Open Web Application Security Project (OWASP) is a non-profit organization that aims to improve software security. It is a one-stop shop for individuals, enterprises, government agencies, and other global organizations seeking failure and real-world knowledge regarding application security.
With cybercrime on the rise, distributed denial-of-service (DDoS) assaults, faulty access control, and data breaches occur frequently. The OWASP Foundation developed the OWASP Top 10 to help avoid these security concerns. It is a ranking of the ten most severe security dangers to contemporary online applications, sorted by perceived importance. OWASP’s last “Top 10” list was published in 2017, which was recently updated in Q4 of 2021.
OWASP revised list of the top 10 vulnerabilities for enterprises in 2021, five years after its last publication. This article explains the 10 prevalent vulnerabilities as listed by OWASP and are most likely to devastate enterprises in the next half a decade or so;
1. Broken access control
2. Cryptographic failures
3. Injections
4. Insecure design
5. Security misconfigurations
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery (SSRF)
1. Broken access control
Access control implements strategies to prevent users from operating beyond the scope of their specified permissions. Due to access vulnerabilities, unauthenticated or unwanted users may access classified data and processes and user privilege settings.
Metadata manipulation, including tampering or replaying with a JSON web token (JWT) access control token, or modifying cookies or hidden fields to boost privileges or exploit JWT invalidation, is an example of an access control vulnerability. A second example is a breach of the principle of denial by default. Access must be granted only to specific roles, capabilities, or users but is accessible to everyone. Such errors may make it simple for attackers to get access to everything they want.
Taking precautions such as disabling administrator accounts and restrictions and installing multi-factor authentication. Enforce access control mechanisms only once and reuse them for the duration of the application to reduce cross-origin resource sharing (CORS), Domain models should impose distinct application business limit constraints, Limit access to application programming interfaces (API) and controllers to mitigate the effects of automated attack tools, Log failures in access control and alert administrators as required.
2. Cryptographic failures
Cryptographic failures, formerly known as sensitive data exposure, rose one spot to position two. This is more of a symptom than a primary cause; the emphasis here lies on cryptographic errors or lack thereof, which frequently expose sensitive data. The following are typical examples of sensitive information exposure:
Session tokens
Login IDs and passwords
Online transactions
Personal information
You should use robust, salted and adaptive hashing algorithms with a delay factor to store passwords, like scrypt, Argon2, PBKDF2 or bcrypt. Older protocols such as file transfer protocol (FTP) and simple mail transfer protocol (SMTP) should be avoided when transferring sensitive data. Instead of merely using encryption, it is advisable to implement authenticated encryption.
3. Injections
Injection (or SQL injections) is a database attack against a website that uses structured query language (SQL) to obtain information or perform activities that would ordinarily need an authenticated user account. These codes are difficult for the program to interpret from its own code, allowing attackers to conduct injection attacks to gain access to protected areas and sensitive data masquerading as trusted users. Injections include SQL injections, command injections, CRLF injections, and LDAP injections, etc.
With a maximum estimated incidence of 19 percent, an average rate of incidence of 3 percent, and 274,000 instances, 94 percent of the applications were screened for injections. As a result, Injection fell to the third position in the revised list.
A preferable alternative is to employ an API that completely eschews the interpreter, offers a parameterized API, or translocates to object-relational mapping (ORM) instruments.
Utilizing positive server-side validation input is recommended. Numerous applications, including text fields and APIs for mobile apps, necessitate special characters.
Utilizing LIMIT and other SQL constraints inside queries is a great way to avoid massive data exposure in the case of a SQL injection.
4. Insecure design
This is a brand-new category for 2021 that focuses on the design and architectural flaws, with a need for greater use of threat modeling, design safety recommendations, and reference architectures. Insecure design is a wide category that contains a variety of problems, such as .”missing or inadequate control design.” That does not imply that insecure design is the root of all other top 10 risk categories.
Insecure design is not the same as insecure implementation. Implementation flaws can lead to vulnerabilities, even when the design is secure. On the other hand, a flawed design cannot be compensated for by a flawless implementation as necessary security safeguards do not exist to defend against specific threats.
One can avert these threats by employing the following prevention techniques:
Set up and use a secure development lifecycle with the assistance of AppSec specialists to evaluate and build security and privacy safeguards.
Threat modeling is advised for crucial verification, access control, application logic, and essential flows.
5. Security misconfigurations
General security setup issues, quite like misconfigured access controls, pose significant hazards by providing attackers with quick and easy access to critical data and site regions.
With an average rate of incidence of 4% and over 208,000 occurrences of a common weakness enumeration (CWE) in this category, OWASP checked 90% applications for misconfiguration. “CWE-16 configuration” and “CWE-611 improper restriction of XML external entity reference” are two notable CWEs included.
6. Vulnerable and outdated components
The majority of online apps are created with the help of third-party frameworks. Unknown application codes may result in undesirable outcomes and unwanted situations such as accent control violations, SQL injections, etc.
If the program is insecure, unsupported, or outdated, there may be vulnerability-related hazards. The package includes the application/web server, operating system, applications, database management system (DBMS), APIs, other elements, libraries, and runtime environments.
It is best to purchase components from official sources through secure channels. Keep a lookout for modules and elements that are not functional or do not provide security updates for older versions. If patching cannot be carried out, consider developing virtual patches to observe, identify, or safeguard against the observed vulnerability.
7. Identification and authentication failures
This category, formerly known as broken authentication, dropped from second place and now contains CWEs linked to identification problems. When an attacker obtains user information, password recovery, ID sessions, and other login credentials, it poses security issues. As the name implies, an identity and authentication failure includes hackers exploiting such vulnerabilities to take advantage of inadequate authentication.
If the application permits automated assaults like credential stuffing — when the attacker has access to lists of real users and passwords — or predefined, weaker, and common passwords such as “123456” or “admin/admin,” these could be signs of authentication flaws.
Multi-factor authentication must be used wherever feasible to avoid automated credential stuffing, brute-force attacks, and the reuse of stolen credentials. By checking new or modified passwords against a database of the 10,000 worst passwords, it is possible to boost password security.
8. Software and data integrity failures
This is a new category, and it focuses on assuming the integrity of software updates, vital data, and CI/CD procedures without verifying them. One example is when applications use extensions, modules, or repositories from content delivery networks (CDNs) or unauthorized sources. A continuous integration/continuous delivery (CI/CD) process that is not protected might raise the risk of malicious code, system compromise or unauthorized access.
Prevention techniques include:
It is necessary to guarantee that the CI/CD workflow has the required segmentation, access control, and parameterization to safeguard the code integrity throughout the set up and deploy operations.
Compilation data that is unsigned or unencrypted should not be sent to untrusted clients unless integrity testing or a digital signature is in place to identify data alteration or duplication.
9. Security logging and monitoring failures
A lack of tracking in the presence of suspicious actions and occurrences can expand gaps in time that go unmonitored, allowing security breaches to go unnoticed for longer than they would with better logging. This OWASP Top 10 2021 section is meant to aid in the identification, escalation, and resolution of recent breaches. Detection of a security breach is unlikely without recording and monitoring.
A major European airline had a notifiable General Data Protection Regulation (GDPR) incident to illustrate this failure. Intruders presumably exploited payment application security flaws to gain data of over 400,000 consumer payments. In response, the privacy authorities fined the airline 20 million pounds for the misplaced data.
To avoid such attacks, it is wise for users to:
Verify that all authentication, access security systems, and server-side data validation problems are recorded with sufficient user information to detect suspicious or fraudulent accounts and stored for an adequate period to a delayed comprehensive investigation.
Make sure that logs are created in formats consumable by log management systems.
10. Server-side request forgery (SSRF)
The results for this category reveal an above-average testing coverage, reasonably low incidence rate, and above-average Impact and Exploit ratings. SSRF develops when server-side queries are conducted without verifying the URL given by the user. This allows an attacker to induce an application to transmit a forged request to an undesired location, even if it is protected by virtual private networks (VPN), firewalls, or network access control list (ACL).
Fetching a URL has become a typical occurrence as new online applications give end-users convenient functionalities. Consequently, SSRF prevalence is increasing. In addition, the intensity of SSRF is growing due to cloud services and design complexity.
Conclusion
Collaboration with OWASP can help make applications more resistant to cyber threats, contribute to a more robust network and cloud encryption, raise the likelihood of application success, and dramatically improve the company’s cyber resilience. Thank you for your time, Like and leave a comment/review and as always, stay awesome! 👊 💪
