The definitive OWASP Top 10 2021 list is out, and it shows that broken access control is currently the most serious web application security risk.
How is the list compiled?
“We get data from organizations that are testing vendors by trade, bug bounty vendors, and organizations that contribute internal testing data. Once we have the data, we load it together and run a fundamental analysis of what CWEs map to risk categories,” the Open Web Application Security Project (OWASP) explains.
“This installment of the Top 10 is more data-driven than ever but not blindly data-driven. We selected eight of the ten categories from contributed data and two categories from the Top 10 community survey at a high level.”
The reason for leaving space for direct input from application security and development experts on the front lines is that it takes time to develop ways to test new vulnerabilities, and these experts can offer knowledge of essential weaknesses that the contributed data may not yet show.
The list is then published so that it can be reviewed by practitioners, who may offer comments and suggestions for improvements.
OWASP Top 10 2021: What has changed in the last 4 years?
According to OWASP (and as can be seen in the list below), there are three new categories in this most recent version of the OWASP Top 10 list: Insecure Design, Software and Data Integrity Failures, and Security Logging and Monitoring Failures.
“A new category for 2021 focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. As a community we need to move beyond ‘shift-left’ in the coding space to pre-code activities that are critical for the principles of Secure by Design,” OWASP noted.
The Software and Data Integrity Failures category includes failures related to software updates (insufficient integrity verification), critical data, and (insecure) CI/CD pipelines.
Security Logging and Monitoring is critical for detecting, escalating, and responding to active breaches.
Some other categories have been renamed (to focus on the root cause over the symptom) and rescoped, and some have been consolidated.
The final list is as follows:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
OWASP explains each category in detail, with examples of attack scenarios, references, lists of mapped CWEs and tips on how to prevent vulnerabilities from that class.
The project also advises organizations on how to use it (as a baseline) for starting an application security program.
“The OWASP Top 10 gives us a powerful snapshot of how far the appsec has come – and how far we still need to go. Half of the categories in the new list have appeared in every single list since 2003 in some shape or form, so 18 years of technological developments, experiments and learnings has not been enough to remedy these flaws. This means we need to change our approach to application security,” Sean Wright, Principal Application Security Engineer at Immersive Labs, told Help Net Security.
“The inclusion of ‘failures’ for the first time suggests to me that our approach to date is missing a vital piece of the puzzle: the people behind the screens. We need to empower developers to bake security into their design, code, and support efforts, and equip teams with the knowledge to effectively utilize technologies to deliver more secure applications. This is about giving people and technology the best chance to work together if we want to reduce the impact and spread of the vulnerabilities we see over and over again. Adopting a hybrid human/technology approach to resolving these vulnerabilities will put us in a powerful position to elevate application security and, hopefully, resolve some of the most impactful issues from the last two decades. Once we’ve taken steps to achieve this, I feel confident that we’ll start seeing less of the same thing in future OWASP Top 10 lists.”