You’ve just finished your latest web application and are itching to launch it for anyone to use. The software has gone through development and design and is ready to release. So what could possibly go wrong?
Unfortunately, the answer is a lot, according to the OWASP Top for 2021.
Before you even start designing your software, you should know of the Top 10 web application vulnerabilities. Being aware of some of these vulnerabilities can help you protect against and prepare for attack scenarios if they happen.
So please stick with us and keep reading to find out all about the OWASP Top 10 for 2021. You’ll learn how to keep your software secure against them!
What Is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit organization that hopes to improve cloud application security for software worldwide.
Part of OWASP’s mission is to identify different security threats and cyber attacks against web applications and rank them according to the threat level they pose. The OWASP Top 10 ranks the ten most severe security risks.
OWASP released its newest top 10 version on September 24, 2021. Part of these changes include:
- Adding three new categories.
- Changing the name and scope of old categories.
- Consolidating old categories into newer or existing ones.
Note: Old category names (AXX:2017) are added along with the previous rank where applicable to track category name changes. Consolidated categories are mentioned below the previous rank.
A01 Broken Access Control
Previous Rank: 5
Consolidated: No
Access control policies prevent users from gaining unauthorized access to software systems. More specifically, these policies enforce permissions that restrict users to a specific access level with limited actions.
Broken access control is, therefore, a vulnerability where attackers bypass access control policies to access vulnerable information.
A common vulnerability that leads to broken access control is unprotected meta-data. Attackers can potentially manipulate meta-data by tampering with JSON Web Tokens (JWTs) to elevate their user privileges. Once an attacker has elevated privilege, they can perform restricted actions with vulnerable data.
One of the ways to prevent Broken Access Control is to disable the web application’s server directory listings. This measure will protect the application’s metadata and prevent access in case of a security breach.
A02 Cryptographic Failures
Previous Rank: 3; A03:2017-Sensitive Data Exposure
Consolidated: No
Cryptographic failures occur when cryptographic systems fail and can no longer secure vulnerable data. The failure can occur at the level of the cryptographic function itself, the cryptographic keys, or the user’s level.
Since cryptographic systems encrypt sensitive data, their failure inevitably leads to sensitive data exposure. Examples of sensitive data include credit card numbers and passwords.
An example of a cryptographic vulnerability is not enforcing encryption by default. More specifically, users can fail to include HTTP secure headers or even transmit data in clear text by accident. This vulnerability applies to all data transfer protocols, including FTP, SMTP, and HTTP, to name a few.
The solution? Ensure you encrypt all your data, especially when you’re not using it. Make sure you identify sensitive data and never transmit it in plain text. Additionally, delete sensitive data once you’re done with it to prevent attackers from accessing it later.
A03 Injection
Previous Rank: 1
Consolidated: Yes; A07:2017-Cross-Site Scripting (XSS)
An injection refers to an injection attack, a type of cyberattack where attackers insert, otherwise ‘inject,’ malicious code into a web application. The injected code lies on the database until the web application accesses it and executes the malicious code.
The most common type of injection attack is SQL injection. However, other injection attacks also exist, including Cross-Site Scripting (XSS) and Object Relational Mapping (ORM). Usually, Injections result in attackers gaining access to the web application, its server, and database.
One web application vulnerability that may lead to an injection attack is improper queries and calls. Dynamic queries and non-parameterized calls, when executed without context-aware escaping in the interpreter, are both examples of improper queries.
The best solution against improper queries is to use a safe API for your web application. Safe APIs do not use the interpreter so that they can prevent SQL injections. Furthermore, they provide a parameterized interface, which makes injection attacks more difficult to execute.
A04 Insecure Design
Previous Rank: N/A (New)
Consolidated: No
Writing code is the easy part of software engineering; the hard part is implementing safe design practices from the get-go. Unfortunately, a typical web application weakness is using poor design patterns, leading to insecure software design.
As an OWASP category, insecure design covers a wide range of vulnerabilities. All of these vulnerabilities result from poor design practices, which later affect the web application’s security.
A common insecure design mistake that may lead to a software vulnerability is not segregating system and network layers. For example, developers risk exposing their applications to cyberattacks by designing software that does not separate different application layers.
To solve this design flaw, developers should first identify the use cases of their software. Then, they should separate the different application layers based on how exposed each layer will be to users and if a layer is handling sensitive data. Analyzing the protection needs of each layer first is an example of safe design practice.
A05 Security Misconfiguration
Previous Rank: 6
Consolidated: Yes; A04:2017-XML External Entities (XXE)
Just as there are access control policies, there are also security policies for web applications. Not properly configuring your web application to conform to those policies leads to a Security Misconfiguration vulnerability.
An essential aspect of security configuration is security hardening. Security hardening refers to ‘hardening’ the application by reducing potential software attack vectors. In other words, hardening takes care of any ‘leaks’ in the application where an application layer can be exposed to an attack.
A common vulnerability under this category is leaving behind unnecessary features on the application during release. For instance, developers can accidentally leave default or admin accounts on the application for users to access.
To prevent this scenario, harden your web application properly to disable any extra features users don’t need. These features may include unused ports, accounts, or services.
A06 Vulnerable and Outdated Components
Previous Rank: 9; A09:2017-Using Components With Known Vulnerabilities
Consolidated: No
It doesn’t matter if you have the best-designed web application ever; if you’re using Vulnerable and Outdated Components in your web application, you risk facing a cyberattack.
Vulnerable and outdated software components can include unsupported or outdated libraries, APIs, and even Database Management Systems (DBMS).
A poor software update and patching cycle can often lead to vulnerable components. For example, consider a web application where software patches are implemented monthly under change control. In case of a known vulnerability, the web application would have to wait another month for the latest security patch, leaving the organization vulnerable in the meantime.
The solution, therefore, is to apply security patches as soon as a vulnerability is discovered. We also recommend using Kiuwan Security (SAST) to scan your code for vulnerable components automatically.
A07 Identification and Authentication Failures
Previous Rank: 2; A02:2017-Broken Authentication
Consolidated: No
Any web application worth its weight in salt will ensure only authorized users can access their user accounts. Unfortunately, Identification and broken authentication failures sometimes occur, leading to hackers gaining access to user accounts.
Brute-forcing, credential stuffing, and identity spoofing are standard methods that attackers may use to gain unauthorized access to user accounts.
One vulnerability that may lead to Identification and Authentication Failures is if the web application exposes the session identifier in the application URL to users. Hackers can then use this information to engineer a cyber attack.
To prevent this vulnerability, web applications need to use a specialized server-side session manager. The session manager can randomize session IDs and ensure the URL does not expose session identifiers through secure storage.
A08 Software and Data Integrity Failures
Previous Rank: N/A (New)
Consolidated: Yes; A08:2017-Insecure Deserialization
Software and data integrity failures occur when the web application’s code, API, and infrastructure fail to correct for integrity violations.
Integrity violations may result from insecure CI/CD pipelines or content delivery networks (CDNs) that do not perform sufficient integrity checks first. Auto-updating web application software without first verifying the code, whether through CDN or CI/CD pipelines, can result in a data integrity failure.
To account for this scenario, simply enforce digital signatures to verify that updated data and code are installed only from trusted sources. Additionally, component-scanning software like Kiuwan Insights (SCA) can automatically scan third-party components for malicious code.
A09 Security Logging and Monitoring Failures
Previous Rank: 10; A10:2017-Insufficient Logging & Monitoring
Consolidated: No
What’s worse than a software security breach? A software security breach that the webmasters or admins weren’t even able to detect.
Security logging and monitoring failures often result from improper log handling or poor log design. For example, not checking logs frequently, logs outputting irrelevant information, or only storing logs locally.
The best way to identify such failures is to perform a full penetration test of the web application. A penetration testing OS such as Kali Linux is often your best bet for this situation.
A10 Server Side Request Forgery (SSRF)
Previous Rank: N/A (New)
Consolidated: No
Finally, Server Side Request Forgery (SSRF) is the last entry on the OWASP Top 10 for the 2021 list.
SSRF flaws happen when web applications request access to and fetch remote resources without verifying the user-supplied URL. SSRF attacks can often bypass firewalls, VPNs, or even network Access Control Lists (ACLs).
To prevent SSRF attacks, you must adopt preventative measures at the network and application layers. For example, you can enforce “deny by default” firewall rules on the network layer while simultaneously disabling HTTP redirections on the application layer.
Final Thoughts
If you’ve made it this far, you’re probably wondering by now: How exactly can I ensure my web application stays safe from the OWASP Top 10 for 2021?
Simple: integrate Kiuwan security solutions with your web application development for maximum security.
Kiuwan offers two code scanning solutions for DevSecOps: Static Application Security Testing (SAST) and SCA software insights. Both these security solutions help protect your web application against security threats while simultaneously managing the open source risk of your web application.
Still not convinced? Perhaps you’ll change your mind once you find out Kiuwan and its solutions fully comply with the best IT security standards today. These include CERT, NIST, and OWASP top ten, just to name a few.
So whether you’re looking for a few scans to try things out or want to unlock the continuous unlimited scanning service, try out SAST and SCA insights for your web applications today. Once you do, we guarantee that you’ll make your web applications more secure from the OWASP Top 10 for 2021!
