Over two decades, the Open Web Application Security Project’s top-10 list has become an essential report card for software security professionals. OWASP compiles its list of authentication vulnerabilities and other issues using Common Weakness Enumeration reports from a worldwide community of developers. Beginning with its 2017 effort, the group augmented the CWE reports with a survey of application security professionals. OWASP noted on its website that “looking at the contributed data is looking into the past,” while an industry survey reflects the present-day concerns of AppSec practitioners.
With its 2021 list, the group sought to address a developer gripe from earlier reports. The nonprofit redefined several categories, thus reducing ambiguities and the perception of overlaps. The refined OWASP Top 10 2021 highlights new threats, growing concerns, and a pair of success stories.
A Trio of New Threats Emerges
A common thread among the OWASP 2021 first-timer categories is the need for developers to adhere to programming best practices.
The new category of Insecure Design places fourth in OWASP 2021. The classification covers several weaknesses that are the result of a single cause: a missing control. OWASP cites faulty password recovery procedures and insufficient anti-bot measures as examples. The group argues that a cultural change in application development will need to accompany any practical steps. That culture change would entail more attention to security before yielding to the pressure of deploying new features.
OWASP’s design process suggestions include:
- Build a threat model.
- Involve AppSec professionals in every stage of the development process.
- Concurrently develop tests for new applications before deployment.
Software and Data Integrity Failures
Another newcomer to the OWASP Top 10, the Software and Integrity Failures category debuts in ninth place. Insecure JSON files are a typical cause of these failures. Libraries, plugins, and packages from unvetted repositories contribute to the problem. More burdensome to root out, flaws in an organization’s content integration/content deployment process can also lead to data integrity breaches. Finally, OWASP draws attention to auto-updates of packages with insufficient verification. Auto-updates open the door to the enterprise-wide distribution of malicious code without human intervention. OWASP highlights these remedies:
- Use a software tool to scan applications for known vulnerabilities.
- Audit the CI/CD pipeline for proper configuration.
- Impose digital signatures on JSON files to detect tampering.
Server-Side Request Forgery
The third new entry for 2021 occupies 10th place but was the number-one concern on the AppSec professional survey. Beyond the difficulty of pronouncing it quickly, Server-Side Request Forgery is a growing headache for developers. As a convenience feature, web apps increasingly fetch resources with user-supplied URLs. Unvalidated URLs are the beginning of an SSRF. Using this invalid URL, hackers can divert the request to another target. This forged request can even penetrate firewalls and virtual private networks, hence the concern of AppSec pros.
By OWASP’s estimation, the growth of cloud services drives the increase of SSRF exploits. Network segmenting is one way to minimize an enterprise’s risk for SSRF. OWASP’s guidance for developers includes:
- Sanitize user-supplied URL input before relaying requests.
- Deny all requests to HTTP addresses.
- Limit requests to entries on a vetted “allow” list.
OWASP specifically warns against the use of “deny” lists, noting that hackers have demonstrated the ability to circumvent this security shortcut.
Existing Security Concerns Grow
Five categories from 2017 increased in severity over the preceding four years.
Broken Access Control
Broken Access Control moved up four places to assume the 2021 top spot. Broken access occurs when a hacker gains entry and control of a remote database. Cross-Origin Resource Sharing, a technology used by complex websites to allow cross-communication with other sites, remains among the worst vulnerabilities. If websites follow protocol, these cross-website exchanges are validated and secure. CORS can prove seductive to webmasters. However, when webmasters cut corners to add functionality to their sites, validation sometimes goes out the window, and hackers may stroll in unimpeded. OWASP recommends webmasters use CORS with care and thoroughly document validation in their code.
In the second slot of the 2021 OWASP survey, Cryptographic Failures gained one position from 2017. Despite escalating legal penalties for mishandling sensitive data, the survey noted weak protections for passwords, outdated cryptographic algorithms, and clear text transmissions.
OWASP’s recommended measures include:
- Encrypt all sensitive data at rest.
- Enforce encryption for data in transit with Transport Layer Security.
- Delete unnecessary sensitive information as quickly as possible.
- Arrange independent audits of sensitive data procedures.
Consumers who purchase home WiFi routers often fail to replace the default passwords and network names. This shortcoming, known as security misconfiguration, also exists at the enterprise level. As a category, Security Misconfiguration moved up one notch to the fifth position in the 2021 report.
To meet customer needs, developers allow more and more configuration options with each application update. More configuration options equal more opportunities for hackers. With the rapid pace of updates, OWASP notes that many enterprises leave new configurations in their default settings.
OWASP recommends that server application customers configure their systems uniformly across the enterprise. This step simplifies upgrades and lessens the chance of misconfigurations slipping through the cracks.
Other suggestions include:
- Strip out unused frameworks and avoid installing unneeded features.
- Regularly review vendor security notes.
- Implement cloud access security lists
Vulnerable and Outdated Components
Gaining three spots from 2017, the challenge of vulnerable and outdated components also placed second on OWASP’s survey of security professionals. The problem boils down to a single word: dependencies. Web applications components depend on one another, with each building block having the same privileges as the application. Therefore, a web application is as secure as its most vulnerable package.
OWASP singles out Internet of Things monitoring devices in health care settings as an inviting avenue of attack. IoT devices measurably improve patient outcomes, but the rushed monitoring applications that accompanied their deployment have proven highly vulnerable. OWASP recommendations include:
- Use a Software Composition Analysis scanning tool.
- Update components for Node.js and other runtime environments.
- Implement virtual patches where updates are impractical.
Even when not flagged in a scan, the group recommends coders should eyeball components with no recent updates.
Security Logging and Monitoring Failures
In an enterprise network environment, logging and monitoring are the equivalents of eating vegetables: a valuable long-term practice that yields little immediate benefit. Security Logging and Monitoring Failures moved up to the ninth position in OWASP 2021 and was the third-ranked concern in the AppSec survey. OWASP notes that until a network breach occurs, it can be challenging to evaluate the quality of a logging strategy. In a further paradox, the group notes that detailed logs are themselves an attractive target for hackers. Beyond establishing an incident response plan, OWASP recommends network administrators identify high-value transactions and focus their logging and monitoring efforts with those priorities.
Developers Show Progress
Amid emerging threats and growth in familiar exploits, OWASP reported progress on two security fronts.
Injection exploits, the number-one threat in 2017, fall to third place in OWASP 2021. In a nutshell, an injection attack is the execution of an unauthorized database query. A malicious query on an enterprise-level database can be catastrophic. Born by exploiting SQL database requests, injection attacks now include Object Graph Navigation Library queries, operating system commands, and LDAP requests.
The solution to injection attacks is coders following good programming practice, and developer diligence in recent years accounts for injection’s decline in OWASP 2021. To keep that positive trend going, OWASP suggests:
- Use a proven application programming interface to separate data from commands and requests.
- Match escape characters to the runtime environment’s syntax.
- Take extraordinary care with “EXECUTE IMMEDIATE” commands.
- Sanitize user-supplied requests before creating SQL tables or columns.
Identification and Authentication Failures
Though 2020 unleashed a tsunami of remote workers logging into corporate websites, developers pushed Identification and Authentication Failures down seven notches for 2021.
Over four years, coders have tightened up procedures for forgotten passwords and credential stuffing exploits. Another glaring weakness, openly displaying session IDs in a browser’s URL field, is also on the way out. A few OWASP recommendations include:
- Never ship an application with default credentials enabled.
- Implement multi-factor identification for users, preferably with an option for a Yubikey or similar hardware token.
- Ban weak passwords.
- Immediately invalidate session IDs after timeouts and logoffs.
- Limit failed login attempts.
OWASP 2021 Builds the Case for SCA
- Software and Data Integrity Failures: SOOS integrates smoothly with existing CI/CD pipelines. A SOOS scan compares every project component against a constantly updated list of more than 145,000 vulnerabilities and then graphically spells out the severity of each issue.
- Vulnerable and Outdated Components: SOOS manages the introduction of dependencies, including nested dependencies, with ease.
Beyond OWASP issues, SOOS keeps license compliance and governance policies under control. Security is not an option, and it’s well within reach with SOOS.