What is the Open Web Application Security Project (OWASP)

The Open Web Application Security Project ® (OWASP) is a nonprofit foundation that works to improve software security. Their community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members globally, and leading educational and training conferences, have made the Open Web Application Security Project Foundation the de facto source for developers and technologists to secure the web. 

The OWASP website contains a wealth of contributed information and resources. This includes online chats, projects, tools, videos, forums, and events. Believing that accessibility makes security better, the Open Web Application Security Project provides users all their information free of charge.

What is the OWASP Top 10 List?

Part of OWASP’s mission is to identify the most critical security risks to web applications. Based on global industry input, OWASP releases a Top 10 list of the most critical vulnerabilities every few years. By consolidating data and the experience and knowledge of security experts from all around the world, the Open Web Application Security Project provides users with reliable information. Software developers, security teams and business owners are advised on risks to be aware of, and how to remediate them.

The OWASP Top 10 List ranks web application risk categories based on data, including the number of weaknesses and vulnerabilities mapped, the frequency at which they occur, and magnitude of the impact. The ranking also takes into consideration the experience and opinions of application security and development professions by allocating two spots on the list based on the results of a community survey. This ensures that the Top 10 list encapsulates the latest threats based on input from front-line experts and not historic data alone.

Why is the OWASP Top 10 list important?

Businesses are developing and updating web applications at astounding speeds to satisfy the evolving needs of end-users. This usually comes at the cost of security. Today, web application vulnerabilities provide attackers with many of the entry points from which to breach a network and launch attacks. Web application security is therefore paramount to preventing unwanted business impacts or losses. The list provides users with actionable information serving as a checklist and an internal web application development standard for the biggest and most successful organizations around the globe. 

In addition to its utility for businesses and large organizations, auditors refer to the OWASP Top 10. They assess whether an organization’s operations have implemented the recommendations in the list, as adherence to the OWASP Top 10 List indicates an organization’s commitment to cybersecurity. Integrating the OWASP Top 10 into an organization’s software development life cycle (SDLC) also reveals how much time and effort is invested into properly protecting its employees, clients, and data.

The OWASP Top 10 list is so important, that the credit card industry built their mandatory Payment Card Information - Data Security Standard (PCI-DSS) around it.

What’s on the latest OWASP Top 10 List? 

Since the publication of the first edition in 2003, the OWASP Top 10 has been revised six times – in 2004, 2007, 2010, 2013, 2017, and most recently in 2021. 

Here is the 2021 version of the OWASP Top 10 List: 

1. A01:2021-Broken Access Control
2. A02:2021-Cryptographic Failures 
3. A03:2021-Injection 
4. A04:2021-Insecure Design 
5. A05:2021-Security Misconfiguration 
6. A06:2021-Vulnerable and Outdated Components 
7. A07:2021-Identification and Authentication Failures 
8. A08:2021-Software and Data Integrity Failures 
9. A09:2021-Security Logging and Monitoring Failures 
10. A10:2021-Server-Side Request Forgery 

To help you better understand what each risk entails, here are brief explanations and examples of the 2021 OWASP Top 10 List. 

1.A01:2021-Broken Access Control

Broken Access Control are vulnerabilities in the access controls of web applications. These vulnerabilities allow hackers to gain unauthorized access to applications and conduct malicious activities, such as data disclosure, modification, and destruction. High-performance web application firewalls (WAF) and zero-trust network access (ZTNA) solutions can help mitigate access control failures.

Previous position: Previously number five on the 2017 edition, broken access control has moved right up to the top of the list. 

2.A02:2021-Cryptographic Failures 

Cryptographic Failures are vulnerabilities in the techniques used to secure data in transit and at rest. For example, data may be automatically decrypted when retrieved by an application from a database. Cryptographic failures can result in the leakage of highly sensitive information, such as passwords, credit card details, and health records.

Previous position: Cryptographic Failures was previously number three on the 2017 OWASP Top 10 list as Sensitive Data Exposure. 

3.A03:2021-Injection

Code injections occur when hackers send invalid data to a web application. The purpose of this is to attempt to make the application do something that it wasn’t designed to do.

Previous position: Injection has moved down the list from number one to number three since 2017. 

4.A04:2021-Insecure Design 

A new addition to the 2021 OWASP Top 10, Insecure Design refers to missing or ineffective control design of web applications. Insecure Design is commonly caused by the failure to determine the security requirements of an application due to inadequate risk profiling before development. A comprehensive security assessment can help you identify weaknesses in the security design of applications.

Previous position: Insecure Design is a brand-new category in the 2021 OWASP Top 10 List.

5.A05:2021-Security Misconfiguration 

Security Misconfiguration are configuration errors and weaknesses in a web application’s infrastructure. For example, an application server that has directory listing enabled or returns detailed error messages may reveal vulnerabilities to an attacker. Attackers can leverage these new-found vulnerabilities to launch attacks. 

Previous position: Security Misconfiguration has moved up one spot from number six on the list. 

6.A06:2021-Vulnerable and Outdated Components 

Vulnerable and Outdated Components have become more of an issue in recent years and includes both known and potential security risks. It requires components with known vulnerabilities to be fixed while malicious or stale components should be evaluated for any new security breaches that they may introduce. 

Previous position: Previously at number nine on the 2017 list, this category has moved up three places.

7.A07:2021-Identification and Authentication Failures 

Identification and Authentication Failures refer to situations in which authentication and session management are missing or implemented incorrectly. Failures include the lack of credential stuffing protection and multi-factor authentication and the use of weak passwords and credential recovery processes. Attackers can leverage these weaknesses to gain unauthorized access to stage an attack. 

Previous position: This category used to sit at number two as Broken Authentication and has dropped significantly since 2017, reflecting an improvement in identity and authentication management solutions. 

8.A08:2021-Software and Data Integrity Failures 

Software and Data Integrity Failures refer to the weak integrity verification of software updates, critical updates, and CI/CD pipelines of web applications. Attackers can exploit these to gain unauthorized access, write malicious code, and compromise systems. For example, attackers can distribute their malware by injecting software updates with malicious code.

Previous position: This is a brand-new entry on the 2021 list. 

9.A09:2021-Security Logging and Monitoring Failures 

Security Logging and Monitoring Failures refer to the insufficient or lack of logging and monitoring of web application activity, such as logins, failed logins, and high value transactions, and application APIs. This results in the inability or untimely detection of security breaches.  

Previous position: Security Logging and Monitoring Failures used to be at number 10 on the 2017 OWASP Top 10 List.

10.A10:2021-Server-Side Request Forgery (SSRF)

Server-Side Request Forgery occurs when a web application attempts to retrieve a remote resource without having validated the user-supplied URL. As a result, hackers can send out crafted requests from the application to various destinations. Unfortunately, in cases of SSRF, a firewall or VPN may not provide enough protection. 

Previous position: This is a brand-new category. SSRF attacks are on the rise because modern web applications offer many features that make URL requests. 

Final thoughts on Open Web Application Security Project

The Open Web Application Security Project provides software developers, end-user organizations and security teams with important and valuable resources to protect their data and systems from malicious activity. With the regular updates of the OWASP Top 10 List, organizations should ensure that they are always in tune with these changes to adhere to the industry’s best practices.

If you have any questions about the Open Web Application Security Project or about cyber security in general, do not hesitate to get in touch with a specialist from Sangfor. We help businesses take care of all cyber security matters with cutting-edge solutions such as firewalls, network detection & response, endpoint security, and more so that you can focus on what you do best.