The need for application security has never been greater. In a world where technology is ubiquitous and applications are key to day-to-day operations, organizations must protect their data against the threats of the ever-changing cybersecurity landscape. That’s why staying up-to-date on the latest tools and techniques is important to help organizations secure their applications. The Open Web Application Security Project (OWASP) Top 10 is a great resource to help organizations stay current and follow best application security (appsec) practices.
The OWASP Top 10 comprehensively lists the most critical web application security risks and their corresponding mitigation strategies. First launched in 2003, the OWASP Top 10 list is updated every three to four years as a way for organizations to benchmark their security vulnerabilities and better protect themselves from cyber threats. This article will highlight the changes in 2024’s OWASP Top 10 and compare them with the last update from 2021.
The list may change again during the OWASP conference in September of 2024.
What Is the OWASP Top 10 for 2024?
Here are the top 10 security risks for 2023:
- Broken Object Level Authorization
- Broken Authentication
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Broken Function Level Authorization
- Server-Side Request Forgery
- Security Misconfiguration
- Lack of Protection From Automated Threats
- Improper Assets Management
- Unsafe Consumption of APIs
How Often Is the OWASP Top 10 Updated?
The OWASP Top 10 is typically updated every three to four years. The schedule can vary depending on the emergence of new threats, changes in the security landscape, and the need for updated guidance. The most recent update was in 2021, with previous updates occurring in 2017, 2013, and 2010. The OWASP community actively monitors trends and vulnerabilities to ensure the list remains relevant and useful for developers and security professionals.
Currently, there is a conference scheduled in September 2024 to announce the latest changes.
Key Changes in the OWASP Top 10 in 2023
New Entries
The OWASP Top 10 for 2023 release candidate listed five new risks:
- Lack of Protection from Automated Threats: As automation technologies like bots and scripts become harder to detect and defend against, the risk of malicious attacks, such as distributed denial-of-service (DDoS) attacks, brute-force attacks, and credential stuffing attacks, increases. Without effective protection, automated attacks can cause serious security issues, including data breaches, system downtime, and financial losses.
- Unsafe Consumption of APIs: While APIs can provide immense benefits, such as faster development time and increased agility, they also introduce new security risks if not properly managed or authenticated. Unsafe consumption of APIs can lead to data leakage, malicious code execution, and privilege escalation attacks.
- Broken Object Property Level Authorization: This new vulnerability focuses on the security of a system’s access control configuration and its ability to limit privileges at the level of individual object properties, not just the object as a whole.
- Broken Function Level Authorization: This occurs when an application’s authorization system fails to properly restrict access to certain functions, privileges, or features.
- Unrestricted Resource Consumption: This vulnerability occurs when an application fails to restrict the consumption of resources, such as memory, CPU cycles, or network bandwidth. It can lead to denial-of-service (DoS) attacks and other malicious activities.
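Two of the new entries, Unrestricted Resource Consumption and Lack of Protection from Automated Threats, come down to the same defensive habit: every client-controlled quantity gets a server-side ceiling. The example below is added here to illustrate that and is not code from OWASP, Kiuwan, or the original article. It assumes a hypothetical list endpoint with a `page_size` query parameter, a per-client sliding-window rate limit of five requests per minute, and a cap of 100 items per page; the traffic in `simulate()` is constructed for the demonstration.

```python
"""Server-side limits on client-controlled quantities: a per-client
request rate limit and a hard cap on page size. Illustrative example,
not OWASP or Kiuwan code; limits and traffic are assumed values."""
from collections import deque

MAX_PAGE_SIZE = 100      # assumed cap on items a single request may ask for
DEFAULT_PAGE_SIZE = 20   # assumed fallback when the parameter is missing/invalid
RATE_LIMIT = 5           # assumed requests allowed per client per window
WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds.
    The clock is passed in by the caller so behaviour is deterministic."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = {}  # client id -> deque of timestamps of accepted requests

    def allow(self, client_id, now):
        q = self._hits.setdefault(client_id, deque())
        # discard timestamps that have slid out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: caller should answer 429
        q.append(now)
        return True


def clamp_page_size(requested):
    """The unrestricted version of this is `return int(requested)`.
    Here nonsense values fall back to a default and large values are
    capped, so one call cannot make the database return millions of rows."""
    try:
        size = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    if size < 1:
        return DEFAULT_PAGE_SIZE
    return min(size, MAX_PAGE_SIZE)


def handle_list_request(limiter, client_id, now, page_size_param):
    """Hypothetical list endpoint; returns (http_status, effective page size)."""
    if not limiter.allow(client_id, now):
        return 429, None
    return 200, clamp_page_size(page_size_param)


def simulate():
    """Constructed traffic: client-A fires seven requests inside one minute,
    each asking for a million items; client-B sends one modest request;
    client-A returns after part of its window has expired."""
    limiter = SlidingWindowLimiter()
    results = []
    for t in range(7):
        results.append(handle_list_request(limiter, "client-A", float(t), "1000000"))
    results.append(handle_list_request(limiter, "client-B", 6.0, "25"))
    results.append(handle_list_request(limiter, "client-A", 61.0, "abc"))
    return results


if __name__ == "__main__":
    for status, size in simulate():
        print(status, size)
```

The limiter only records accepted requests, so rejected bursts do not extend a client's lockout; whether that is the right trade-off depends on how aggressive the automated traffic is.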
Changed Entries
While the names of three existing vulnerabilities on the OWASP Top 10 2021 list have been modified for the 2023 release candidate, their security implications remain largely unchanged.
- Broken Access Control, now “Broken Object Level Authorization”: Access controls remain one of the most fundamental security controls in software applications. Broken object level authorization occurs when an application fails to enforce authorization, allowing an attacker to access resources that should be off-limits to them. This can lead to data breaches, credential theft, and other malicious activities.
- Identification and Authentication Failures, now “Broken Authentication”: Broken authentication is a vulnerability that occurs when an application fails to authenticate or authorize users properly. This can allow attackers to use weak credentials, brute-force attacks, or other authentication bypass techniques to access resources they should not be able to access.
- Vulnerable and Outdated Components, now “Improper Assets Management”: Improper assets management occurs when an application fails to properly manage the assets used in its development, deployment, and operation. This can lead to vulnerabilities such as missing patches, outdated components, and unsecured dependencies.
Removed Entries
- Logging and Monitoring: This vulnerability occurs when applications lack proper logging and monitoring. Effective logging and proactive monitoring can help organizations detect system anomalies in real time, allowing them to identify and respond to threats before significant damage can be done.
- Injection: Injection attacks occur when an attacker can execute malicious code or commands because the application mishandles user-supplied input, passing it to an interpreter as if it were part of the query or program. These attacks can lead to data exfiltration, privilege escalation attacks, and other malicious activities.
- Software and Data Integrity Failures: This vulnerability occurs when an application cannot detect unauthorized modifications of data or code. Without proper integrity checks, malicious actors may be able to bypass security controls and compromise system data.
- Insecure Design: Insecure design occurs when an application does not implement security features or when its architecture allows for weak authentication. Without proper security controls, applications are susceptible to various attacks, such as privilege escalation, cross-site scripting, and data exfiltration.
- Cryptographic Failures: Cryptographic failures occur when an application does not properly encrypt or protect data in transit. Without proper encryption, attackers may be able to gain access to confidential information or modify existing data.
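Of the removed entries, Injection is the one whose root cause and fix are most directly visible in code, so the example below is added to show it; it is not code from OWASP, Kiuwan, or the original article. It uses Python's standard `sqlite3` module with an in-memory database and a constructed two-row `users` table, and contrasts a lookup that concatenates the caller's input into the SQL text with one that passes it as a bound parameter.

```python
"""SQL injection root cause and fix with the standard sqlite3 module.
Illustrative example, not OWASP or Kiuwan code; the table is constructed."""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The input becomes part of the SQL text, so the database parses
    whatever the caller sent as query syntax, not as a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """Parameterized: the query shape is fixed and the value travels
    separately, so the input is compared literally and never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run the same input through both lookups and return the row counts,
    which makes the difference easy to check without reading output."""
    conn = make_db()
    try:
        vulnerable_rows = len(find_user_vulnerable(conn, username))
    except sqlite3.Error:
        vulnerable_rows = -1  # malformed input breaks the concatenated query
    safe_rows = len(find_user(conn, username))
    conn.close()
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    for value in ("alice", "x' OR '1'='1", "o'hara"):
        print(repr(value), "->", compare(value))
```

The third probe value shows a second benefit of binding parameters: a perfectly legitimate name containing an apostrophe simply returns no match instead of producing a syntax error, so the fix removes a whole class of availability bugs along with the injection.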
Start a Demo of Kiuwan
Interested in adding more security for your application? See what Kiuwan can do for you. Set up a quick demo to see our reliable security scanning tools in action.