The Open Web Application Security Project (OWASP) celebrated its 20th anniversary last week with a 24-hour webinar during which the organization released the 2021 edition of its well-known Top 10 list of web application security risks.
The online conference, held on September 24th-25th, where the Top 10 was launched, featured speakers from around the world presenting on topics including privacy, information security, and diversity in the workplace. During one of the sessions on Friday afternoon, Andrew van der Stock, the executive director of OWASP, presented the revised Top 10 to attendees. The list was last updated in 2017, and this year's edition is said to contain significant changes in how OWASP views and categorizes today's web application threats.
The updated list for 2021 is as follows:
- Broken access control
- Cryptographic failures
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
What is OWASP and its top 10 list?
OWASP is a non-profit foundation dedicated to improving the security of software. It operates under an 'open community' model in which anyone can participate in projects, events, and so on, and contribute in any way. The core values on which OWASP was built are:
Open: Everything at OWASP is radically transparent from our finances to our code.
Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
Global: Anyone around the world is encouraged to participate in the OWASP community.
Integrity: Our community is respectful, supportive, truthful, and vendor neutral.
(via the OWASP website)
The OWASP Top 10 web application security risks is a list published by the foundation on its website that ranks, and gives remedies for, what it considers the ten most significant web application risks. The accompanying report that elaborates on the list is based on a general consensus among security experts from around the world. According to OWASP,
“The risks are ranked and based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The purpose of the report is to offer developers and web application security professionals insight into the most prevalent security risks so that they may incorporate the report’s findings and recommendations into their security practices, thereby minimizing the presence of these known risks in their applications.”
OWASP first introduced the list in 2003. Since then, it has updated the list every 2-3 years to reflect changing trends and advances in the industry. The importance of the list lies mainly in the information it provides: some of the world's largest organizations use it as a checklist for maintaining standards in web application development.
Relevance and implications of the 2021 list
In 2021, the OWASP Top 10 has gained such credibility that auditors often treat an organization's failure to address the list as an indication that it may be falling short of compliance standards. Conversely, an organization that has addressed all ten risks signals that it is committed to developing according to industry best practices.
One of the key points of interest in the 2021 list is 'broken access control' being deemed the number one web application security risk. Back in December 1996, Chris Wysopal, now CTO of Veracode and an application security expert, published his first vulnerability report. He found that in Lotus Domino 1.5, IBM's popular business collaboration software, data could be edited or deleted if permissions were not set properly or if URLs were edited. This was called 'broken access control'.
To put it more simply, access control enforces policies so that users cannot act outside the permissions that have been set for them. If those permissions are missing or not enforced, an attacker can gain access to other users' accounts and even act as an administrator.
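The following added example is not from the article or from OWASP; it illustrates the failure mode described above in plain Python, without a web framework. A vulnerable record handler that trusts the id supplied in the request is shown beside a hardened version in which every handler goes through one deny-by-default policy check. All users, roles, records and the `PERMISSIONS` table are constructed for the demonstration.

```python
# Added example (not the article's or OWASP's code): object-level access
# control, shown as a vulnerable handler beside a hardened one.
# Every user, record and role below is constructed for the demo.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample store: two users, each owning one record.
RECORDS = {
    1: Record(1, owner_id=100, body="alice's invoice"),
    2: Record(2, owner_id=200, body="bob's invoice"),
}


# Vulnerable: the handler trusts the id taken from the URL and never asks
# who is asking, so any logged-in user can read any record by editing the
# id (the "URLs were edited" failure mode the article describes).
def get_record_vulnerable(caller: User, record_id: int) -> Record:
    return RECORDS[record_id]


# Hardened: one policy table and one check function, called by every
# handler. An action that is not in the table maps to an empty set, so the
# default is deny; only the record owner or a holder of "admin" is allowed.
PERMISSIONS = {
    "read": {"owner", "admin"},
    "delete": {"owner", "admin"},
    "audit": {"admin"},
}


def check_access(caller: User, record: Record, action: str) -> None:
    allowed = PERMISSIONS.get(action, set())
    relations = set(caller.roles)
    if record.owner_id == caller.user_id:
        relations.add("owner")  # relation to this object, not a global role
    if not (relations & allowed):
        raise Forbidden(
            f"user {caller.user_id} may not {action} record {record.record_id}"
        )


def get_record(caller: User, record_id: int) -> Record:
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    check_access(caller, record, "read")
    return record


def delete_record(caller: User, record_id: int) -> None:
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    check_access(caller, record, "delete")
    del RECORDS[record_id]


def can(caller: User, record_id: int, action: str) -> bool:
    """True if the policy permits the action on the record, False if denied."""
    try:
        check_access(caller, RECORDS[record_id], action)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob = User(100), User(200)
    admin = User(300, roles=frozenset({"admin"}))
    # Bob can read Alice's record through the vulnerable handler...
    print(get_record_vulnerable(bob, 1).body)
    # ...but the hardened policy denies him and permits the owner and admin.
    print(can(bob, 1, "read"), can(alice, 1, "read"), can(admin, 1, "read"))
```

The point of the hardened version is that the decision lives in one place and is deny-by-default: a handler for a new action that forgets to add an entry to `PERMISSIONS` fails closed rather than open, and a missing ownership relation cannot be bypassed by changing an id in the request.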
Comparing the 2017 and 2021 lists, broken access control, a security risk first documented in 1996 (25 years ago), has moved from 5th to 1st place. According to OWASP,
“Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.”
Given that this two-decade-old problem still plagues web applications, it follows that adhering to security best practices is essential, because flaws such as broken access control, vulnerable or outdated components (6th on the list), and injection (3rd on the list) are among the easiest for attackers to exploit.
In a year like 2021, when cybersecurity needs to be accessible to every person and organization, improving regulations and working to ensure compliance with them can go a long way toward protection. Simply put, the new approach to software development that organizations like OWASP and individuals like Chris Wysopal are promoting will help smooth the development process, reduce development costs, and, most importantly, improve compliance with regulations.