Data breaches are a top concern for mid-market businesses, and a large part of preventing them comes down to securing web applications. In our first web application protection blog, we discussed best practices for web application testing and the role of the Open Web Application Security Project (OWASP) in improving software security. In this blog we cover what changed in the 2021 edition of the OWASP Top Ten and how those changes should shape the way applications are built and tested.
OWASP Top Ten 2021 Categories
The 2021 list differs from the 2017 list in several ways: categories were renamed, consolidated, added and re-ranked. Below is an explanation of each 2021 Top Ten category.
1.) Broken Access Control – Access controls enforce the policy that decides what an authenticated user is allowed to see and do. Access control is broken when the application fails to enforce that policy on the server side, for example when a user can reach another user's records by changing an ID in a URL, or call an administrative function that the menu merely hides. Attackers then use an ordinary or over-privileged account to view, steal, change or delete data they were never meant to touch.
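The most common form of this weakness is an endpoint that checks that the caller is logged in but never checks that the caller owns the object being requested. The following Python is an added example, not code from the original post or from Foresite; the users, roles and invoice store are constructed for illustration. It shows the vulnerable lookup beside a version that enforces an ownership-or-admin policy and denies by default.

```python
# Added example (not from the original post): object-level authorization.
# Users, roles and the invoice store below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


# Constructed data: invoice id -> record. Ids are sequential, so an attacker
# who sees their own invoice 1001 can simply try 1002, 1003, ...
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 980.50},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def get_invoice_insecure(current_user: User, invoice_id: int) -> dict:
    """Broken access control: the caller is authenticated, but nothing checks
    that the invoice belongs to them. Any logged-in customer can read (or, with
    the same pattern, change or delete) every other customer's invoice just by
    changing the id in the request."""
    return INVOICES[invoice_id]


def can_read_invoice(current_user: User, invoice: dict) -> bool:
    """Authorization policy kept in one place: owners and admins only."""
    return current_user.role == "admin" or invoice["owner_id"] == current_user.id


def get_invoice_secure(current_user: User, invoice_id: int) -> dict:
    """Deny by default. The policy is enforced server-side on every request,
    and a missing record and a forbidden one produce the same error so the
    endpoint cannot be used to enumerate which invoice ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(current_user, invoice):
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


if __name__ == "__main__":
    alice = User(id=1, role="customer")
    print(get_invoice_insecure(alice, 1002))  # Bob's invoice leaks to Alice
    try:
        get_invoice_secure(alice, 1002)
    except Forbidden as exc:
        print("blocked:", exc)
```

Keeping the policy in a single function is what makes it testable: a penetration test for this category is essentially logging in as one customer and requesting another customer's IDs, and the same check can be run automatically against every object-returning endpoint.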
2.) Cryptographic Failures – This category replaces the one previously named ‘Sensitive Data Exposure’. The old name described a symptom rather than a cause; the new one names the root cause, which is missing or misused cryptography. Failures range from transmitting or storing sensitive data in clear text, to weak or deprecated algorithms and password hashing, to poor key management, and the usual result is exposure of the very data those controls were supposed to protect.
3.) Injection – Injection held first place on the 2017 list and drops to third, and Cross-Site Scripting is now consolidated into it. Injection occurs when untrusted input is sent to an interpreter (SQL, an OS shell, LDAP, an HTML page) as part of a command or query without being kept separate from the command's structure, so the input changes what the interpreter executes. It remains one of the most dangerous web application attack classes.
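The mechanism is the same whether the interpreter is a database or a browser: data is spliced into the text of a command. The following Python is an added example, not code from the original post; the in-memory SQLite table and its users are constructed for illustration. It shows a login query built by string formatting beside its parameterized form, and, because the 2021 list folds Cross-Site Scripting into this category, an HTML fragment rendered with and without output encoding.

```python
# Added example (not from the original post): SQL injection and its fix, plus
# the output-encoding fix for cross-site scripting. The database is constructed
# in memory so the example runs offline.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table. Passwords are stored in clear text only to
    keep the injection example short; real code stores a salted, slow hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_insecure(conn: sqlite3.Connection, username: str, password: str):
    """Untrusted input is pasted into the SQL text, so the input can change the
    query's structure: username "alice' --" closes the string and comments out
    the password check entirely."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_secure(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def greeting_insecure(display_name: str) -> str:
    """Reflected XSS: user-controlled text is concatenated into HTML, so a
    name containing <script> runs in every viewer's browser."""
    return f"<p>Welcome back, {display_name}!</p>"


def greeting_secure(display_name: str) -> str:
    """Output encoding for the HTML text context: the browser renders the
    characters instead of interpreting them as markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_insecure(db, "alice' --", "wrong"))  # alice: check bypassed
    print(login_secure(db, "alice' --", "wrong"))    # None
    print(greeting_secure("<script>alert(1)</script>"))
```

The fix in both halves is the same idea: keep code and data apart, by binding parameters on the database side and by encoding for the output context on the HTML side. Input validation is a useful extra layer but is not a substitute for either.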
4.) Insecure Design – ‘Insecure Design’ is one of the new categories and sits fourth on the list. It was introduced to capture risks that stem from flaws in the design of an application rather than from mistakes in its implementation. The best web applications are designed with security in mind from the start: a flawed design cannot be rescued by a perfect implementation, and design flaws are difficult and costly to correct once an application is deployed, when threat modeling during design would have prevented them.
5.) Security Misconfiguration – ‘Security Misconfiguration’ was sixth on the 2017 list and moves up to fifth, and the previous ‘XML External Entities (XXE)’ category is now consolidated into it, since XXE is fundamentally a matter of how the XML parser is configured. The category addresses insecure settings wherever they appear in the application stack: default accounts and passwords left enabled, unnecessary features or services switched on, verbose error messages, and missing security headers.
6.) Vulnerable and Outdated Components – Previously ‘Using Components with Known Vulnerabilities’, this category was renamed and moves up from ninth to sixth. It addresses insecure practices such as insufficient patch management and not knowing which libraries, frameworks and runtimes an application actually depends on. It is commonly found in environments running out-of-date or no-longer-supported software, including nested dependencies that nobody has inventoried.
7.) Identification and Authentication Failures – Previously ‘Broken Authentication’, this category drops from second to seventh. Applications that permit brute-force or credential-stuffing attacks, accept weak or default passwords, store passwords with weak hashing, or mishandle session tokens fit here.
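Two of the categories above, Cryptographic Failures and Identification and Authentication Failures, meet in the login form: how passwords are stored and how many guesses an attacker gets. The following Python is an added example, not code from the original post or from Foresite. The iteration count, the password policy, the lockout threshold, the stand-in breach list and the sample users are all assumptions for illustration. It contrasts an unsalted MD5 hash with a salted PBKDF2 hash, then wraps it in a login service that rejects weak passwords and locks an account after repeated failures.

```python
# Added example (not from the original post): password storage and brute-force
# throttling. All parameters and sample data below are assumptions.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed; order of magnitude OWASP recommends for SHA-256
MIN_PASSWORD_LENGTH = 12      # assumed policy
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password_insecure(password: str) -> str:
    """Cryptographic failure: unsalted fast hash. Identical passwords hash
    identically, and a GPU tests billions of guesses per second against a
    leaked table."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_secure(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a deliberately slow key-derivation function.
    Stored form: iterations$salt_hex$hash_hex, so parameters can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the hash cannot be recovered byte by byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_is_acceptable(password: str) -> bool:
    """Length plus a deny-list of known-bad choices; composition rules on
    their own do little against brute force or credential stuffing."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


class LoginService:
    """Constructed user store with a per-account failed-attempt counter."""

    def __init__(self):
        self.users = {}    # username -> stored hash
        self.failed = {}   # username -> consecutive failures
        # Hashed once so a login for an unknown user costs the same time as a
        # real one; otherwise response time reveals which usernames exist.
        self._dummy = hash_password_secure("dummy-for-constant-time")

    def register(self, username: str, password: str) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        self.users[username] = hash_password_secure(password)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'. Unknown user and wrong password
        give the same answer, so the endpoint does not enumerate usernames."""
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        known = username in self.users
        valid = verify_password(password, self.users.get(username, self._dummy))
        if known and valid:
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        return "denied"
```

A hard lockout is the simplest throttle and the easiest to turn into a denial of service against legitimate users; progressive delays, rate limiting per source, and multi-factor authentication are the usual complements in production. PBKDF2 is used here because it is in the standard library; memory-hard functions such as Argon2 or scrypt are preferable when a library is available.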
8.) Software and Data Integrity Failures – This is a new category, and the previous ‘Insecure Deserialization’ is consolidated into it; it keeps the eighth place that Insecure Deserialization held on the 2017 list. It covers code and infrastructure that do not verify integrity: unsigned or unverified updates, plugins and libraries pulled from untrusted sources, CI/CD pipelines an attacker can tamper with, and deserialization of untrusted data. The SolarWinds malicious update is the best-known example: the trojanized update was distributed to an estimated 18,000 organizations worldwide.
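The consumer-side control for this category is to verify an artifact before acting on it and to refuse the whole release if any part fails. The following Python is an added example, not code from the original post or from any vendor's updater; the release files, the manifest and the tampered copy are constructed here, and the check is a pinned SHA-256 digest per file rather than a full signature scheme.

```python
# Added example (not from the original post): verify an update against an
# integrity manifest before installing it. Release bytes, manifest and the
# tampered copy are constructed. In practice the manifest is signed and obtained
# over a channel separate from the download itself.
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Publisher side: record a digest for every file in the release."""
    return json.dumps({name: sha256_hex(data) for name, data in files.items()}, sort_keys=True)


def verify_release(files: dict, manifest_json: str) -> list:
    """Consumer side: return the names of files that fail verification.
    A file absent from the manifest is untrusted (an added component), and a
    manifest entry with no file is a failure too (a stripped component)."""
    expected = json.loads(manifest_json)
    problems = []
    for name in sorted(set(files) | set(expected)):
        if name not in expected or name not in files:
            problems.append(name)
        elif not hmac.compare_digest(sha256_hex(files[name]), expected[name]):
            problems.append(name)
    return problems


def install_update(files: dict, manifest_json: str, install) -> bool:
    """Fail closed: nothing is installed unless every file verifies."""
    problems = verify_release(files, manifest_json)
    if problems:
        raise RuntimeError("integrity check failed: " + ", ".join(problems))
    for name, data in files.items():
        install(name, data)
    return True


# Constructed release and a copy with two bytes appended to one component.
RELEASE = {"agent.dll": b"\x4d\x5a constructed agent image", "config.xml": b"<cfg/>"}
MANIFEST = build_manifest(RELEASE)
TAMPERED = dict(RELEASE, **{"agent.dll": RELEASE["agent.dll"] + b"\x90\x90"})

if __name__ == "__main__":
    print(verify_release(RELEASE, MANIFEST))   # []
    print(verify_release(TAMPERED, MANIFEST))  # ['agent.dll']
```

This check catches tampering between publisher and consumer. It would not have caught the SolarWinds case, where the malicious code was inserted in the vendor's own build and the resulting update carried the vendor's legitimate signature; that half of the category is about pipeline integrity, keeping signing keys off the build system and verifying that what was built matches reviewed source.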
9.) Security Logging and Monitoring Failures – Previously ‘Insufficient Logging & Monitoring’, this category moves up from tenth to ninth. It highlights the need for organizations to log security-relevant events (logins, failed logins, access-control failures, high-value transactions), protect those logs from tampering, and monitor and alert on them, because without this an attack is neither detected nor responded to in time.
10.) Server-Side Request Forgery (SSRF) – SSRF is a new category. It occurs when an application fetches a remote resource from a URL the user supplies without validating it, so the server can be made to send requests to destinations the attacker chooses. This gives attackers a foothold inside the perimeter: they can map the internal network, read from services that trust the application server, or reach cloud metadata endpoints that hand out credentials. The category is particularly important for web applications in complex cloud environments, where the application server sits inside a trusted network and is itself a trusted client to other services.
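The defence is positive validation of the destination before the server makes the request: an allowlist of hosts, a fixed scheme and port, and a check that the name actually resolves to a public address. The following Python is an added example, not code from the original post; the allowlist and the fake DNS table are constructed so it runs offline, and the resolver is injectable so a deployment can substitute a real lookup.

```python
# Added example (not from the original post): validating a user-supplied URL
# before the server fetches it. ALLOWED_HOSTS and FAKE_DNS are assumptions.
import ipaddress
from urllib.parse import urlparse

ALLOWED_HOSTS = {"images.example.com"}  # assumed: the only host we intend to fetch from

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "internal.example.com": "10.0.0.5",
    "metadata.example.com": "169.254.169.254",
}


def is_public_address(ip_text: str) -> bool:
    """Reject loopback, RFC 1918, link-local (the cloud metadata service lives
    at 169.254.169.254), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolver=FAKE_DNS.get, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Every check is positive: only https, no embedded
    credentials, only allowlisted hosts, only the default port, and only if
    the name resolves to a public address. Anything else is refused."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    host = parsed.hostname
    if not host or host not in allowed_hosts:
        return False, "host not on allowlist"
    if parsed.port not in (None, 443):
        return False, "port not allowed"
    ip = resolver(host)
    if ip is None:
        return False, "unresolvable host"
    if not is_public_address(ip):
        return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def fetch_insecure(url: str, http_get):
    """SSRF: the server fetches whatever URL the user supplied, so
    http://10.0.0.5/admin or the metadata service are all reachable."""
    return http_get(url)


def fetch_secure(url: str, http_get):
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    return http_get(url)
```

The allowlist is the primary control and the address check is defence in depth against an allowlisted name that is pointed at an internal address. Note the gap between resolving and connecting: an attacker who controls the DNS for a host can answer with a public address for the check and a private one for the connection (DNS rebinding), so production code connects to the address it validated, or routes outbound fetches through an egress proxy that enforces the same rules.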
Overview of Changes in OWASP Top Ten List
OWASP 2021 features a plethora of changes and ranking shifts. Compared to 2017, the categories are now defined by the root cause of a weakness rather than by the symptom or the way it is exploited. The table below sets the two lists side by side and marks how each 2017 category changed.
Top Ten 2017                                         | Top Ten 2021
-----------------------------------------------------|------------------------------------------------
1.) Injection ^–                                     | 1.) Broken Access Control
2.) Broken Authentication –‡                         | 2.) Cryptographic Failures
3.) Sensitive Data Exposure +‡                       | 3.) Injection
4.) XML External Entities (XXE) >                    | 4.) Insecure Design
5.) Broken Access Control ^+                         | 5.) Security Misconfiguration
6.) Security Misconfiguration ^+                     | 6.) Vulnerable and Outdated Components
7.) Cross-Site Scripting (XSS) +>                    | 7.) Identification and Authentication Failures
8.) Insecure Deserialization >‡                      | 8.) Software and Data Integrity Failures
9.) Using Components with Known Vulnerabilities +‡   | 9.) Security Logging and Monitoring Failures
10.) Insufficient Logging & Monitoring +‡            | 10.) Server-Side Request Forgery (SSRF)
^ – Present on both the 2017 and 2021 lists under the same name.
+ – Promoted in ranking on the 2021 list.
– – Demoted in ranking on the 2021 list.
> – Consolidated into another category on the 2021 list.
‡ – Renamed on the 2021 list.
Major Changes to OWASP Top Ten Categories
The 2021 top ten list differs from 2017 in four ways:
- Four name modifications
- Three consolidations of categories
- Three category additions
- Seven shifts in category importance rankings
Two of the categories were included on the strength of the OWASP Top Ten community survey of practitioners rather than on the incidence data alone: Security Logging and Monitoring Failures and Server-Side Request Forgery, both of which are hard to see in vulnerability data but were rated as important by the community.
Categories Maintained from OWASP 2017 Top Ten List
- Broken Access Control
- Injection
- Security Misconfiguration
New Category Additions to OWASP Top Ten List
- Insecure Design
- Software and Data Integrity Failures
- Server-Side Request Forgery
Changes in OWASP Category Rankings
The OWASP Top Ten categories are ranked from one, the most critical, to ten, the least. Below are the changes in ranking from OWASP 2017 to OWASP 2021.
Increased Criticality Rank of OWASP Categories
- Broken Access Control – Moves from 5th to 1st, making it the highest risk category.
- Cryptographic Failures (Previously ‘Sensitive Data Exposure’) – Moves from 3rd to 2nd.
- Security Misconfiguration – Moves from 6th to 5th.
- Vulnerable and Outdated Components (Previously ‘Using Components with Known Vulnerabilities’) – Moves from 9th to 6th.
- Security Logging and Monitoring Failures (Previously ‘Insufficient Logging & Monitoring’) – Moves from 10th to 9th.
Demoted Rank of OWASP Categories
- Injection – Moves from 1st to 3rd.
- Identification and Authentication Failures (Previously ‘Broken Authentication’) – Moves from 2nd to 7th.
OWASP Category Consolidations
Categories that were grouped together under one include:
- Injection – The previous ‘Cross-site Scripting’ now falls under this category.
- Security Misconfiguration – The previous ‘XML External Entities (XXE)’ now falls under this category.
- Software and Data Integrity Failures – The previous ‘Insecure Deserialization’ now falls under this category.
OWASP Top Ten Category Name Changes
- Cryptographic Failures – Previously known as ‘Sensitive Data Exposure’.
- Vulnerable and Outdated Components – Previously known as ‘Using Components with Known Vulnerabilities’.
- Identification and Authentication Failures – Previously known as ‘Broken Authentication’.
- Security Logging and Monitoring Failures – Previously known as ‘Insufficient Logging & Monitoring’.
It is important to consider these critical risk factors in web application development and testing. While the list may seem overwhelming, there are solutions available in the market to assist your team in building and testing your web applications. Foresite Cybersecurity offers web application testing solutions to help your business prevent a brand-compromising breach.
Contact us today to learn how to protect your applications.
Marcela Denniston is a Cybersecurity Expert who has been building military-grade security operations teams since 2002. Today, she is the SVP of Marketing for Foresite Cybersecurity, where she uses her subject matter expertise to drive meaningful content and messaging that speaks to true cyber practitioners.