Software security is a challenge of enormous proportions because every critical function of our lives is now dependent on software. Insecure software not only causes inconvenience but, more importantly, can critically affect an organization.
One of the foremost champions of web software security is The Open Web Application Security Project (OWASP), which is also known for the OWASP Top 10 list of vulnerabilities that it publishes every year. OWASP is a not-for-profit foundation whose core aim is improving software security.
OWASP is run on an open community model, which means that it is free not only in terms of who can contribute to its projects but also in that its tools, events and learning materials are free. Its most popular and well-known product is the OWASP Top 10 list, which was last updated in 2021.
What is the OWASP Top 10 List?
As mentioned above, the OWASP Top 10 list is a reference document created by OWASP that lists the most critical vulnerabilities affecting web applications.
Because of the open nature of OWASP itself, the OWASP Top 10 list is the result of a consensus among leading information security experts. The ranking of the risks is based on the likelihood and frequency with which a risk is exploited, how severe the underlying vulnerabilities are, and the size of the potential impact if they were successfully exploited.
The purpose of compiling this list of the top 10 web security vulnerabilities is to give web developers and information security professionals guidance on which risks to take into account, so that they adopt suitable security practices to minimize those risks while developing web applications.
How does the OWASP Top 10 list work?
The OWASP Top 10 list is important because it provides a single reference for the most important security vulnerabilities that organizations need to address, and it makes addressing them easier because OWASP also provides actionable guidance for each category. The list has become the de facto reference standard for secure web application development, and many top-tier organizations follow it.
Information systems auditors should also be aware of these vulnerabilities and be alert to any indication that the organization is not addressing the security holes listed in the OWASP Top 10. A failure to address them also signals to the auditor that the organization may be failing compliance standards it is subject to.
The list was first released in 2003 and is updated every few years; the latest update was in 2021. Each update reflects the changing landscape of web security challenges as identified and encountered by the majority of information security professionals.
Auditors often view an organization's failure to address the OWASP Top 10 as an indication that it may be falling short with regard to compliance standards. Integrating the Top 10 into the software development life cycle (SDLC) demonstrates an overall commitment to industry best practices for secure development.
What are the latest OWASP Top 10 categories?
Below are the Top 10 Web Application Security Risks. In the 2021 update, three new categories were added and four categories were renamed.
1-Broken Access Control
Access control is a fundamental security control for any software. Broken or misconfigured access control can critically affect the security of any application. This has been ranked the number one security risk, moving up four places from its previous 5th position.
According to OWASP's analysis, 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control occurred in applications more often than those of any other category in the list.
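An added example (not from the original article) of the pattern this category describes: an authenticated user reading a record by id with no server-side authorization check, beside a deny-by-default fix. The users, roles and invoice data are constructed for the demo.

```python
# Added example: Broken Access Control (insecure direct object reference)
# versus a deny-by-default, server-side ownership check. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin" (constructed roles)


# Constructed sample data: invoice id -> owner and amount
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    """Authentication happened upstream, but nothing checks that this user
    may read this invoice: any logged-in user can fetch any id they guess."""
    return INVOICES[invoice_id]


def can_read_invoice(user: User, invoice: dict) -> bool:
    """Authorization policy kept in one place: owners and admins only."""
    return user.role == "admin" or invoice["owner"] == user.name


def get_invoice(user: User, invoice_id: int) -> dict:
    """Fixed version: deny by default and enforce ownership on the server.
    Missing and forbidden records produce the same error so that ids cannot
    be enumerated by telling the two cases apart."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(user, invoice):
        raise PermissionError("invoice not found or access denied")
    return invoice


if __name__ == "__main__":
    bob = User("bob", "customer")
    print("vulnerable:", get_invoice_vulnerable(bob, 1001))  # leaks alice's invoice
    try:
        get_invoice(bob, 1001)
    except PermissionError as err:
        print("fixed:", err)
```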
2-Cryptographic Failures
This category has moved up one position from its previous third place, and it has also been renamed: previously it was called Sensitive Data Exposure. OWASP noted that data exposure is a symptom of a cryptographic failure rather than the root cause in itself, hence the name change to reflect the category more accurately.
Cryptographic controls are instituted for protecting sensitive data. And compromised cryptography would essentially mean that critical data might be exposed and may eventually lead to system wide compromise.
3-Injection
Injection of unauthorized code into a web application to bypass security controls has existed as a vulnerability class for decades. Cross-site scripting, which previously existed as a separate category of the OWASP Top 10, has now been merged into Injection.
According to OWASP, 94% of the applications were tested for some form of injection. Moreover, the 33 CWEs mapped to this category are frequently found in applications, the second-highest occurrence of any category.
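An added example (not from the original article) showing the two injection flavours this category now covers: a SQL query built by string concatenation beside its parameterized form, and output encoding for the HTML context. The in-memory SQLite table and its rows are constructed for the demo.

```python
# Added example: SQL injection (string-built query) versus a parameterized
# query, plus HTML output encoding for the XSS case merged into this category.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the SQL text, so it can change the
    structure of the query instead of merely supplying a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_user(con: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the value separately from the
    statement, so the input can never become part of the SQL grammar."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_html(name: str) -> str:
    """Same principle for cross-site scripting: treat input as data by
    encoding it for the context it is rendered in (here, HTML text)."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"  # input that alters the query when concatenated
    print("vulnerable:", find_user_vulnerable(con, probe))  # every row
    print("parameterized:", find_user(con, probe))  # no such user
    print(greeting_html("<b>alice</b>"))
```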
4-Insecure Design
The 2021 update introduced this new category. Its focus is design flaws made during software development. OWASP advocates that, to secure software applications, security must remain pivotal at the design stage, by following secure design principles, threat modeling and reference architectures that embed best practices for secure software design.
5-Security Misconfiguration
Since web applications and their underlying technologies are built for diverse use cases, developers allow security parameters to be configured differently for different environments. However, any production-ready web application needs a strong security configuration. According to OWASP, "90% of applications were tested for some form of misconfiguration."
As the paradigm shifts towards highly configurable applications, security misconfiguration has evolved into a serious risk for software. XML External Entities (XXE), previously a separate category, has now been merged into Security Misconfiguration.
6-Vulnerable and Outdated Components
This category was previously called Using Components with Known Vulnerabilities and has jumped from 9th to 6th position in the 2021 OWASP Top 10. In the Top 10 Community Survey conducted by OWASP it was ranked number 2.
Unpatched and unsupported software is classified as a big risk by information security experts and agencies alike. Besides its #2 rank in the community survey, the category also had enough data to make the Top 10 through data analysis alone.
7-Identification and Authentication Failures
This category was named Broken Authentication in the previous version and has come down to 7th position from 2nd. Although it is still part of the OWASP Top 10, its importance has been sliding because of the increased availability of standardized frameworks that handle identification and authentication in a uniform way and take care of the related security controls.
8-Software and Data Integrity Failures
This is a new category introduced in 2021. It alerts us to the importance of verifying the integrity of the pipelines that deliver updates, and of the updates themselves, before applying patches and updates.
The motivation is that the update and patch systems of some of the biggest names in the software industry were compromised, which led to tainted patches being pushed to production systems and to their resulting compromise. Insecure Deserialization from the 2017 list has also been merged into this new category.
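An added example (not from the original article) of the integrity check this category calls for: an update artifact is accepted only if its manifest is authentic and the downloaded bytes match the digest the manifest commits to. The update bytes, manifest layout and key are constructed; the HMAC stands in for the publisher signature a real pipeline would verify.

```python
# Added example: gate an update install on an integrity check of both the
# manifest and the artifact. Key, artifact and manifest format are constructed.
import hashlib
import hmac
import json

PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"  # shared for the demo
UPDATE = b"print('patch v1.2.3 applied')\n"  # constructed update artifact


def sign_manifest(update: bytes, version: str, key: bytes = PUBLISHER_KEY) -> dict:
    """Publisher side: record the artifact digest and authenticate the manifest
    so that neither the digest nor the version can be swapped in transit."""
    body = {"version": version, "sha256": hashlib.sha256(update).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def verify_update(update: bytes, manifest: dict, key: bytes = PUBLISHER_KEY) -> bool:
    """Consumer side: refuse the update unless the manifest is authentic AND the
    downloaded bytes match the digest it commits to. The manifest is plain JSON
    (never unpickled) and comparisons are constant-time."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, str(manifest.get("mac", ""))):
        return False  # forged or tampered manifest
    digest = hashlib.sha256(update).hexdigest()
    return hmac.compare_digest(digest, str(body.get("sha256", "")))


def apply_update(update: bytes, manifest: dict) -> str:
    """The integrity check gates the install step; nothing runs on failure."""
    if not verify_update(update, manifest):
        return "rejected"
    return f"installed {manifest['version']}"


if __name__ == "__main__":
    manifest = sign_manifest(UPDATE, "1.2.3")
    print(apply_update(UPDATE, manifest))  # genuine artifact
    print(apply_update(UPDATE + b"# tainted\n", manifest))  # modified artifact
```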
9-Security Logging and Monitoring Failures
This category was previously named Insufficient Logging & Monitoring. It was added on the basis of the industry survey (#3) and moves up from #10. Not enabling logs, or not reviewing them, degrades monitoring capacity; disabling security logging leads to absent or delayed incident alerts, impaired forensic evidence after an incident, and reduced visibility.
10-Server-Side Request Forgery
This is a newly evolving category included on the basis of the Top 10 community survey. OWASP states that it was introduced because the security community voiced serious concern about it, even though its incidence rate is still low and its testing coverage is above average. However, its exploit and impact potential are serious and above average.
How to patch top 10 security vulnerabilities
Software vulnerabilities, when exploited, can be extremely costly and disruptive. Huge data sets and industry secrets are stolen as a result of web application breaches, and the bigger a company is, the more it is scrutinized by attackers.
Not every breach can be linked to the OWASP Top 10, but the list definitely identifies the biggest and most gaping holes that are prime targets for attackers. Security can never be completely impenetrable, but it is only logical to close the visible holes and add locks where possible.
For example, if you leave your car windows open with the keys on the seat, even the best alarm system may fail, because you have provided an easy initial entry that bypasses the alarm itself.
Similarly, if you do not block basic issues like session hijacking, cross-site scripting or SQL injection, there is little point worrying about zero-day exploits. The first priority should be plugging the known holes.
A good starting point is to introduce a security culture in the organization: train everyone, including non-technical staff, in awareness of social engineering and basic information security hygiene.
Developers need to be trained in secure software development principles, and the product should be subjected to security testing, pre- and post-deployment penetration testing and fuzz testing. System administrators and network administrators should likewise be doing their part for backend security hardening.
At the very minimum, developers should be trained on and made aware of the OWASP Top 10 list, so that they have a reference guide for securing software while it is being built.