The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). The list has been maintained by OWASP since its release in 2003 with updates every few years.
In an announcement on September 8, 2021, OWASP said the draft Top 10 web application security threats for 2021 has been published for the purposes of “peer review, comment, translation, and suggestions for improvements”. The draft report, available to view online, contains important changes to how the non-profit categorizes today’s web application threats.
In the update, the OWASP group has added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks.
2017’s ‘XML External Entities (XXE)’ section has been added to 2021’s Security Misconfiguration category, ‘Cross-Site Scripting (XSS)’ has been added to the ‘Injection’ section, and ‘Insecure Deserialization’ is now part of ‘Security Logging and Monitoring Failures’.
OWASP has also renamed several categories.
OWASP Top 10 for 2021: The full list
1.A01:2021-Broken Access Control: 34 CWEs. Access control vulnerabilities include privilege escalation, malicious URL modification, access control bypass, CORS misconfiguration, and tampering with primary keys.
2.A02:2021-Cryptographic Failures: 29 CWEs. This includes security failures when data is in transit or at rest, such as the implementation of weak cryptographic algorithms, poor or lax key generation, a failure to implement encryption or to verify certificates, and the transmission of data in cleartext.
3.A03:2021-Injection: 33 CWEs. Common injections impact SQL, NoSQL, OS command, and LDAP, and may be caused by sanitization failures, XSS vulnerabilities, and a lack of protection for file paths.
4.A04:2021-Insecure Design: 40 CWEs. Insecure design elements vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include a lack of protection for stored data, logic programming problems, and displaying content that reveals sensitive information.
5.A05:2021-Security Misconfiguration: 20 CWEs. Applications may be considered vulnerable if they lack security hardening, if there are unnecessary features – such as a too-open hand when it comes to privileges – if default accounts are kept active, and if security features are not configured correctly.
6.A06:2021-Vulnerable and Outdated Components: Three CWEs. This category focuses on client and server-side components, failures to maintain components, out-of-date support systems – such as an OS, web servers, or libraries – as well as component misconfiguration.
7.A07:2021-Identification and Authentication Failures: 22 CWEs. Security issues include improper authentication, session fixation, certificate mismatches, permitting weak credentials, and a lack of protection against brute-force attacks.
8.A08:2021-Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category, and any failure to do so properly – such as the deserialization of untrusted data, or not checking code and updates when pulled from a remote source – may be in scope.
9.A09:2021-Security Logging and Monitoring Failures: Four CWEs. Issues that can hamper the analysis of a data breach or other form of attack, including logging problems, failing to record security-relevant information feeds, or only logging data locally come under this category.
10.A10:2021-Server-Side Request Forgery: One CWE. SSRF vulnerabilities occur when a server does not validate user-submitted URLs when they fetch remote resources. OWASP says that the adoption of cloud services and increasingly complex architectures have ramped up the severity of SSRF attacks.
Review of the draft usually takes a number of months. The OWASP group also announced they have a surprise coming on September 24, so stay tuned.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks, while at the same time generates the least false positives and alerts. Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies the API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs) fail to prevent zero day attacks and how deterministic security fills the need for detecting zero day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, pattern and signature matching fail to detect true zero day attacks, giving very specific examples of attacks where these technologies work, and where they fail to detect an attack.
The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications, include RASP and check out K2’s application workload security.