The Open Web Application Security Project (OWASP) has updated its Top 10 list of the most critical security risks to web applications for the first time since 2017. It is the most radical shake-up since the list was introduced in 2003, and the changes will have a big impact on how businesses approach application security going forward. This article looks at three of the most significant changes in the new Top 10.
New Methodology for Current and Future Threats
This time OWASP took a more data-driven approach in order to get better insight into current and emerging threats. Contributing organizations provided more than 1.5 million data points on the weaknesses they find in real applications. OWASP mapped the data to CWE categories, then weighted each category by its incidence rate and by exploitability and impact scores derived from the CVSS data of mapped CVEs before deriving the overall ranking.
OWASP also included survey data from security professionals about emerging threats, so that the list is not blindly data-driven. Server-Side Request Forgery (SSRF) is the clearest example: its incidence rate in the contributed data is still low, but it ranked first in the community survey because practitioners expect it to grow significantly. SSRF lets an attacker make a vulnerable server issue requests on the attacker's behalf, typically to internal services, cloud metadata endpoints or other targets that are not reachable from the outside, which is a very serious risk. As a result SSRF became a new category (A10:2021) this year.
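To make the SSRF mechanism concrete, here is an added example (written for this article, not code from OWASP or from the original page) of a "fetch this URL for me" feature in its vulnerable form next to a hardened URL check. The allowlist, the FAKE_DNS table, the fake_http_get function and all host names are constructed assumptions so the code runs offline; a real service would resolve names with socket.getaddrinfo() and make the request with an HTTP client.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline (hypothetical names/addresses).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["151.101.0.1"],
    "internal.corp": ["10.0.0.5"],               # private network
    "metadata": ["169.254.169.254"],              # cloud metadata endpoint (link-local)
    "evil.example.net": ["93.184.216.99", "127.0.0.1"],  # one public record, one loopback
}


def fake_resolve(host):
    """Return the constructed A/AAAA records for host (empty list if unknown)."""
    return FAKE_DNS.get(host, [])


def fake_http_get(url):
    """Stand-in HTTP client that just records what would have been requested."""
    return "GET " + url


def fetch_url_vulnerable(url, http_get=fake_http_get):
    """SSRF-prone pattern: the server fetches whatever URL the client supplied."""
    return http_get(url)


def is_safe_url(url, allowed_hosts=None, resolve=fake_resolve):
    """Return True only if url points at a public host the service may contact.

    Checks, in order: scheme is http(s); a host is present and carries no
    userinfo (blocks http://api.example.com@evil.example.net tricks); the host is
    on the allowlist when one is configured; and every address the host resolves
    to is globally routable, so loopback, private, link-local (cloud metadata)
    and multicast targets are all rejected even when only one record is bad.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # lower-cased, IPv6 brackets stripped
    if not host or parsed.username is not None or parsed.password is not None:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False
    if not addrs:
        return False  # unresolvable names are refused, not retried
    return all(a.is_global for a in addrs)


def fetch_url_hardened(url, http_get=fake_http_get, allowed_hosts=None, resolve=fake_resolve):
    """Hardened fetch: refuse anything is_safe_url() does not accept."""
    if not is_safe_url(url, allowed_hosts, resolve):
        raise ValueError("refusing to fetch " + url)
    return http_get(url)


if __name__ == "__main__":
    target = "http://169.254.169.254/latest/meta-data/"
    print(fetch_url_vulnerable(target))          # would reach the metadata service
    try:
        fetch_url_hardened(target)
    except ValueError as exc:
        print(exc)
```

Two caveats a practitioner should keep in mind: an allowlist of hosts is the primary control and the address check is defence in depth, and the check above is still subject to DNS rebinding, because the name is resolved once for validation and again by the HTTP client. Production code should connect to the validated IP address (with the Host header set to the original name) and should disable or re-validate redirects.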
With this new methodology, OWASP is now able to offer comprehensive insight into the most serious current and future threats.
OWASP Top 10 Expands Security to the Left
One key change in the new Top 10 is the inclusion of categories (e.g. Insecure Design, A04:2021, and Software and Data Integrity Failures, A08:2021) that recognize the industry has to start with better application design practices to improve security.
Many application vulnerabilities creep into software because secure design principles are not followed from the outset; in the race for faster delivery, corners get cut. Software and Data Integrity Failures covers exactly this: code and infrastructure that trust updates, plugins, libraries or CI/CD pipelines without verifying their integrity. This problem is getting worse as dependency trees deepen. Businesses must ensure that all their software components come from trusted repositories, verify their integrity (signatures, checksums and pinned versions), and use software supply chain and software composition analysis tools to check them for known vulnerabilities.
Major Ranking Changes Due to the Evolving Threat Landscape
Injection attacks, which had held the number 1 spot since 2010, are now ranked number 3 (with Cross-Site Scripting folded into the same category). While this is welcome news, we cannot claim victory just yet. Your valuable data is still very much at risk from vulnerable apps that allow bad actors to run unauthorized commands and access the sensitive corporate information your business depends on.
Injection attacks have been replaced at the top of the list by Broken Access Control (A01:2021). OWASP reports that 94% of the applications in its data set were tested for some form of broken access control, with an average incidence rate of 3.81%, and that the 34 CWEs mapped to this category had more occurrences than any other category in the data.
Identification and Authentication Failures (A07:2021) has dropped from number 2 to number 7, a change OWASP attributes in part to the increased availability of standardized authentication frameworks that are easier to adopt correctly.
This suggests that as businesses have improved how they determine who can access an application, they have neglected to enforce what an individual user, process or device is allowed to do once inside it. Authentication answers who you are; authorization answers what you may do, and a correct login does nothing to protect an object ID the application never checks ownership of. It is crucial to consider authentication and authorization together for a better security posture.
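The following added example (written for this article, not code from OWASP or from the original page) shows the difference in a single request handler: both versions authenticate correctly, but only the hardened one checks whether the authenticated user may read the invoice it was asked for. The SESSIONS and INVOICES tables, the user IDs and the role names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical roles: "customer", "admin" (anything else gets no access)


# Constructed session table: a bearer token maps to the authenticated user.
SESSIONS = {
    "tok-alice": User(7, "customer"),
    "tok-bob": User(8, "customer"),
    "tok-admin": User(1, "admin"),
    "tok-auditor": User(9, "auditor"),  # role the policy does not know about
}

# Constructed invoice store: each invoice belongs to exactly one customer.
INVOICES = {
    1001: {"owner_id": 7, "amount": 120.00},
    1002: {"owner_id": 8, "amount": 999.99},
}


def authenticate(token):
    """Identification and authentication (A07): who is making this request?"""
    return SESSIONS.get(token)


def can_read_invoice(user, invoice):
    """Authorization (A01): deny by default, grant only the explicit cases."""
    if user.role == "admin":
        return True
    if user.role == "customer" and invoice["owner_id"] == user.user_id:
        return True
    return False


def handle_invoice_request_vulnerable(token, invoice_id):
    """Broken access control: any logged-in user can read any invoice by ID."""
    user = authenticate(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice  # ownership is never checked


def handle_invoice_request(token, invoice_id):
    """Hardened: authenticate, then authorize against the specific object."""
    user = authenticate(token)
    if user is None:
        return 401, None  # authentication failure
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not can_read_invoice(user, invoice):
        return 403, None  # authorization failure
    return 200, invoice


if __name__ == "__main__":
    # Alice (user 7) asks for Bob's invoice 1002.
    print(handle_invoice_request_vulnerable("tok-alice", 1002))  # leaks it
    print(handle_invoice_request("tok-alice", 1002))             # (403, None)
```

Note that the authorization decision lives in one function that takes the user and the object, so the rule can be unit-tested on its own and reused by every endpoint that touches invoices. Some teams return 404 rather than 403 on the denied path so that attackers cannot enumerate which IDs exist; either way, the point is that the check happens on every object access, not just at login.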
Still a Lot of Work Ahead to Bring Left and Right Security Together
The 2021 OWASP Top 10 is a big step forward. OWASP's expansion of security to the left, with new categories and significant changes to the rankings, will require businesses to re-evaluate their application security posture holistically. Addressing security earlier in the development lifecycle will likely prevent many common attacks, but businesses must complement this with robust, proven and scalable protections on the "right", such as web application firewalls. It is not just about shifting left; it is about expanding to the left. You need both "left" and "right" security for a better multilayer security posture.