OWASP Top 10 key changes


What is OWASP Top 10?

The Open Web Application Security Project (OWASP) is a global non-profit organization committed to enhancing web application security. The OWASP Top 10 is a list of the most critical security risks to web applications and is typically updated and released every three to four years.

The 2021 update was timely, as businesses increasingly rely on applications to deliver value to their services, making secure software development a crucial part of application development and DevOps processes.

Key Changes

The 2021 update introduced three significant changes from the previous version in 2017. Here are the new entries and the ones that moved up the list:

[Figure: OWASP Top 10 - 2017 to 2021 mapping]

1. Broken Access Control (moved up from #5 in 2017)

  • Became the #1 issue in 2021
  • Encompasses more specific access control problems
  • Covers unauthorized access to functionality or data
  • Includes issues like: Bypassing access control checks, Elevation of privilege, Metadata manipulation (e.g., JWT tampering), CORS misconfiguration, Forced browsing to authenticated pages as an unauthenticated user
  • Real-world example: In 2019, a researcher found that he could access any Shopify store’s admin panel by adding “/admin” to the end of the store’s URL, bypassing authentication entirely.
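To make the "bypassing access control checks" and "forced browsing" bullets concrete, here is an added Python example written for this post (it is not code from OWASP or from any company named above). It models a document-download endpoint without a web framework; the session table, users and documents are constructed sample data, and the function names are assumptions.

```python
# Added illustration of Broken Access Control: an endpoint that trusts a
# client-supplied document id versus one that enforces ownership server-side.
# Sessions, users and documents below are constructed sample data.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


DOCUMENTS = {
    1: Document(1, owner_id=10, body="alice's invoice"),
    2: Document(2, owner_id=20, body="bob's invoice"),
}
SESSIONS = {
    "sess-alice": User(10, "user"),
    "sess-bob": User(20, "user"),
    "sess-admin": User(99, "admin"),
}


def fetch_document_vulnerable(session_token, doc_id):
    """Vulnerable: checks that *some* session exists, then returns whatever id
    the client asked for. Any logged-in user can read every other user's
    document (an insecure direct object reference)."""
    if session_token not in SESSIONS:
        raise PermissionError("login required")
    return DOCUMENTS[doc_id].body


def fetch_document(session_token, doc_id):
    """Hardened: deny by default, resolve the caller from the server-side
    session, then require ownership or the admin role for this record."""
    user = SESSIONS.get(session_token)
    if user is None:
        # Unauthenticated request: forced browsing to this URL gets nothing.
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc.owner_id != user.user_id and user.role != "admin"):
        # Same response for "does not exist" and "not yours", so the id space
        # cannot be enumerated from the error message.
        raise PermissionError("not found")
    return doc.body


def is_denied(fetch, session_token, doc_id):
    """Helper for the checks below: True if the endpoint refuses the request."""
    try:
        fetch(session_token, doc_id)
    except PermissionError:
        return True
    return False
```

The important design choice is that the identity used for the decision comes from server-side session state, never from the request, and that the check is made per record rather than once at login.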

2. Cryptographic Failures (previously Sensitive Data Exposure)

  • Renamed to focus more on failures related to cryptography
  • Emphasizes the root cause rather than the symptom
  • Includes: Transmission of sensitive data in clear text, Use of weak cryptographic algorithms, Improper key management, Use of default or weak cryptographic keys, Lack of proper certificate validation
  • Real-world example: The 2017 Equifax data breach exposed personal information of 147 million people due to unencrypted data in transit and weak encryption methods for stored data.

3. Injection (moved down from #1 in 2017)

  • Still a critical issue, but no longer the top vulnerability
  • Scope narrowed slightly due to the rise of safer programming languages and frameworks
  • Includes: SQL injection, NoSQL injection, OS command injection, LDAP injection, Expression Language injection
  • Real-world example: In 2015, a SQL injection vulnerability in British telecom TalkTalk’s website led to the theft of personal data of 156,959 customers.

4. Insecure Design (New)

  • Focuses on risks related to design and architectural flaws
  • Emphasizes the need for secure design patterns and principles
  • Covers: Lack of proper security controls, Insecure business logic, Failures in secure design patterns, Insufficient security requirements gathering, Lack of threat modeling in the design phase
  • Real-world example: The 2020 SolarWinds supply chain attack exploited insecure design in the software update process, allowing attackers to inject malicious code into legitimate software updates.

5. Security Misconfiguration (moved up from #6 in 2017)

  • Gained importance due to the increasing complexity of systems
  • Includes issues with cloud misconfigurations
  • Includes: Unnecessary features enabled or installed, Default accounts with unchanged passwords, Overly informative error messages, Misconfigured HTTP headers, Improper security hardening
  • Real-world example: In 2019, a misconfigured Amazon S3 bucket exposed 540 million Facebook user records from third-party apps, including account names and comments.
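Of the items above, "misconfigured HTTP headers" and "overly informative error messages" are the ones a team can check mechanically. Here is an added Python example written for this post (not code from the original article or from any vendor) that audits a set of response headers against a small baseline; both header sets are constructed, and the baseline itself is an assumption you would adapt to your own policy.

```python
# Added illustration of Security Misconfiguration: a small audit of HTTP
# response headers against a baseline. Header sets below are constructed.
import re

# Headers that should be present, each with a check that the value is meaningful.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
}
# Headers that commonly leak product versions in default installs.
VERSION_LEAK_HEADERS = ("server", "x-powered-by")


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not value_ok(h[name]):
            findings.append(f"weak {name}: {h[name]!r}")
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing restriction (x-frame-options or CSP frame-ancestors)")
    for name in VERSION_LEAK_HEADERS:
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"{name} discloses a version: {h[name]!r}")
    return findings


# Constructed: what an unhardened default install typically sends.
DEFAULT_INSTALL = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}
# Constructed: the same response after hardening.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Server": "nginx",
    "Content-Type": "text/html",
}
```

Running this over every environment's responses in CI catches the common case where a header is set in production but silently missing from a newly created staging or cloud deployment.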

6. Vulnerable and Outdated Components (previously Using Components with Known Vulnerabilities)

  • Renamed to emphasize both known vulnerabilities and outdated software
  • Reflects the growing importance of software supply chain security
  • Covers: Unpatched libraries, frameworks, and modules, Unsupported or outdated software components, Lack of vulnerability scanning and patch management, Failure to update underlying platforms, OS, and dependencies
  • Real-world example: The 2017 Equifax breach was partly due to an unpatched Apache Struts vulnerability, highlighting the risks of using outdated components.

7. Identification and Authentication Failures (previously Broken Authentication)

  • Renamed to cover a broader range of authentication-related issues
  • Includes problems with session management
  • Includes: Permitting weak passwords, Weak credential recovery processes, Improper session management, Missing or ineffective multi-factor authentication, Exposure of session IDs in URLs
  • Real-world example: In 2019, a flaw in Facebook’s “View As” feature allowed attackers to steal access tokens and take over user accounts.
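Cryptographic Failures (item 2) and Identification and Authentication Failures (item 7) meet in password storage, so one added example covers both: weak hashing beside a salted slow hash, a minimal check against weak passwords, and session-id generation. This is Python written for this post, not code from OWASP or Facebook; the iteration count and the breached-password set are assumptions.

```python
# Added illustration of Cryptographic Failures and Identification and
# Authentication Failures: password storage done badly and done properly, a
# minimal password-acceptance check, and session-id generation.
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_password_weak(password: str) -> str:
    """Weak: unsalted MD5. Equal passwords give equal hashes, and the digest is
    cheap enough to brute-force or look up in precomputed tables."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Stronger: per-user random salt and a slow key-derivation function.
    The stored record carries everything needed to verify later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def password_is_acceptable(password: str, breached: set) -> bool:
    """Minimal policy for the "permitting weak passwords" bullet: a length
    floor plus a check against a set of known-breached passwords."""
    return len(password) >= 12 and password.lower() not in breached


def new_session_id() -> str:
    """Session identifiers come from the OS CSPRNG and are never derived from
    user data; they belong in a cookie, not in the URL."""
    return secrets.token_urlsafe(32)
```

Note that the record format stores the algorithm and iteration count alongside the hash, which is what lets you raise the work factor later and re-hash users transparently at their next login.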

8. Software and Data Integrity Failures (New)

  • Focuses on code and infrastructure that rely on software updates, critical data, and CI/CD pipelines without verifying their integrity
  • Addresses concerns about software supply chain attacks
  • Covers: Insecure CI/CD pipelines, Unsigned auto-updates, Insecure deserialization, Use of libraries from untrusted sources, Lack of integrity checks on critical data
  • Real-world example: The 2020 compromise of SolarWinds’ Orion software update system allowed attackers to distribute malicious updates to thousands of organizations.
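The "unsigned auto-updates" and "lack of integrity checks" bullets come down to one rule: verify before you apply. The following is an added Python example written for this post (not SolarWinds code or any vendor's updater); the manifest, artifact bytes and function names are constructed assumptions, and in practice the manifest would itself be signed by the vendor.

```python
# Added illustration of Software and Data Integrity Failures: an update is
# applied only if its digest matches a pinned value from a trusted manifest,
# and configuration data is parsed rather than deserialised as code.
import hashlib
import hmac
import json

# Constructed sample manifest. In a real deployment this would be fetched over
# TLS and carry a vendor signature; here it is inline.
MANIFEST = {
    "agent-1.2.3.tar.gz": "sha256:" + hashlib.sha256(b"release bytes v1.2.3").hexdigest(),
}


def verify_artifact(name: str, data: bytes, manifest: dict) -> bool:
    """True only if `name` is listed and its SHA-256 matches the pinned digest."""
    pinned = manifest.get(name)
    if not pinned or not pinned.startswith("sha256:"):
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned[len("sha256:"):])


def apply_update_vulnerable(name: str, data: bytes) -> str:
    """Vulnerable: whatever arrived is installed, no questions asked."""
    return f"installed {name} ({len(data)} bytes)"


def apply_update(name: str, data: bytes, manifest: dict = MANIFEST) -> str:
    """Hardened: refuse unlisted or tampered artifacts before touching disk."""
    if not verify_artifact(name, data, manifest):
        raise ValueError(f"integrity check failed for {name}")
    return f"installed {name} ({len(data)} bytes)"


def update_is_rejected(name: str, data: bytes, manifest: dict = MANIFEST) -> bool:
    """Helper for the checks below."""
    try:
        apply_update(name, data, manifest)
    except ValueError:
        return True
    return False


def load_settings(raw: bytes) -> dict:
    """Data integrity for config: parse a plain data format instead of
    unpickling, so untrusted bytes cannot run code while being loaded."""
    settings = json.loads(raw)
    if not isinstance(settings, dict):
        raise ValueError("settings must be a JSON object")
    return settings
```

Pinning a digest only moves the trust question to the manifest, which is why the manifest has to be authenticated (signed, or fetched from a source whose integrity is already established) rather than downloaded from the same untrusted channel as the artifact.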

9. Security Logging and Monitoring Failures (previously Insufficient Logging & Monitoring)

  • Expanded to include more aspects of detection and response
  • Emphasizes the importance of logging and monitoring in security
  • Includes: Lack of logging for critical activities, Unclear or inadequate log messages, Logs not monitored for suspicious activities, Lack of effective incident response plans, Failure to alert on security events
  • Real-world example: The 2013 Target data breach, affecting 41 million consumers, went undetected for weeks despite security systems flagging the suspicious activity.
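"Logs not monitored for suspicious activities" is best illustrated by a detection that actually runs over log lines. Here is an added Python example written for this post (not code from Target or from the original article): it parses a few constructed authentication log lines, then alerts when one source address fails logins against many distinct accounts inside a short window. The log format, field names, threshold and window are all assumptions.

```python
# Added illustration of Security Logging and Monitoring: parse authentication
# events and alert on one source failing against many accounts in a short
# window. The log lines, format and thresholds are constructed for this post.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth login_failed user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth login_failed user=bob src=203.0.113.5
2024-05-01T10:00:05Z auth login_failed user=carol src=203.0.113.5
2024-05-01T10:00:07Z auth login_failed user=dave src=203.0.113.5
2024-05-01T10:00:09Z auth login_failed user=erin src=203.0.113.5
2024-05-01T10:00:11Z auth login_ok user=alice src=198.51.100.7
2024-05-01T10:00:12Z auth login_failed user=alice src=198.51.100.7
2024-05-01T10:30:00Z auth login_failed user=frank src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) auth (\w+) user=(\S+) src=(\S+)$")


def parse_events(log_text: str) -> list:
    """Return (timestamp, event, user, src) tuples for lines matching LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # In production, count unparsable lines too: silently dropping
            # them is itself a monitoring failure.
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_many_account_failures(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """Sliding window per source address over login_failed events; alert when
    the number of distinct target accounts in the window reaches `threshold`."""
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, user), ...] within the window
    for ts, event, user, src in sorted(events):
        if event != "login_failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.pop(0)
        if len({u for _, u in q}) >= threshold and src not in alerts:
            alerts.append(src)
    return alerts
```

Counting distinct accounts per source, rather than failures per account, is what separates this pattern from an ordinary lockout rule: a single failure per account never trips per-account thresholds, which is exactly why it needs its own detection.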

10. Server-Side Request Forgery (SSRF) (New)

  • Added due to the increasing prevalence and impact of this vulnerability
  • Reflects the growing adoption of cloud services and complex architectures
  • Covers: Attacks against internal servers behind firewalls, Attacks against the server itself, Data exfiltration, Port scanning of internal networks, Leveraging cloud services metadata
  • Real-world example: In 2019, Capital One suffered a data breach affecting 100 million customers due to an SSRF vulnerability that allowed an attacker to access AWS metadata and steal credentials.
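The defensive counterpart to the SSRF bullets is validating any user-supplied URL before the server fetches it, including resolving the hostname and refusing non-public addresses such as the link-local cloud metadata address. The following is an added Python example written for this post, not code from Capital One, AWS or the original article; the allow-listed schemes, the `resolve_host` helper and the offline fake resolver are assumptions.

```python
# Added illustration of SSRF defence: validate a user-supplied URL before the
# server fetches it, resolving the host and rejecting non-public addresses.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host: str) -> list:
    """Default resolver (assumed helper): every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Rejects RFC 1918/ULA, loopback, link-local (which includes the cloud
    # metadata address 169.254.169.254), multicast, reserved and unspecified.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver=resolve_host) -> tuple:
    """Return (allowed, reason). The resolver is injectable so the check can
    be exercised offline."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        try:
            ips = resolver(parts.hostname)
        except OSError:
            return False, "DNS resolution failed"
    if not ips:
        return False, "host has no addresses"
    for ip in ips:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed offline resolver for the checks below.
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "intranet.internal": ["10.0.0.5"]}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Two caveats a practitioner should keep in mind: the address resolved during validation can differ from the one resolved at connect time (DNS rebinding), so the fetch should connect to the validated IP rather than resolve again; and HTTP redirects must either be disabled or re-validated, because a public host can redirect the server to an internal one. An allow-list of permitted destinations is stronger than this deny-list wherever the use case permits it.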

Notable Removals from 2017 List:

  • XML External Entities (XXE)
  • Cross-Site Scripting (XSS) – now part of the Injection category

This comparison highlights the evolving nature of web application security threats and the industry’s response to emerging risks.

How to use OWASP guidelines?

OWASP’s recommendations are an effective way to address web application security. Here are the steps organizations should follow:

  • Identify: Recognize the OWASP Top 10 vulnerabilities relevant to your business and assess how they may impact your applications.
  • Awareness: Educate your team, including developers, application testers, and management, about the OWASP Top 10 to ensure everyone understands the critical security risks.
  • Plan: Develop a strategy to address the identified vulnerabilities, prioritizing them based on their potential impact and likelihood of occurrence.
  • Integrate: Incorporate OWASP Top 10 guidelines into your software development lifecycle (SDLC), ensuring security is considered at every stage from design to deployment.
  • Monitor: Continuously monitor applications for security incidents and vulnerabilities, and ensure that any new threats are immediately addressed.
  • Review and Update: Regularly revisit your security practices and the OWASP Top 10 list to adapt to new vulnerabilities and changing business needs.

Conclusion

Incorporating the OWASP Top 10 guidelines into a business’s security strategy is an effective way to enhance web application security. By raising awareness, prioritizing risks, integrating security into the development process, ensuring compliance, and assessing talent, organizations can significantly reduce their vulnerability to cyber threats.

For tailored solutions related to integrating the OWASP Top 10 into your business security strategy, consider consulting with an expert from Ampcus Cyber.
