening process for applications, which is fast and easy to deploy
- Configure development, QA, and production identically (with different credentials)
- All systems should have a minimal setup without unnecessary features and components
- Configurations should be regularly updated, applying patches and security advisories
- Establish an automated process to verify secure configurations in all environments
A06:2021—Vulnerable and Outdated Components
Vulnerable and Outdated Components, previously known as “Using Components with Known Vulnerabilities,” includes vulnerabilities resulting from unsupported or outdated software. Anyone who builds or uses an application without knowing its internal components, their versions, and whether they are updated, is exposed to this category of vulnerabilities.
Preventing vulnerable and outdated components
- Remove unused dependencies, features, components, and files from applications.
- Maintain an inventory of components and their versions, both on the client side and server side, using software composition analysis (SCA) tools
- Continuously scan libraries and their dependencies for vulnerable components
- Only use components from official sources, and prefer signed packages
- Urgently remediate vulnerabilities, remove affected components, or apply a virtual patch
A07:2021—Identification and Authentication Failures
Identification and Authentication Failures, previously known as Broken Authentication, this category now also includes security problems related to user identities. Confirming and verifying user identities, and establishing secure session management, is critical to protect against many types of exploits and attacks.
Mitigating Broken Authentication
- Implement multi-factor authentication
- Do not deploy systems with default credentials
- Check for a list of the top 10,000 worst passwords
- Use the guidelines in NIST 800-63 B section 5.1.1 for Memorized Secrets
- Harden all authentication-related processes like registration and credential recovery
- Limit or delay failed login attempts
Related reading:
A08:2021—Software and Data Integrity Failures
Software and Data Integrity Failures involve code and infrastructure that are vulnerable to integrity violations. This includes software updates, modification of sensitive data, and CI/CD pipeline changes performed without validation. An insecure CI/CD pipeline can lead to unauthorized access, introduction of malware, and other severe vulnerabilities.
There is a global concern around applications with automatic updates. In several cases, attackers broke into the supply chain and created their own malicious updates. Thousands of organizations were compromised by downloading updates and applying these malicious updates to previously trusted applications, without integrity validation.
Preventing software and data integrity failures
- Use digital signatures or similar mechanisms to verify software or data is from the expected source and has not been altered.
- Ensure libraries and dependencies, such as npm or maven, are pulling from trusted repositories
- Establish a review process for code and configuration changes
- Ensure that your CI/CD pipeline has proper configuration and access controls
A09:2021—Security Logging and Monitoring Failures
Security Logging and Monitoring Failures, previously named “Insufficient Logging and Monitoring”, involves weaknesses in an application’s ability to detect security risks and respond to them. Breaches cannot be detected without logging and monitoring. Failures in this cateogry affect visibility, alerting, and forensics.
Preventing security logging and monitoring failures
- Ensure login, access control, and server-side input validation is logged
- Ensure logs contain enough context to identify suspicious behavior and enable in-depth forensic analysis.
- Ensure logs are in a format compatible with log management solutions
- Take measures to prevent attackers from tampering with log data
A10:2021—Server Side Request Forgery
A Server-Side Request Forgery (SSRF) vulnerability occurs when a web application pulls data from a remote resource based on a user-specified URL, without validating the URL. Even servers protected by a firewall, VPN, or network access control list (ACL) can be vulnerable to this attack, if they accept unvalidated URLs as user inputs.
Preventing Server Side Request Forgery
- Avoid accepting URLs in client inputs, and if absolutely necessary, sanitize inputs
- Isolate any remote resource access functionality in a separate network to reduce impact
- Use “deny by default” firewall policies to block unwanted Internet traffic
- Use a positive allow list with URL schema, port, and destination
- Disable HTTP redirections
- Never return raw responses to clients
Imperva Application Security
Imperva’s industry-leading Web Application Firewall (WAF) provides robust protection against OWASP Top 10 attacks and other web application threats. Imperva offers two WAF deployment options:
- Cloud WAF—permit legitimate traffic and prevent bad traffic. Safeguard your applications at the edge with an enterprise‑class cloud WAF.
- Gateway WAF—keep applications and APIs inside your network safe with Imperva Gateway WAF.
In addition to WAF, Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe. The Imperva application security solution includes:
- DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
- CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
- Bot management—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic.
- API security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.
- Account takeover protection—uses an intent-based detection process to identify and defends against attempts to take over users’ accounts for malicious purposes.
- RASP—keep your applications safe from within against known and zero‑day attacks. Fast and accurate protection with no signature or learning mode.
- Attack analytics—mitigate and respond to real security threats efficiently and accurately with actionable intelligence across all your layers of defense.