OWASP Top 10 2021 - The List and How You Should Use It
Summary
TLDR: The OWASP Top 10 is a widely adopted awareness document that ranks the most critical web application security risks. The 2021 edition moves Broken Access Control to first place and Cryptographic Failures (formerly Sensitive Data Exposure) to second, reflecting a shift in what contributed testing data shows being exploited. The list is compiled from a public data call, an industry survey and community review on GitHub, and is meant to give unbiased, practical guidance for improving application security. It serves as a baseline for compliance, education and tool development, but it is a minimum: secure coding practices and regular vulnerability assessments have to go beyond it.
Takeaways
- 🌐 The OWASP Top 10 is a standard awareness document, used globally, for the most critical web application security risks.
- 📈 First published in 2003, the Top 10 is produced by OWASP, a non-profit that aims to improve software security, particularly of web applications, through unbiased and practical information.
- 🤝 The project is community-driven, with volunteers contributing to open source software projects, local chapters, and conferences.
- 📊 The Top 10 is compiled from a public data call (application-testing results contributed by vendors, consultancies and bug bounty programmes), an industry survey, and community review of the draft in the project's GitHub repository.
- 🚀 As of the 2021 update, 'Broken Access Control' has become the top web application security risk, highlighting the importance of authorization safeguards.
- 🔐 'Cryptographic Failures', formerly 'Sensitive Data Exposure', is now the second most critical risk, emphasizing the need for robust cryptographic practices.
- 💡 'Injection', once the top vulnerability, is now third, showing that efforts to mitigate this risk have been somewhat successful.
- 🛠️ 'Insecure Design' is a new category in the 2021 list, urging developers to integrate security patterns and principles by design.
- 🔄 'Vulnerable and Outdated Components' is a challenge due to the high volume of new vulnerabilities discovered annually.
- 🔒 'Identification and Authentication Failures' (formerly 'Broken Authentication') has dropped in the ranking, suggesting that standardized authentication frameworks and wider MFA adoption are having a positive effect.
- 📈 'Server-side Request Forgery', a new addition, reflects the community's recognition of this risk despite it not being heavily represented in data.
- 📋 The OWASP Top 10 serves as a baseline for compliance, education, and tool development, and is a minimum reference for secure coding and security testing.
Q & A
What is the OWASP Top 10 and its purpose?
-The OWASP Top 10 is a standard awareness document published by the Open Web Application Security Project (OWASP) that represents a broad consensus about the most critical web application security risks. Its purpose is to raise awareness and give developers and security teams unbiased, practical and cost-effective information about application security.
How was the OWASP Top 10 list compiled for the 2021 release?
-For 2021 OWASP ran a public data call asking organizations that test applications (security vendors, consultancies, bug bounty programmes) to contribute their findings; eight of the ten categories were selected from that data. A separate industry survey of practitioners supplied the remaining two categories, covering risks that testing data under-represents. The contributed data was analysed in the project's GitHub repository, a draft list was published there, and it was revised with community input until consensus was reached.
What is the significance of the change in the ranking of 'Broken Access Control' in the 2021 OWASP Top 10 list?
-Moving 'Broken Access Control' to the top spot reflects how often it was found in the contributed data. Access control failures let an authenticated attacker bypass authorization checks and act as another user or as a privileged user: viewing, modifying or destroying data they do not own, or performing business functions outside their intended permissions.
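The most common form of this flaw is an insecure direct object reference: the request is authenticated, but the handler never checks that the record belongs to the caller. The following is an added example written for this page, not code from the video or from OWASP; the users, invoices and roles are constructed for the illustration.

```python
from dataclasses import dataclass


# Constructed sample data for the example (not from the page).
@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


INVOICES = {
    1001: Invoice(1001, owner_id=1, amount_cents=25000),
    1002: Invoice(1002, owner_id=2, amount_cents=98000),
}


class AccessDenied(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    # Authentication happened upstream, but nothing ties the record to the
    # caller: any logged-in user can read any invoice by changing the id in
    # the request (an insecure direct object reference).
    return INVOICES[invoice_id]


def get_invoice_secure(caller: User, invoice_id: int) -> Invoice:
    # Deny by default, and return the same error for "missing" and
    # "forbidden" so the caller cannot enumerate which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    # Ownership (or an explicit admin role) is checked server-side on every
    # request, against the stored record rather than anything the client sent.
    if caller.role != "admin" and invoice.owner_id != caller.user_id:
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    return invoice


def can_read(handler, caller: User, invoice_id: int) -> bool:
    """True if the handler returns the record, False if it denies access."""
    try:
        handler(caller, invoice_id)
        return True
    except (AccessDenied, KeyError):
        return False


if __name__ == "__main__":
    alice = User(user_id=1, role="user")
    # Alice tampers with the id in the URL to read Bob's invoice.
    print("vulnerable handler:", can_read(get_invoice_vulnerable, alice, 1002))
    print("secure handler:    ", can_read(get_invoice_secure, alice, 1002))
```

The check lives next to the data access, not in the UI: hiding a link or trusting an `is_admin` field in the request body is exactly the pattern that puts this category at number one.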
What does 'Cryptographic Failures' in the OWASP Top 10 list refer to?
-'Cryptographic Failures' (renamed from 'Sensitive Data Exposure', which described a symptom rather than a cause) covers missing or weak cryptography that exposes sensitive data in transit or at rest: cleartext transport, deprecated algorithms such as MD5 or SHA-1 for password storage, hard-coded or poorly managed keys, and weak randomness. Besides the protected data itself, what an attacker recovers this way (credentials, session tokens, keys) can be reused to keep access after the initial compromise.
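Password storage is the textbook case of this category, because a leaked table of unsalted fast hashes is a credential dump in all but name. The following added example (written for this page, not from the video or OWASP) contrasts unsalted MD5 with salted PBKDF2-HMAC-SHA256 from the standard library; the iteration count follows current OWASP password-storage guidance, and the passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count per current OWASP password-storage guidance for
# PBKDF2-HMAC-SHA256; the credentials used below are constructed.
PBKDF2_ROUNDS = 600_000


def hash_password_vulnerable(password: str) -> str:
    # Unsalted, fast, general-purpose hash: equal passwords give equal digests,
    # so one precomputed table or one cracked hash breaks every account that
    # shares the password, and MD5 is deprecated for this use in any case.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_secure(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt and a deliberately slow key-derivation function;
    # the parameters are stored with the hash so they can be raised later.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password_secure(password: str, stored: str) -> bool:
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who happen to share a password.
    print("md5   :", hash_password_vulnerable("correct horse"), hash_password_vulnerable("correct horse"))
    print("pbkdf2:", hash_password_secure("correct horse"))
    print("pbkdf2:", hash_password_secure("correct horse"))
```

The two MD5 digests are identical, the two PBKDF2 strings are not, and only the latter can be verified without the verifier learning anything from timing. Argon2id or scrypt are preferable where a library is available; PBKDF2 is shown because it needs nothing outside the standard library.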
How has the category 'Injection' evolved in the OWASP Top 10 list?
-'Injection' has slid to number three and now also absorbs 'Cross-site Scripting', which was a separate category in 2017. In every injection flaw untrusted input is interpreted as part of a command or query (SQL, OS commands, LDAP, or HTML and JavaScript in a browser) rather than as data, changing what the program executes. Depending on the interpreter this lets an attacker read or alter the database, run commands on the server, or, in the XSS case, steal session cookies and make requests as the victim.
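Because SQL injection and XSS are now one category, it helps to see that they share a single root cause: data handed to an interpreter as code. The following added example (written for this page; not the video's or OWASP's code) runs a string-built query and a parameterised query against a constructed in-memory SQLite table, then shows the same mistake and its fix for HTML output.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is concatenated into the statement, so quote characters
    # in the input are parsed as SQL rather than treated as a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_secure(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the statement
    # text, so it can never change the structure of the query.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(username: str) -> str:
    # Same root cause, different interpreter: data dropped into HTML becomes
    # markup, which is what makes stored and reflected XSS possible.
    return f"<p>Hello, {username}</p>"


def render_greeting_secure(username: str) -> str:
    # Encode for the context the data is inserted into (here: HTML text).
    return f"<p>Hello, {html.escape(username)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every row
    print("secure:    ", find_user_secure(conn, payload))       # no such user
    print(render_greeting_vulnerable("<script>alert(document.cookie)</script>"))
    print(render_greeting_secure("<script>alert(document.cookie)</script>"))
```

The secure query does not filter or "sanitise" the payload; it simply never lets the payload reach the SQL parser, which is why parameterisation beats blocklists. Output encoding plays the same role for the browser.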
What is the new category 'Insecure Design' in the OWASP Top 10 list, and why was it included?
-'Insecure Design' is a new category for the 2021 OWASP Top 10 list. It calls for developers to include more security patterns and principles by design, especially considering the risks associated with including new applications into network infrastructures, such as the supply chain attack on SolarWinds.
What does 'Security Misconfiguration' mean in the context of the OWASP Top 10 list?
-'Security Misconfiguration' refers to failing to apply all of the security controls a server or web application needs, or applying them incorrectly: default credentials left in place, unnecessary features or services enabled, verbose error messages, missing hardening, or security settings that are misunderstood. It is largely a human problem, caused by misreading how a system is deployed, not following a hardening baseline, or insufficient training.
How does 'Vulnerable and Outdated Components' pose a risk in the OWASP Top 10 list?
-'Vulnerable and Outdated Components' include operating systems, servers, database management systems, APIs, and libraries that are vulnerable, unsupported, or out of date. An adversary only needs to find one such component to compromise a system, making it a significant risk given the high number of new vulnerabilities discovered each year.
What is the significance of the change in the category 'Identification and Authentication Failures' in the OWASP Top 10 list?
-Renaming 'Broken Authentication' to 'Identification and Authentication Failures' and moving it down the list indicates that standardized authentication frameworks and the wider availability of multi-factor authentication (MFA) are reducing how often compromised user identities show up in testing data.
What does 'Software and Data Integrity Failures' focus on in the OWASP Top 10 list?
-'Software and Data Integrity Failures' covers code and infrastructure that do not protect against integrity violations, and now absorbs the 2017 category 'Insecure Deserialization'. Typical cases are software updates that are not signed or verified, plugins and libraries pulled from untrusted sources, critical data that can be altered without detection, and CI/CD pipelines an attacker can tamper with; each of these lets an attacker get their own code or data into the application.
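The two halves of this category (unverified code and unverified data) have the same fix: establish what you expect before you trust what arrived. The following added example (written for this page, not code from the video or OWASP) pins a plugin bundle to a digest from a trusted manifest and rejects a tampered copy, then shows a settings parser that keeps client input as data instead of deserialising it into objects. The bundle, manifest and settings are constructed; a real manifest would be signed and fetched over a channel the release pipeline controls.

```python
import hashlib
import hmac
import json

# Constructed plugin bundle and trusted manifest for this example. In a real
# deployment the manifest (or a signature over it) comes from a channel the
# release pipeline controls, never from the same place as the bundle itself.
GOOD_BUNDLE = b"def run():\n    return 'report ok'\n"
TRUSTED_MANIFEST = {
    "reporting-plugin": {
        "version": "1.4.2",
        "sha256": hashlib.sha256(GOOD_BUNDLE).hexdigest(),
    }
}


class IntegrityError(Exception):
    pass


def load_plugin_vulnerable(name: str, bundle: bytes) -> str:
    # The bundle is trusted because of where it was fetched from (a mirror, a
    # CDN, a build artefact) and loaded as-is; whoever can alter it in transit
    # or at rest runs their code inside the application.
    return bundle.decode()


def load_plugin_secure(name: str, bundle: bytes) -> str:
    entry = TRUSTED_MANIFEST.get(name)
    if entry is None:
        raise IntegrityError(f"{name}: not in trusted manifest")
    actual = hashlib.sha256(bundle).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        raise IntegrityError(f"{name}: digest mismatch, refusing to load")
    return bundle.decode()


def plugin_accepted(loader, name: str, bundle: bytes) -> bool:
    try:
        loader(name, bundle)
        return True
    except IntegrityError:
        return False


def parse_settings_secure(raw: bytes) -> dict:
    # Insecure deserialization (for example pickle.loads on bytes the client
    # sent) lets the input choose which code runs. A data-only format plus an
    # explicit schema check keeps the input as data.
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != {"theme", "max_items"}:
        raise IntegrityError("settings: unexpected shape")
    if obj["theme"] not in ("light", "dark"):
        raise IntegrityError("settings: unknown theme")
    n = obj["max_items"]
    if isinstance(n, bool) or not isinstance(n, int) or not 1 <= n <= 100:
        raise IntegrityError("settings: max_items out of range")
    return obj


def settings_accepted(raw: bytes) -> bool:
    try:
        parse_settings_secure(raw)
        return True
    except (IntegrityError, ValueError):
        return False


if __name__ == "__main__":
    tampered = GOOD_BUNDLE.replace(b"report ok", b"report ok'; import os")
    print("vulnerable loader accepts tampered bundle:",
          plugin_accepted(load_plugin_vulnerable, "reporting-plugin", tampered))
    print("secure loader accepts tampered bundle:   ",
          plugin_accepted(load_plugin_secure, "reporting-plugin", tampered))
    print("settings ok:", settings_accepted(b'{"theme": "dark", "max_items": 20}'))
```

A pinned digest only moves the trust problem to the manifest, which is why in practice the manifest is signed and the public key is baked into the application; the point the example makes is that the verification happens before anything is loaded, not after.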
How does 'Security Logging and Monitoring Failures' impact an organization according to the OWASP Top 10 list?
-'Security Logging and Monitoring Failures' seriously reduce an organization's visibility and its ability to investigate incidents. The category is hard to test for and is under-represented in CVE/CVSS data, which is why it came from the community survey rather than the data call; it is nonetheless crucial, since without adequate logging, alerting and monitoring, breaches go undetected and cannot be reconstructed afterwards.
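Logging is only useful if something reads it. The following added example (written for this page, not from the video or OWASP) runs a small detection over constructed authentication log lines and flags a source that fails against many different accounts inside a short window, the password-spraying pattern that a per-account lockout would never catch. The log format, field names, threshold and window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format; not real logs.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z app auth failure user=alice src=203.0.113.7
2024-03-01T10:00:03Z app auth failure user=bob src=203.0.113.7
2024-03-01T10:00:05Z app auth failure user=carol src=203.0.113.7
2024-03-01T10:00:06Z app auth success user=dave src=198.51.100.20
2024-03-01T10:00:08Z app auth failure user=dave src=203.0.113.7
2024-03-01T10:00:09Z app auth failure user=erin src=203.0.113.7
2024-03-01T10:00:10Z app auth failure user=frank src=203.0.113.7
2024-03-01T10:09:00Z app auth failure user=gina src=198.51.100.20
2024-03-01T10:30:00Z app auth failure user=alice src=192.0.2.44
2024-03-01T10:31:00Z app auth failure user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app auth (?P<outcome>failure|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, src) or None for a line we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def detect_password_spray(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Map each source IP that failed against at least `threshold` distinct
    accounts within `window` to the largest number of accounts it hit."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        if outcome == "failure":
            failures[src].append((ts, user))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over this source's time-ordered failures.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct_users = {u for _, u in events[start:end + 1]}
            if len(distinct_users) >= threshold:
                alerts[src] = max(len(distinct_users), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
```

The detection depends on three things the application must log for every authentication attempt: the outcome, the account, and the source address. Without any one of them the pattern is invisible, which is the concrete cost this category describes.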
What is 'Server-side Request Forgery' and its significance in the OWASP Top 10 list?
-'Server-side Request Forgery' (SSRF) occurs when an application fetches a remote resource from a user-supplied URL without validating it, so an attacker can make the server send requests to destinations it chooses, including internal services and cloud metadata endpoints that are not reachable from outside. It was added on the strength of the community survey: it is not yet prominent in the contributed data, but practitioners rated it a significant risk.
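The defence is an allow list of destinations plus a check on where the name actually resolves, since an allowed hostname can still point at an internal address. The following added example (written for this page, not from the video or OWASP) validates a caller-supplied URL offline against a constructed name-resolution table; the hostnames, addresses and allow list are assumptions made for the illustration.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed name-resolution table so the example runs offline. In a real
# service the resolver is the system DNS, and the connection must be made to
# the address that was checked (resolve once, connect to that IP) so a DNS
# answer cannot change between the check and the request.
FAKE_DNS = {
    "api.partner.example": ["11.22.33.44"],  # a routable address, chosen for the example
    "internal-wiki.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.partner.example"}


class SsrfBlocked(Exception):
    pass


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def target_vulnerable(url: str) -> str:
    # The server will connect wherever the caller's URL points: cloud metadata
    # endpoints, admin interfaces on localhost, hosts only reachable internally.
    return url


def target_secure(url: str,
                  resolve: Callable[[str], Iterable[str]] = fake_resolve) -> str:
    """Return the normalised target to fetch, or raise SsrfBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    # .hostname drops userinfo and port, so "allowed@evil" tricks do not help.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise SsrfBlocked(f"host {host!r} not on the allow list")
    addrs = list(resolve(host))
    if not addrs:
        raise SsrfBlocked(f"host {host!r} did not resolve")
    # Defence in depth: an allowed name must still resolve to a public address.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            raise SsrfBlocked(f"{host} resolves to non-public address {addr}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{host}:{port}{parts.path or '/'}"


def is_allowed(url: str,
               resolve: Callable[[str], Iterable[str]] = fake_resolve) -> bool:
    try:
        target_secure(url, resolve)
        return True
    except (SsrfBlocked, ValueError):
        return False


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1/report",
              "http://169.254.169.254/latest/meta-data/",
              "http://localhost:8080/admin",
              "http://api.partner.example@metadata.internal/"]:
        print(f"{u:50} vulnerable={target_vulnerable(u) == u} secure={is_allowed(u)}")
```

Redirects need the same treatment: if the HTTP client follows a 302 from the allowed host to an internal address the check is bypassed, so either disable redirects or re-run the check on each hop.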