Cybersecurity Stories: A Jurassic Journey Through the OWASP Top 10

David Berg
8 min read · Mar 23, 2023

If you’ve ever come across the OWASP Top 10 but aren’t quite sure what it entails, or struggle to recall the ten vulnerabilities, this article is for you. Learning cybersecurity can be overwhelming, especially when faced with so much terminology and so many acronyms; you’re not alone in facing this challenge. I have found that employing stories and analogies is an excellent approach to simplifying complex concepts. In this article, I will provide a simplified explanation of the OWASP Top 10 and its significance, using the fictional Jurassic Universe as an analogy.

Web developers often concentrate on solving problems and meeting deadlines, and security can be overlooked as a result. Inadequately tested and secured web applications then become susceptible to attack. The goal of this article is to raise awareness, particularly among new web developers or those new to the security field, of the ten most basic security risks through this analogy. Additionally, I would like to share how we incorporated the OWASP Top 10 as a standard for our web application.

OWASP Top 10 (illustration by Horangi Cyber Security)

The Jurassic Universe:

Picture a world where entrepreneurs, after the failures of Jurassic Park and Jurassic World, decide to create a new dinosaur park called Jurassic Universe. Determined to avoid previous disasters, they hire security expert and OWASP (Open Web Application Security Project) founder Mark Curphey. He aims to implement an awareness document similar to the OWASP Top 10 to ensure the park’s safety and security; he calls it the OJASP (Open Jurassic Amusement Security Project) Top 10. Mark then provides 10 examples to create an awareness program for park management.

In the Jurassic Universe, 🦕 dinosaurs coexist peacefully with 🔒 security engineers.

The OJASP Top 10 in the Jurassic Universe:

Here’s how each of the Top 10 security risks from the 2021 update corresponds to the Jurassic Universe:

  1. Broken Access Control: If the park’s access control system fails, unauthorized personnel or visitors could enter restricted areas, or dangerous dinosaurs like raptors or T-Rex could escape from their cages. Similarly, broken access controls in web applications allow attackers to bypass restrictions and access sensitive data or systems.
  2. Cryptographic Failures: In the park, using outdated or improperly implemented encryption methods could lead to sensitive information leaks, such as dinosaur genetic data. Similarly, cryptographic failures in web applications result from improper use or implementation of cryptographic methods, exposing sensitive data.
  3. Injection: Picture a park visitor who smuggles in contaminated food. When dinosaurs, other visitors, or staff consume it, they fall unconscious. This enables the malicious visitor to steal dinosaur DNA, valuable items from other guests, or access keys to restricted areas. In the same way, web applications are vulnerable to injection attacks when user-supplied data is not adequately validated, filtered, or sanitized. Injection vulnerabilities allow attackers to insert harmful data or commands, leading to data breaches or unauthorized access.
  4. Insecure Design: A tropical cyclone hits Jurassic Universe island, causing a power failure. The park’s security system didn’t account for the risk of power outages and lacked proper fail-safe mechanisms. Consequently, the T-Rex and raptors escape from their cages due to the park’s insecure design, terrorizing visitors and staff. Similarly, insecure design in web applications involves various weaknesses, such as missing or ineffective control design. Flawless implementation can’t fix an insecure design because the required security controls to defend against specific attacks were never created.
  5. Security Misconfiguration: Imagine a genetic engineer at Jurassic Universe decides to fill the T-Rex’s DNA with squid DNA, intending to create a colorful T-Rex that can attract visitors. However, they didn’t consider the potential consequences, and the modified T-Rex gains the ability to camouflage, allowing it to escape from its cage undetected. Similarly, web applications may face security misconfiguration issues if they lack proper security measures across the application stack or have incorrect permissions, default settings, or unnecessary features enabled. These misconfigurations can leave the application vulnerable to attacks.
  6. Vulnerable and Outdated Components: Jurassic Universe uses an old, unsupported security system that no longer receives updates or patches for vulnerabilities. This outdated system leaves the park vulnerable to breaches and attacks. Similarly, web applications using vulnerable or outdated components, such as libraries, frameworks, or other software modules, are more susceptible to exploitation due to known security flaws.
  7. Identification and Authentication Failures: The park’s identification and authentication system has weak password policies, allowing intruders to easily guess or crack staff credentials. Additionally, the system lacks multi-factor authentication, further reducing security. Similarly, web applications with weak authentication and identification mechanisms are susceptible to unauthorized access, impersonation, or account takeover.
  8. Software and Data Integrity Failures: Jurassic Universe has a dinosaur health monitoring system that relies on software and data integrity. However, the integrity of the software and data is not maintained, leading to false information about dinosaur health, causing a dangerous outbreak among the animals. In web applications, software and data integrity failures can result in manipulation, corruption, or unauthorized alteration of critical data or code, leading to security breaches or system failures.
  9. Security Logging and Monitoring Failures: At Jurassic Universe, the security team doesn’t regularly review security logs or monitor for suspicious activity. As a result, they fail to detect an intruder who tampers with the park’s security system, ultimately allowing the escape of dangerous dinosaurs. Similarly, web applications with inadequate security logging and monitoring can’t detect or respond to potential threats or breaches in a timely manner, giving attackers more time to exploit vulnerabilities.
  10. Server-Side Request Forgery (SSRF): Jurassic Universe’s control system allows staff to remotely monitor and manage various park functions. However, an attacker exploits a vulnerability, sending malicious server-side requests to the control system and gaining unauthorized access to the park’s security system. In web applications, SSRF vulnerabilities allow attackers to send forged requests from a vulnerable server to internal resources, potentially gaining access to sensitive data or systems.

Using the fictional Jurassic Universe to explain the OWASP Top 10 makes these risks, and what they can lead to, easier to grasp. Securing web applications is essential in today’s digital world. The OWASP Top 10 helps developers, security professionals, and companies identify, mitigate, and prevent the most serious security problems in web applications, so that users and sensitive information stay protected in a constantly changing digital world.

Use Case

Having explored the OWASP Top 10 security risks through the Jurassic Universe analogy, you should now have a basic understanding of the crucial security aspects to consider when developing a web application. I’d like to share a real-life example where my team and I implemented the OWASP Top 10 guidelines in a web application project.

We were tasked with developing an MVP (Minimum Viable Product) that needed to be completed within a tight deadline while also addressing basic security features. After defining the classes and creating related diagrams, we completed the project’s analysis and design phases. We chose to use C# ASP.NET for development and MySQL as the database.

In our C# ASP.NET project, we addressed the OWASP Top 10 as follows:

A01:2021 Broken Access Control:

  • Implemented role-based access control (RBAC) and set up authorization policies.
  • Used the [Authorize] attribute on controllers and actions to enforce access control.

A02:2021 Cryptographic Failures:

  • Secured the database connection string.
  • Stored uploaded files encrypted in the database rather than the root folder.
  • Utilized HTTPS to ensure secure data transmission.

A03:2021 Injection:

  • Employed Entity Framework and LINQ for queries to prevent traditional SQL injection attacks.
  • Used character limitations and regular expressions to validate user inputs.
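The two items above (A01 and A03) in one controller, as an added example that is not the author's project code: an `[Authorize]` attribute enforced server-side per action, input validated against a bounded regular expression, and an EF Core LINQ query that is translated into a parameterized statement. `AppDbContext`, the `Dinosaur` entity and the `Keeper` role are assumed names.

```csharp
// Added example (not the author's project code): A01 role-based authorization
// and A03 injection-safe data access in ASP.NET Core MVC with EF Core. Assumed:
// an AppDbContext with DbSet<Dinosaur>, and a Dinosaur entity with Id, Species, PaddockOpen.
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

[Authorize]                              // every action needs an authenticated user
public class DinosaursController : Controller
{
    // Letters, digits, spaces and hyphens only, length bounded: this rejects
    // the quote and comment characters that injection payloads depend on.
    private static readonly Regex SpeciesName = new(@"^[A-Za-z0-9 \-]{1,40}$");
    private readonly AppDbContext _db;
    public DinosaursController(AppDbContext db) => _db = db;

    // Any signed-in user may search.
    [HttpGet]
    public async Task<IActionResult> Search(string? species)
    {
        if (species is null || !SpeciesName.IsMatch(species))
            return BadRequest("invalid species name");

        // The pattern this replaces: concatenating input into SQL text, e.g.
        //   _db.Dinosaurs.FromSqlRaw("SELECT * FROM Dinosaurs WHERE Species = '" + species + "'")
        // EF Core translates the LINQ below into a parameterized query, so
        // `species` travels as a bound parameter, never as SQL text.
        var results = await _db.Dinosaurs
            .Where(d => d.Species == species)
            .ToListAsync();
        return View(results);
    }

    // A01: only the Keeper role may open a paddock. The attribute is enforced
    // server-side on every request, whatever buttons the UI shows or hides.
    [HttpPost]
    [Authorize(Roles = "Keeper")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> OpenPaddock(int id)
    {
        var dino = await _db.Dinosaurs.FindAsync(id);
        if (dino is null) return NotFound();
        dino.PaddockOpen = true;
        await _db.SaveChangesAsync();
        return RedirectToAction(nameof(Search));
    }
}
```

The regular expression is a defence in depth; the parameterization is what actually prevents injection, so the query stays safe even for inputs the pattern lets through.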

A04:2021 Insecure Design:

  • Followed a secure development lifecycle (SDL) and incorporated security best practices from the design phase.
  • Conducted unit tests and used the OWASP ZAP (Zed Attack Proxy) tool to detect vulnerabilities.

A05:2021 Security Misconfiguration:

  • Configured proper error handling with try-catch blocks to avoid leaking sensitive information.
  • Kept all libraries and components up to date, removing unnecessary code blocks and comments.
  • Disabled unnecessary features and services, limiting user permissions to the minimum required.

A06:2021 Vulnerable and Outdated Components:

  • Regularly updated all third-party libraries, plugins, and components to their latest versions.
  • Monitored security advisories and applied patches as needed.

A07:2021 Identification and Authentication Failures:

  • Utilized Entity Framework Identity for authentication and authorization, saving significant time and providing a secure system.
  • Activated Two-Factor Authentication (2FA) to prevent unauthorized access.

A08:2021 Software and Data Integrity Failures:

  • Ensured data integrity by encrypting uploaded files stored in the database.
  • Relied only on trusted resources and libraries.
  • Maintained accountability by recording information about the date and user responsible for creating and modifying data.

A09:2021 Security Logging and Monitoring Failures:

  • Enabled logging to record both errors and potential password attacks.
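An added example covering the A07 and A09 items above, not the author's project code: the Identity password and lockout policy set once in `Program.cs`, and a login action that records every failed attempt as a structured log event. `ApplicationUser`, `AppDbContext` and the `LoginWith2fa` action that completes the second factor are assumed to exist.

```csharp
// Added example (not the author's project code): ASP.NET Core Identity
// password/lockout policy (A07) and logging of failed sign-ins (A09). Assumed:
// ApplicationUser : IdentityUser, AppDbContext : IdentityDbContext<ApplicationUser>,
// and a LoginWith2fa action elsewhere in the controller.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// --- Program.cs: the policy is set once, in configuration, not per controller ---
builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 12;
    options.Lockout.MaxFailedAccessAttempts = 5;                 // throttles online guessing
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();                                     // issues the 2FA codes

// --- AccountController.cs ---
public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signIn;
    private readonly ILogger<AccountController> _log;
    public AccountController(SignInManager<ApplicationUser> signIn, ILogger<AccountController> log)
    { _signIn = signIn; _log = log; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password)
    {
        var ip = HttpContext.Connection.RemoteIpAddress;
        // lockoutOnFailure: true makes each failure count toward the lockout above.
        var result = await _signIn.PasswordSignInAsync(userName, password,
            isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.RequiresTwoFactor) return RedirectToAction("LoginWith2fa");

        // A09: one structured event per failure with the fields a monitor keys on.
        // The account and source address are logged; the password never is.
        if (result.IsLockedOut)
            _log.LogWarning("Account locked after repeated failures: {User} from {Ip}", userName, ip);
        else
            _log.LogWarning("Failed login for {User} from {Ip}", userName, ip);
        // Same response for unknown user and wrong password: no account enumeration.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }
}
```

The `{User}` and `{Ip}` placeholders become named properties in structured log sinks, which is what lets a monitoring rule count failures per account or per source address.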

A10:2021 Server-Side Request Forgery:

  • Added ValidateAntiForgeryToken to POST requests to mitigate cross-site request forgery (CSRF).
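A caveat worth making explicit: `ValidateAntiForgeryToken` defends against CSRF (a forged request the browser sends to the server), whereas SSRF is the server itself being induced to fetch an attacker-chosen URL. The control for SSRF is to validate the destination before the outbound request. The following is an added example, not the author's project code; the `FeedController`, the `Staff` role and the allowed hostname are assumed.

```csharp
// Added example (not the author's project code). The anti-forgery token stops
// CSRF; SSRF needs a different control: validate where the server is about to
// connect before it connects. Assumed: a staff "preview" action that fetches
// an external feed for the park dashboard; the allowed host is a placeholder.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(Roles = "Staff")]
public class FeedController : Controller
{
    // Explicit allow-list of hosts the server may contact; anything else is refused.
    private static readonly HashSet<string> AllowedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "feeds.example.com" }; // placeholder host

    // Redirects are disabled: an allowed host could otherwise 302 to an internal address.
    private static readonly HttpClient Client =
        new(new HttpClientHandler { AllowAutoRedirect = false }) { Timeout = TimeSpan.FromSeconds(5) };

    public static bool IsAllowedDestination(string? raw, out Uri? uri)
    {
        uri = null;
        if (!Uri.TryCreate(raw, UriKind.Absolute, out var u)) return false;
        if (u.Scheme != Uri.UriSchemeHttps) return false;       // no file:, ftp: or plain http:
        if (!AllowedHosts.Contains(u.Host)) return false;        // loopback, private and internal names fail here
        if (u.UserInfo.Length != 0) return false;                // "allowed.host@other.host" tricks
        uri = u;
        return true;
    }

    [HttpGet]
    public async Task<IActionResult> Preview(string? url)
    {
        if (!IsAllowedDestination(url, out var target))
            return BadRequest("destination not permitted");

        using var resp = await Client.GetAsync(target!);
        // Belt and braces: a redirect response is treated as a failed fetch, not followed.
        if ((int)resp.StatusCode is >= 300 and < 400)
            return BadRequest("destination redirected; refused");

        var body = await resp.Content.ReadAsStringAsync();
        return Content(body.Length > 4096 ? body[..4096] : body, "text/plain");
    }
}
```

The allow-list should be the positive rule; a deny-list of internal address ranges is easy to bypass with alternate encodings and DNS tricks, so it is at most a secondary check.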

Use OWASP Top 10 as a baseline and consider adopting ASVS for a secure development lifecycle.

By incorporating the OWASP Top 10 as a standard in our C# ASP.NET project, we were able to deliver a secure MVP within the given deadline. With proper initial planning and minor adjustments, it’s possible to develop secure and efficient programs. The OWASP Top 10 is essential for web developers: it raises awareness of the most critical security risks in web applications, helps prioritize efforts against the most significant threats, offers guidance on preventing those risks, and supports compliance with security standards. Moreover, it protects reputations and reduces costs by preventing security incidents early in the development process. However, it’s important to treat the OWASP Top 10 as a baseline; for a secure development lifecycle, it is recommended to adopt the more comprehensive OWASP Application Security Verification Standard (ASVS) or similar frameworks. What the ASVS entails will be the subject of another blog post.

In conclusion, addressing the OWASP Top 10 early in your web application development is essential for building secure, reliable, and effective web applications. By being careful, you can defend your applications from the most common threats and avoid significant damage to your organization’s reputation and finances. Keep learning about security risks and best practices so you can stay ahead of possible threats and make sure your web applications and their users are safe.

Whether you’re a cybersecurity expert or just getting started, join me as we explore cybersecurity through the lens of storytelling. 📖🔍 Follow along to learn more and stay safe online. More stories and allegories are coming… 📚👀 #cybersecurity #allegory #storytelling

Resources:

https://owasp.org/www-project-top-ten

https://www.horangi.com/blog/real-life-examples-of-web-vulnerabilities

Photos generated by Midjourney AI.
