
OWASP Shakes Up Web Application Threat Categories with Release of Draft Top 10



The Top 10 List is a widely used guide to modern web application security threats

The Open Web Application Security Project (OWASP) has released its draft 2021 Top 10 list revealing an upheaval in how modern threats are categorized.

In an announcement yesterday (September 8), OWASP noted that the draft Top 10 Web Application Security Risks for 2021 had been released for “peer review, comment, translation, and suggestions for improvements.”

The draft report, available for viewing online, contains significant changes in how the nonprofit categorizes current web application threats, which had not been updated since 2017.

[Image: State of play: OWASP Top 10 changes in 2021 (preview)]

Dig into the Top 10 project

There are three new categories: “Insecure Design”, “Software and Data Integrity Failures”, and a group for “Server-Side Request Forgery (SSRF)” attacks.

The 2017 “XML External Entities (XXE)” category has been folded into the 2021 “Security Misconfiguration” category, “Cross-Site Scripting (XSS)” has been folded into “Injection”, and “Insecure Deserialization” is now part of “Software and Data Integrity Failures”.

The OWASP has also renamed several categories to match the scope changes.


When the organization analyzes vulnerability data contributed by cybersecurity companies, specific data factors are used to generate the Top 10 list. These include the Common Weakness Enumeration (CWE) entries mapped to each category, the percentage of applications vulnerable to a particular CWE, and how widely those CWEs are tested for across the contributing organizations.

OWASP also takes into account the weighted average exploit and impact metrics of a vulnerability, based on CVSSv2 and CVSSv3 scores, the total number of applications with a CWE mapped to a category, and the total number of CVEs attributable to a particular type of threat.

OWASP Top 10: The Complete List

1. A01:2021 Broken Access Control: 34 CWEs. Access control vulnerabilities include elevation of privilege, malicious URL modification, access control bypass, CORS misconfiguration, and primary key tampering.

2. A02:2021 Cryptographic Failures: 29 CWEs. This covers security failures when data is in transit or at rest, such as use of weak cryptographic algorithms, poor or lax key generation, failure to encrypt or to verify certificates, and transmission of data in cleartext.

3. A03:2021 Injection: 33 CWEs. Common injections affect SQL, NoSQL, operating system commands, and LDAP, and can be caused by failures to sanitize input, XSS vulnerabilities, and a lack of file path protection.

4. A04:2021 Insecure Design: 40 CWEs. Insecure design elements vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include a lack of protection for stored data, flaws in application logic, and the display of content that reveals sensitive information.

5. A05:2021 Security Misconfiguration: 20 CWEs. Applications can be considered vulnerable if they lack security hardening, if unnecessary features are enabled (such as overly permissive privileges), if default accounts are left active, and if security features are present but not configured correctly.

6. A06:2021 Vulnerable and Outdated Components: three CWEs. This category focuses on client-side and server-side components, failures to maintain components, outdated supporting systems (such as an operating system, web servers, or libraries), and component misconfiguration.

7. A07:2021 Identification and Authentication Failures: 22 CWEs. Security concerns include improper authentication, session fixation, certificate mismatches, permitting weak credentials, and a lack of protection against brute-force attacks.

8. A08:2021 Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category, and any failure to enforce it correctly, such as deserializing untrusted data or failing to verify code and updates pulled from a remote source, falls under it.

9. A09:2021 Security Logging and Monitoring Failures: four CWEs. Problems that may hamper the analysis of a data breach or other attack fall under this category, including logging issues, failure to record security-relevant events, and storing security-related log data only locally.

10. A10:2021 Server-Side Request Forgery: one CWE. SSRF vulnerabilities occur when a server does not validate user-supplied URLs before fetching remote resources. OWASP says the adoption of increasingly complex cloud services and architectures has increased the severity of SSRF attacks.
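A08 is about trusting code and data only after its integrity has been checked. The following is an added example, not code from the article or from OWASP, showing the consumer side of an update flow: the artifact is downloaded, its SHA-256 digest is compared in constant time against a digest pinned in a trusted place (source control or a separately fetched signed manifest), and only then is it handed to the installer. The artifact bytes, the `publish` helper standing in for the release process, and the `install` hook are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Callable

# Constructed sample artifact: a tiny install script the "publisher" releases.
TRUSTED_ARTIFACT = b"#!/bin/sh\necho 'install step 1'\n"


def publish(artifact: bytes) -> str:
    """Publisher side (simulated): produce the digest that gets pinned
    out-of-band, e.g. committed to source control or placed in a signed
    manifest. It must never travel only alongside the download itself."""
    return hashlib.sha256(artifact).hexdigest()


def verify_download(downloaded: bytes, pinned_hex: str) -> bool:
    """Consumer side: recompute the digest of what was actually received and
    compare it against the pinned value using a constant-time comparison."""
    if len(pinned_hex) != 64:  # malformed pin: fail closed rather than guess
        return False
    actual_hex = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual_hex, pinned_hex.lower())


def install_if_verified(downloaded: bytes, pinned_hex: str,
                        install: Callable[[bytes], None]) -> bool:
    """Gate the privileged step on the integrity check. Returns True only if
    the artifact matched the pin and was handed to the installer."""
    if not verify_download(downloaded, pinned_hex):
        return False
    install(downloaded)
    return True


# Pinned at build/publish time, read back by the consumer at install time.
PINNED_SHA256 = publish(TRUSTED_ARTIFACT)

# Constructed tampered copy: one byte of the script changed in transit.
TAMPERED_ARTIFACT = TRUSTED_ARTIFACT.replace(b"step 1", b"step 2")


if __name__ == "__main__":
    installed = []
    ok = install_if_verified(TRUSTED_ARTIFACT, PINNED_SHA256, installed.append)
    bad = install_if_verified(TAMPERED_ARTIFACT, PINNED_SHA256, installed.append)
    print("genuine artifact installed:", ok)     # True
    print("tampered artifact installed:", bad)   # False
    print("installer invoked", len(installed), "time(s)")
```

The important design point is where the pin comes from: a digest served next to the artifact from the same origin proves nothing, because whoever can replace the artifact can replace the digest. Signature verification against a key held by the publisher is the stronger form of the same check; the structure (verify first, then deserialize or execute) is identical.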
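A10 describes the root cause of SSRF as a server fetching a user-supplied URL without validating it. The following is an added example, not code from the article or from OWASP, of the validation a fetch endpoint should perform before making the request: an allow list of schemes and hostnames, rejection of embedded credentials and unexpected ports, and a check that every address the host resolves to is public rather than loopback, link-local, or private. The allow list, the fake DNS table, and the `fake_getaddrinfo` resolver are constructed so the example runs offline; in production the resolver parameter would be left at its default of `socket.getaddrinfo`.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed allow list: the only origins this service is meant to fetch from.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_PORTS = {443}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable addresses; everything internal is rejected."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str,
                       resolver: Callable = socket.getaddrinfo) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check fails closed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow list"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Resolve now and reject any internal address. Note the caveat: the HTTP
    # client must connect to an address from this same resolution, otherwise a
    # DNS answer that changes between check and use (rebinding) defeats the check.
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "name resolution failed"
    for info in infos:
        ip_text = info[4][0]
        if not is_public_address(ip_text):
            return False, f"host resolves to non-public address {ip_text}"
    return True, "ok"


# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],   # documentation range, public
    "cdn.example.com": ["10.0.0.5"],          # mis-pointed at an internal host
}


def fake_getaddrinfo(host: str, port: int, proto: int = 0) -> List[tuple]:
    """Mimics the shape of socket.getaddrinfo results for the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for candidate in [
        "https://images.example.com/logo.png",
        "http://images.example.com/logo.png",
        "https://user:pw@images.example.com/",
        "https://images.example.com:8443/",
        "https://127.0.0.1/",
        "https://cdn.example.com/asset.js",
    ]:
        print(candidate, "->", validate_fetch_url(candidate, resolver=fake_getaddrinfo))
```

Two points worth noting for anyone adapting this: the allow list does the bulk of the work, and the address check is a second layer for the case where an allowed name is pointed at an internal address; and because the check and the connect must use the same resolution result, this validator belongs inside (or tightly coupled to) the HTTP client rather than as a standalone pre-check.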

Analysis: OWASP shifts left

The additions of ‘Insecure Design’ and ‘Software and Data Integrity Failures’ “show how the entire software industry continues to ‘shift left’ with more emphasis on design and development, secure architecture, as well as threat modeling,” Tom Eston, practice director of application security at Bishop Fox, told The Daily Swig.

“Often, secure design and threat modeling are overlooked due to the speed of modern development. It’s also great to finally see OWASP calling out software integrity and CI/CD pipeline security as another area of focus.”


OWASP has also updated the methodology used to generate the Top 10 list. Eight out of 10 categories are based on data, and two were selected based on responses from industry surveys.

“AppSec researchers take time to find new vulnerabilities and new ways to test them,” the organization explains. “It takes time to integrate these tests into tools and processes.

“By the time we can reliably test for a weakness at scale, years have probably passed. To balance this point of view, we use an industry survey to ask people on the frontlines what they see as critical weaknesses the data may not yet show.”

It should be noted that once cybersecurity experts and peers provide feedback, this list may be subject to change.

Positive responses

OWASP Top 10 co-lead Brian Glas told us that the project has initially received a lot of positive responses, although he expects “a small number of people who disagree with the current project”.

“This is a complex industry and subject, and people can have a wide range of backgrounds. For some, the Top 10 project will align with their experience and perceptions, for others not, and I expect [there will] likely [be] some minor changes as we process the comments and polish the draft,” although that is not yet set in stone.

Andrew van der Stock, executive director of OWASP, added: “In this version we’re trying to give advice on how people actually use it. In the 2007 and 2017 versions, I wrote that this is an awareness document and no more. But that’s not how people use it.

“If the OWASP Top 10 were a game, the majority of uses would be seen as unintended emergent gameplay but welcomed by the authors. So this time around, we’ve chosen to say how to best use it as an informal standard and as the very beginning of an AppSec program.”

OWASP also thanked organizations such as AppSec Labs, GitLab, Cobalt.io, HackerOne, and Veracode, among others, for contributing data covering over 500,000 applications.

The nonprofit says these contributions have amassed “the largest and most comprehensive application security dataset” to date.

Along with the draft report, an “extra surprise” will be published on September 24. OWASP hopes that the next installment will arrive sooner than the four years this one took, a gap lengthened by Covid-19.
