OWASP shakes up web application threat categories with release of Top 10 draft

The Top 10 list is a widely used guide to modern web application security threats

The Open Web Application Security Project (OWASP) has released its draft Top 10 2021 list revealing a shake-up in the categorization of modern threats.

In an announcement made yesterday (September 8), OWASP said the draft Top 10 Web Application Security Threats for 2021 had been released for “peer review, comment, translation, and suggestions for improvement.”

The draft report, available online, contains significant changes to how the nonprofit classifies today’s web application threats, a taxonomy that has not been updated since 2017.

Dig into the Top 10 draft

There are three new categories: “Insecure Design”, “Software and Data Integrity Failures”, and a group for “Server-Side Request Forgery (SSRF)” attacks.

The 2017 “XML External Entities (XXE)” category has been folded into the 2021 “Security Misconfiguration” category, “Cross-Site Scripting (XSS)” is now part of “Injection”, and “Insecure Deserialization” is now part of “Software and Data Integrity Failures”.

OWASP also renamed several categories to match scope changes.

The Top 10 is generated from data contributed by cybersecurity companies, which OWASP analyzes against specific factors. These include the software and hardware Common Weakness Enumeration (CWE) mappings, the percentage of applications vulnerable to a particular CWE, and how widely each CWE is tested for across organizations.

OWASP also considers weighted exploitability and impact averages derived from CVSSv2 and CVSSv3 scores, the total number of applications found to have CWEs mapped to a category, and the total number of CVEs attributable to a particular type of threat.


OWASP Top 10: The Complete List

1. A01:2021 – Broken Access Control: 34 CWEs. Access control vulnerabilities include privilege escalation, malicious URL modification, access control bypass, CORS misconfiguration, and tampering with primary keys.

2. A02:2021 – Cryptographic Failures: 29 CWEs. This covers security failures while data is in transit or at rest, such as the use of weak cryptographic algorithms, poor or lax key generation, failure to enforce encryption or to verify certificates, and clear-text data transmission.

3. A03:2021 – Injection: 33 CWEs. Common injections affect SQL, NoSQL, OS commands, and LDAP, and can be caused by sanitization failures, XSS vulnerabilities, and a lack of file path protection.

4. A04:2021 – Insecure Design: 40 CWEs. Insecure design flaws vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include a lack of protection for stored data, application logic flaws, and the display of content that reveals sensitive information.

5. A05:2021 – Security Misconfiguration: 20 CWEs. Applications can be considered vulnerable if they lack security hardening, if unnecessary features are enabled – such as over-generous privileges – if default accounts are left active, and if security features are not configured correctly.

6. A06:2021 – Vulnerable and Outdated Components: three CWEs. This category covers client-side and server-side components, component maintenance failures, outdated supporting systems – such as an operating system, web server, or libraries – and component misconfiguration.

7. A07:2021 – Identification and Authentication Failures: 22 CWEs. Security issues include improper authentication, session fixation, certificate mismatches, weak credential checks, and a lack of protection against brute-force attacks.

8. A08:2021 – Software and Data Integrity Failures: 10 CWEs. Integrity is the focus of this category: any failure to verify it correctly – such as deserializing untrusted data, or not verifying code and updates pulled from a remote source – falls here.

9. A09:2021 – Security Logging and Monitoring Failures: four CWEs. Issues that may impede the analysis of a data breach or other attack fall into this category, including logging gaps, failure to capture security-relevant event streams, or storing logs only locally.

10. A10:2021 – Server-Side Request Forgery (SSRF): one CWE. SSRF vulnerabilities occur when a server fails to validate user-submitted URLs before fetching remote resources. OWASP says the adoption of increasingly complex cloud services and architectures has increased the severity of SSRF attacks.
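As an added example (not from the article or from OWASP), this is the kind of validation A10 describes as missing: before fetching a user-supplied URL, the server checks the scheme, rejects embedded credentials, enforces a host allowlist, and confirms the resolved address is publicly routable. The host names, allowlist and DNS answers are constructed so the code runs offline.

```python
"""Added example, not from the article or OWASP: the URL check a server
should run before fetching a user-supplied URL, the control whose absence
A10:2021 (SSRF) describes. Host names and DNS answers are constructed."""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Constructed DNS answers so the example runs offline. 93.184.216.34 is a
# publicly routable address; 10.0.0.5 stands in for an internal service that
# an allowlisted name has been (mis)pointed at.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "cdn.example.com": "10.0.0.5",
    "internal.example.com": "10.0.0.9",
}


def check_fetch_url(url, resolve=FAKE_DNS.get):
    """Return (True, resolved_ip) if the URL may be fetched, else (False, reason).

    Checks run in order: scheme, embedded credentials, host allowlist, and the
    *resolved* address, so a permitted name cannot be used to reach a private
    range. The caller should connect to the returned IP rather than re-resolve.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:  # urlparse lowercases the scheme
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # "http://images.example.com@10.0.0.5/" parses with host 10.0.0.5
        return False, "credentials in URL"
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %r" % host
    ip = resolve(host)
    if ip is None:
        return False, "host did not resolve"
    addr = ipaddress.ip_address(ip)
    # is_global rejects loopback, RFC 1918, link-local, CGNAT, reserved, etc.
    if not addr.is_global:
        return False, "%s resolves to non-public address %s" % (host, ip)
    return True, ip
```

Connect to the returned address rather than resolving the name a second time; re-resolving after the check reopens the window for a DNS answer to change between validation and fetch.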


Analysis: OWASP shifts left

“The additions of ‘Insecure Design’ and ‘Software and Data Integrity Failures’ show how the entire software industry continues to ‘shift left’ with more emphasis on secure design and architecture as well as threat modelling,” Tom Eston, director of the application security practice at Bishop Fox, told The Daily Swig.

“Often, secure design and threat modeling are overlooked due to the speed of modern development. It’s also great to see OWASP finally call out software integrity and security of CI/CD pipelines as another area of focus.”

OWASP also updated the methodology used to generate the top 10 list. Eight out of 10 categories are data-driven, and two were selected based on industry survey responses.

“AppSec researchers take time to find new vulnerabilities and new ways to test them,” the organization explains. “It takes time to integrate these tests into tools and processes.

“By the time we can reliably test a large-scale weakness, years have probably passed. To balance this view, we use an industry survey to ask people on the front lines what they consider to be critical weaknesses that the data may not yet show.”

The list may still change once cybersecurity experts and peers have provided their feedback.

Positive responses

Brian Glas, co-editor of OWASP’s Top 10, told us the draft has initially received a lot of positive responses, though he expects “a small number of vocal people who disagree with the current draft”.

“It’s a complex industry and a complex subject, people can have a wide range of experiences and backgrounds. For some, the Top 10 project will align with their experience and perceptions, for others it won’t, and I expect [there will] likely [be] some minor tweaks as we process feedback and polish the draft” – though that’s not set in stone just yet.

Andrew van der Stock, Executive Director of OWASP, added: “In this release, we’re trying to give guidance on how people actually use it. In the 2007 and 2017 versions, I wrote that it is an awareness document and nothing more. But that’s not how people use it.

“If the OWASP Top 10 were a game, the majority of uses would be considered unintended but well-received emergent gameplay by the authors. So this time around, we’ve chosen to say how best to use it: as an informal standard and as the very beginning of an AppSec program.”

OWASP also thanked organizations including AppSec Labs, GitLab, Cobalt.io, HackerOne, and Veracode for contributing data covering more than 500,000 applications.

The nonprofit says these contributions have been “the largest and most comprehensive set of application security data” to date.

Alongside the draft report, a “surprise supplement” will be published on September 24. OWASP hopes the next edition will arrive sooner than the four years this one took, a gap lengthened by Covid-19 delays.
