OWASP Top 10 2021 - The List and How You Should Use It

00:00

The OWASP Top 10 has developed into  an international security standard  

00:03

used by organizations across the globe.  But even organizations that use OWASP  

00:08

still end up as victims of cyberattack. So what  is the OWASP Top 10 and how should you be using it?

00:14

What do you need to know so it becomes your friend?

00:33

OWASP, or the Open Web Application Security  Project, was launched in 2003 to improve the  

00:39

security of software, notably web applications.  The OWASP Top 10 is a standard awareness document  

00:46

that represents a broad consensus about the  most critical security risks to web applications.  

00:52

Nearly all involved with OWASP are volunteers  and it is not affiliated with any technology  

00:57

company. This lack of commercial pressure  cements OWASP's claim of "unbiased, practical  

01:02

and cost-effective information about  application security." Or does it?

01:11

OWASP uses a community of  open source software projects,  

01:14

hundreds of local chapters worldwide, tens of  thousands of members and training conferences  

01:19

to compile their list of Top 10 risks. Data and  documentation is fed into a GitHub repository  

01:26

managed by OWASP after the Top 10 core team  release a data call. Industry contributors are  

01:31

also encouraged to participate in a survey. Once  the data is collected in GitHub, it is normalized  

01:38

and analyzed. Surveys are collected and reviewed. A  draft Top 10 list is then made using eight risks  

01:44

taken from the data and two from the survey. The  draft is released publicly and the editing process  

01:49

is recorded in GitHub. Once a public consensus  has been reached, the OWASP Top 10 is released.

01:59

Last updated in 2017, the new list  released on 24 September 2021  

02:04

featured changes in category order, category name  changes as well as some entirely new categories.  

02:10

Let's take a look at the 2021 list and explain  what the Top 10 categories actually mean.

02:19

Broken Access Control - up from number  five - has taken the top spot in 2021.  

02:24

This is an important change as it replaced  injection - largely seen as the most popular  

02:28

form of risk exploited by cybercriminals.  Broken Access Control allows attackers to  

02:34

bypass authorization safeguards and perform  tasks as if they were privileged users.  

02:39

Put simply, broken access control gives an  attacker the ability to expose sensitive data  

02:44

modify or destroy data, or perform pretty much any  network function. It is the holy grail of exploits.

02:55

Cryptographic Failures - previously called  Sensitive Data Exposure - is in at number two  

03:00

from number three. Cryptographic Failures  signifies a renewed focus by OWASP on failures  

03:06

related to cryptography. In essence, this category  exploits information transferred over secure  

03:11

communication between two parties, which often  provides an attacker with useful information  

03:16

in the post-exploitation phase, like  how to maintain persistent access.  

03:24

Injection - previously known as Cross-site Scripting  and considered the king of vulnerabilities -  

03:29

slid down to number three. Injection exploits  a vulnerable computer program by introducing  

03:34

code that changes the way a program executes. For  example, by injecting code into a web application  

03:40

an attacker can steal authentication  cookies and use them on other online  

03:45

services, tricking these services into  thinking that the attacker is you.

03:52

Insecure Design - a new category for the  2021 OWASP Top 10 - is in at number four. It  

03:58

was included as a firm call for developers to  include more security patterns and principles  

04:02

by design. This is an important consideration  when including a new application into your  

04:08

network infrastructure, especially given  the supply chain attack on SolarWinds  

04:11

and the effect it had on third-party service providers.

04:18

Security Misconfiguration - in at number five,  up from number six - was present in 90%  

04:23

of applications tested, not surprising  given the rise in highly configurable software.  

04:29

Security Misconfiguration is a failure to  implement all the security controls for a  

04:34

server or web application, or implementing  security controls but with errors. Everyone  

04:39

makes mistakes and security misconfigurations  occur through a broad range of human errors:  

04:44

misinterpreting a system implementation;  not changing default logging credentials;  

04:49

a lack of computer skills; or, mistakes  made under time pressure, for example.

04:56

Vulnerable and Outdated Components -  previously known as Using Components  

05:00

with Known Vulnerabilities - is up at number  six, from number nine. By OWASP's own admission,  

05:05

this category is difficult to test, but  featured highly in the community survey  

05:09

therefore contributing to its recent rank.  Vulnerable and Outdated Components includes  

05:14

operating systems, web or application  servers, database management systems,  

05:19

apis, and all components runtime environments  and libraries that are vulnerable,  

05:24

unsupported, or out of date. An adversary only  needs to find one vulnerable component to  

05:29

compromise a system. The problem is approximately  18,000 new vulnerabilities are found  

05:34

each year, so protecting against known  vulnerabilities is an ongoing process.

05:42

A new name given to Broken Authentication,  Identification and Authentication Failures  

05:47

comes in at number seven, down from number two - a  good sign that standardized frameworks are helping.  

05:52

broken authentication referred to the compromise of passwords,  

05:56

keys, session tokens, user account information  and other details to assume user identities.  

06:02

The new position of Identification and  Authentication Failures shows that procedures  

06:06

like MFA are integral in authenticating key  information, like usernames and passwords.

06:15

Another new category, Software and Data Integrity  Failures comes in at number eight, focusing on  

06:20

software updates, critical data, CI/CD pipelines  and includes Insecure Desterilization from 2017.  

06:28

This new category relates to code and  infrastructure that does not protect against  

06:32

integrity violations. An example of this is where  an application, like Wordpress, relies on plugins  

06:38

from untrusted sources one compromise plugin  can give an attacker access to your application.

06:47

Previously categorized as Insufficient  Logging and Monitoring, Security Logging  

06:51

and Monitoring Failures comes in at number nine,

06:53

up from number 10. Although admittedly hard to  test for due to a lack of representation in CVE/CSS data,

07:01

Security Logging and Monitoring Failures  can seriously impact visibility and forensics.

07:09

Lastly, at number 10, Server-side Request Forgery  is another new addition due to its position as  

07:14

number one in the community survey, indicating  strong feedback from the security community  

07:18

that it is an important risk but not illustrated  in the data collected. Server-side Request Forgery  

07:24

is a type of exploit where an attacker abuses the  functionality of a server causing it to access or  

07:29

manipulate information that would otherwise  not be directly accessible to the attacker.

07:38

The OWASP Top 10 is the go-to listing for anyone  concerned with raising their awareness of top  

07:43

risks. The addition of survey considerations  as well as pure statistical data means that  

07:48

OWASP does not solely rely on data collected by  automated tests. Where possible, the categories  

07:54

are ranked given three main considerations  exploitability likelihood and technical impact.

08:00

However, OWASP themselves claim that it is a  baseline - a "pseudo standard" even - for compliance,  

08:05

education and vendor tools. As an awareness  document, it is regarded as the bare minimum  

08:10

reference for standards of coding, code reviews,  peer reviews, tool support and penetration testing.  

08:17

Being focused on AppSec means that many of the Top  10 findings cannot be easily tested for in-house.  

08:23

Being a voluntary service means that participants  releasing information publicly do so theoretically,  

08:28

without the experience of a real world attack. If  you're keen to hear more about OWASP's Top 10 list, 

08:34

keep an eye out for our next video which compares  OWASP's findings with our own list of Top 10 risks.  

08:40

The risk is real. Defend with Cyber Citadel.