What is OWASP?
The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures that its offerings (online tools, videos, forums, events, etc.) remain free and are easily accessible through its website.
What is the OWASP Top 10?
The OWASP Top 10 is a list of the most critical web application security risks. The OWASP Top 10 provides detailed rankings and remediation guidance for the top 10 most critical web application security risks. The OWASP has maintained its Top 10 list since 2003, updating it every two to four years in accordance with advancements and changes in the AppSec market. OWASP’s latest Top 10 list was published in Q4 of 2021, while the previous report had been published in 2017.
Why is the OWASP Top 10 needed?
The OWASP Top 10 is a great foundational resource for developing secure code. According to research, a scan of 130,000 applications found that nearly 68% of apps had a security flaw that fell into the OWASP Top 10. The report provides actionable information that serves as a checklist and internal web application development standard for many of the world’s largest organizations. Its main purpose is to offer developers and web application security professionals insight into the most prevalent security risks so that they may fold the report’s findings and recommendations into their own security practices, thereby minimizing the presence of known risks in their applications. By writing code and testing with these risks in mind, developers can create secure applications that keep their users’ data safe from attackers.
Auditors often interpret a company's failure to address the OWASP Top 10 as an indication that it might not be meeting other compliance requirements either. On the other hand, incorporating the Top 10 into the software development life cycle (SDLC) shows that a company is committed to industry best practices for secure development.
How does the OWASP Top 10 gather its knowledge?
The OWASP Top 10 isn’t just a list. It assesses each flaw category using the OWASP Risk Rating methodology and provides guidelines, examples, best practices for preventing attacks, and references for each risk.
The risk ranking is based on a consensus among security experts from around the world and it leverages the extensive knowledge and experience of the OWASP’s open community contributors. The ranking is in accordance with the frequency of discovered security defects, the severity of the uncovered vulnerabilities, and the magnitude of their potential impacts.
OWASP Top 10 Vulnerabilities in 2022 (published September 24, 2021)
- Broken access control: Website security access management must limit visitor access to only those pages or sections needed by that type of user. Some 94% of applications were tested for some form of broken access control.
- Cryptographic failures: Data in transit and at rest (passwords, credit card numbers, health records, personal information, business secrets, etc.) require extra protection due to the potential for cryptographic failures, known as sensitive data exposures.
- Injection: Injection vulnerabilities can occur when a query or command is used to inject untrusted data into the interpreter via OS, SQL, NoSQL, or LDAP injection. Through this attack vector, malicious data is inserted to trick the interpreter into making the application perform actions for which it was not intended, like generating unintended commands or gaining access to data without proper authorization.
- Insecure design: This focuses on risks related to design flaws. The industry needs more use of reference architectures, threat modeling, and secure design patterns and principles.
- Security misconfiguration: 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up in frequency from previous years. According to Gartner, up to 95% of cloud breaches are the result of human error.
- Vulnerable and outdated components: Modern distributed web applications commonly incorporate open-source components (libraries and frameworks). Any component with a vulnerability becomes a weak link that can impact the security of the entire application.
- Identification and authentication failures: When applications incorrectly execute functions related to session management or user authentication, hackers may be able to compromise passwords, session tokens, or security keys and permanently or temporarily assume the permissions of other users. This vulnerability poses a serious threat to the security of the application and the resources it accesses. It can also severely compromise other assets connected to the same network.
- Software and data integrity failures: Code and infrastructure that do not protect against integrity violations are referred to as software and data integrity failures. A program that uses plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs) can be an example of this. Malicious code, unauthorized access, or system compromise can all be risks of an unsecured CI/CD pipeline. Nowadays, many programs have auto-update capabilities that allow updates to be obtained without necessary integrity checks and applied to previously trusted applications. This enables attackers to potentially distribute and run their own updates across all systems.
- Security logging and monitoring failures: Failures in this category can directly impact forensics, visibility, and incident alerting. Studies indicate that the time from attack to detection can take up to 200 days, or even longer. This window gives cyber thieves plenty of time to steal confidential information, tamper with servers, corrupt databases, and plant malicious code.
- Server-side request forgery: Server-side request forgery (SSRF) is a web security flaw that allows hackers to force a server-side application to send HTTP requests to any domain. An SSRF fault occurs when a web application retrieves a remote resource without checking the user-supplied URL. A hacker can make a program send a forged request to an unexpected location even if it is secured by a firewall, VPN, or other type of network access control list.