Why should we know about OWASP Top 10?
Before coming to the topic of OWASP, we all need to know what application security is.
What is Application Security?
The term "Application Security" describes itself: it is the set of practices applied from the very beginning of a project, through development and into testing, that aim to protect the application and its data from being stolen, tampered with or taken over through vulnerabilities in the software.
What is OWASP and its role in application security?
OWASP stands for Open Web Application Security Project, a non-profit organisation started in 2001 that helps product owners and security practitioners protect web applications from cyber attacks.
The OWASP community provides free resources (articles, documentation, tools and technologies) that support web application security.
Story of OWASP Top 10
OWASP publishes a list of the ten most critical security risks facing organisations. To compile it, OWASP gathers data from security experts and from companies worldwide about the risks they actually encounter.
A new edition of the Top 10 appears roughly every three to four years. The first edition was published in 2003, and the ranking has changed with every edition since. The most recent edition at the time of writing is OWASP Top 10:2021, which adds a few new categories and reorders others compared with OWASP Top 10:2017.
In short, the OWASP Top 10 is a lifesaver for developers and companies: its main purpose is to raise awareness of the risks that are currently most common, so that web applications can be defended against the major attacks.
Now, let's look at the ten risks in the 2021 edition.
OWASP Top 10:2021
A01: Broken Access Control
Broken Access Control is the No. 1 risk in the 2021 report, up from 5th place in 2017. The core problem is that an attacker can use functionality or data that should be available only to a specific user X, to X's team, or to employees of X's firm; the application does not enforce its own authorization rules on the server side.
This "unauthorised access" ability lets an attacker take over accounts and create, read, update or delete data they should never be able to reach.
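The check that is missing in a broken-access-control bug, as an added example (not code from the original post): the user and account records, the "same team may view" rule and the function names are assumptions made for illustration. The vulnerable function trusts the account id from the request; the hardened one decides from the session's identity and denies by default.

```python
"""Broken access control: an object-level authorization check.

Added example, not code from the original post. The user and account
records, the team rule and the function names are assumptions made for
illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    team: str
    is_admin: bool = False


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    team: str


class Forbidden(Exception):
    pass


# Constructed sample data standing in for the user and account tables.
USERS = {
    "alice": User("alice", team="payments"),
    "bob": User("bob", team="payments"),
    "carol": User("carol", team="hr"),
    "root": User("root", team="it", is_admin=True),
}
ACCOUNTS = {
    101: Account(101, owner="alice", team="payments"),
    102: Account(102, owner="carol", team="hr"),
}


def view_account_vulnerable(current_user: str, account_id: int) -> Optional[Account]:
    """The flaw: the id comes straight from the request (?id=102) and is
    looked up without asking whether current_user may see that row, so any
    logged-in user can read any account by changing the number."""
    return ACCOUNTS.get(account_id)


def can_view(user: User, account: Account) -> bool:
    """Deny by default; allow the owner, members of the owning team, or an admin."""
    if user.is_admin:
        return True
    if account.owner == user.name:
        return True
    if account.team == user.team:
        return True
    return False


def view_account(current_user: str, account_id: int) -> Account:
    """Hardened: the decision is made server-side from the session's identity."""
    user = USERS.get(current_user)
    if user is None:
        raise Forbidden("unknown user")
    account = ACCOUNTS.get(account_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not tell an attacker which ids are valid.
    if account is None or not can_view(user, account):
        raise Forbidden("account not accessible")
    return account


def access_allowed(current_user: str, account_id: int) -> bool:
    """True if view_account would succeed; convenient for tests and audits."""
    try:
        view_account(current_user, account_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("bob -> 102 (vulnerable):", view_account_vulnerable("bob", 102))
    print("bob -> 102 (hardened):", access_allowed("bob", 102))
```

In a real web framework `current_user` comes from the verified session, never from a request parameter, and every denial should be logged so that an attacker walking through ids shows up in monitoring.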
A02: Cryptographic Failures
This category was called "Sensitive Data Exposure" in OWASP Top 10:2017, where it sat at 3rd place; in 2021 it moves up to 2nd and is renamed to point at the root cause, failures in how cryptography is used. Some of the causes are:
- sensitive data not encrypted in transit or at rest
- weak or deprecated cryptographic algorithms (for example MD5 or SHA-1 for storing passwords, or outdated TLS versions)
- passwords, keys and other secrets hard-coded in source code, where they end up exposed in repositories and code reviews
A03: Injection
Injection dropped from 1st place to 3rd. In an injection flaw, an attacker supplies input that the application passes to an interpreter (a database, a shell, an LDAP directory) as part of a command, so the attacker's data is executed as code. There are many kinds of injection; SQL injection is the one seen most often. For example, suppose an account lookup builds its SQL query by concatenating the id parameter taken from the URL. An attacker who wants every record in the table sends
http://example.com/app/accountView?id=' OR '1'='1
which turns the WHERE clause into `id = '' OR '1'='1'`, a condition that is true for every row.
Besides SQL injection there are NoSQL, OS command, ORM, LDAP and expression-language injection, among others.
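The accountView lookup above, written both ways, as an added example that is not code from the original post. The schema and rows are constructed and held in an in-memory SQLite database; the payload is the one from the URL in the text.

```python
"""SQL injection: string-built query versus a parameterized one (sqlite3).

Added example, not code from the original post. The schema, the rows and the
accountView lookup are constructed for illustration.
"""
import sqlite3

PAYLOAD = "' OR '1'='1"  # the id value from the URL in the text above


def make_db() -> sqlite3.Connection:
    """Constructed accounts table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 250), ("1002", "bob", 4000), ("1003", "carol", 75)],
    )
    return conn


def account_view_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """The flaw: untrusted input is spliced into the statement text. With the
    payload the statement becomes
        SELECT id, owner, balance FROM accounts WHERE id = '' OR '1'='1'
    and every row matches."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()


def account_view(conn: sqlite3.Connection, account_id: str) -> list:
    """Hardened: the value is bound as a parameter, so it is never parsed as SQL.
    The payload is simply compared, as a string, against the id column."""
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", account_view_vulnerable(db, "1001"))
    print("vulnerable, payload   :", account_view_vulnerable(db, PAYLOAD))
    print("parameterized, payload:", account_view(db, PAYLOAD))
```

Parameter binding is the fix; escaping the quote characters by hand is not, because every interpreter has its own rules and a single missed case reopens the hole.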
A04: [New] Insecure Design
This category is new in the 2021 list. Although newly listed, insecure design is a root cause behind many of the other categories. Design is the blueprint from which software is built, and a design that ignores security leaves flaws that no amount of careful coding can fully remove.
Design is not only the phase before development starts. Security needs attention in design, during development and during testing, because a flaw that is baked into the design is far more expensive to fix later than one caught up front.
In other words, certain questions need to be tracked throughout the software lifecycle: Which controls are needed to avoid the identified risks (threat modelling is the usual way to find out)? Do those controls actually exist? If so, do they work? Are we using frameworks and patterns that make the secure path the default? Is security testing part of every level of testing?
Following this consistently greatly improves the chances of keeping an application safe.
A05: Security Misconfiguration
This moved up from 6th place in 2017 to 5th in 2021. Typical causes are permissions on cloud services that are not configured correctly; unnecessary features left enabled (open ports, unused services, default accounts, excessive privileges); and security features that are disabled or left at insecure defaults after a software upgrade.
For example (source: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/): directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a severe access control flaw in the application.
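The directory-listing scenario reproduced with Python's built-in http.server, as an added example that is not code from the OWASP page or the post. The stock handler lists any directory without an index.html, which is exactly the misconfiguration described; the hardened handler refuses. The directory layout and file contents are constructed, and the server only ever binds to localhost on an ephemeral port.

```python
"""Security misconfiguration: directory listing left enabled.

Added example, not code from the OWASP page or the post. Python's built-in
http.server lists a directory that has no index.html, which is the default
the OWASP scenario describes; the hardened handler refuses to. The
directory layout and the file contents are constructed.
"""
import http.client
import http.server
import os
import tempfile
import threading


class DefaultHandler(http.server.SimpleHTTPRequestHandler):
    """Stock behaviour: GET on a directory without index.html returns a listing."""

    def log_message(self, format, *args):  # silence request logging
        pass


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Hardened: serve files, but never enumerate a directory."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None  # send_head() treats None as "response already sent"

    def log_message(self, format, *args):
        pass


def make_site() -> str:
    """Constructed document root with a compiled class left in a web-visible path."""
    root = tempfile.mkdtemp()
    classes = os.path.join(root, "WEB-INF", "classes")
    os.makedirs(classes)
    with open(os.path.join(classes, "Account.class"), "wb") as f:
        f.write(b"\xca\xfe\xba\xbe")  # stand-in bytes, not a real class file
    return root


def fetch_status(handler_cls, path: str) -> int:
    """Serve make_site() on an ephemeral localhost port, GET path, return the status."""
    root = make_site()

    def factory(*args, **kwargs):
        return handler_cls(*args, directory=root, **kwargs)

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", path)
        response = conn.getresponse()
        response.read()
        conn.close()
        return response.status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("default  GET /WEB-INF/classes/ ->", fetch_status(DefaultHandler, "/WEB-INF/classes/"))
    print("hardened GET /WEB-INF/classes/ ->", fetch_status(NoListingHandler, "/WEB-INF/classes/"))
```

The same lesson applies to production servers: the equivalent knobs are `autoindex off` in nginx and `Options -Indexes` in Apache, and a compiled class or a `.git` directory should not be under the web root in the first place.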
A06: Vulnerable and Outdated Components
A vulnerable or outdated component is a library, framework, runtime or other building block that is no longer supported, or in which a vulnerability has been found, so that everything built on it inherits the risk. Continuing to run such components without upgrading can lead to serious breaches.
For example, suppose a library in the code base is identified as vulnerable and a patched version has been released. If the old version is still in use, or if the patched version was added but the vulnerable one was never removed, that clean-up needs to be prioritised. More generally: keep an inventory of every component and its version, client side and server side; upgrade on a regular schedule; and remove unused dependencies, unnecessary features, components, files and documentation, so there is less to keep patched.
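A small audit of a requirements file that catches the situation just described (an old pin left beside the new one, and a dependency nothing uses), as an added example that is not code from the original post. The requirements text, the fictional package names and the minimum-version policy are all constructed; in practice the policy would come from a scanner such as pip-audit or OWASP Dependency-Check.

```python
"""Spotting outdated and leftover pins in a requirements file.

Added example, not code from the original post. The requirements text, the
package names (fictional) and the minimum-version policy are constructed;
the policy stands in for advisory data from a scanner such as pip-audit or
OWASP Dependency-Check.
"""
import re

# Constructed policy: the oldest acceptable version of each package.
MINIMUM_OK = {"examplelib": "2.10.1", "otherpkg": "1.4.0"}

# Constructed requirements.txt showing the situation described above.
REQUIREMENTS = """\
examplelib==2.9.3
examplelib==2.10.1   # upgraded, but the old pin above was never removed
otherpkg==1.4.2
unusedpkg==0.1.0     # nothing in the code imports this any more
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 2.10.0 sorts after 2.9.3 (string order gets it wrong)."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> list:
    """Return [(name, version), ...] for every '==' pin, ignoring comments."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = _PIN.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
    return pins


def audit(text: str, minimum_ok: dict, imported: set) -> dict:
    """Flag pins below the policy floor, packages pinned twice, and pins that
    nothing in the code base imports (imported is the set of package names
    actually used; constructed by the caller here)."""
    report = {"outdated": [], "duplicates": [], "unused": []}
    seen = set()
    for name, version in parse_requirements(text):
        if name in seen and name not in report["duplicates"]:
            report["duplicates"].append(name)
        seen.add(name)
        floor = minimum_ok.get(name)
        if floor and parse_version(version) < parse_version(floor):
            report["outdated"].append(f"{name}=={version} (need >= {floor})")
    report["unused"] = sorted(name for name in seen if name not in imported)
    return report


if __name__ == "__main__":
    for key, items in audit(REQUIREMENTS, MINIMUM_OK, {"examplelib", "otherpkg"}).items():
        print(f"{key}: {items}")
```

The version comparison is the part people get wrong by hand: "2.10.1" is newer than "2.9.3", but a plain string comparison says the opposite, which is how an "upgrade" check can pass while the old version is still installed.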
A07: Identification and Authentication Failures
Weaknesses in confirming a user's identity, in authentication and in session management lead to this risk. Some of the scenarios: the application accepts weak or easily guessed passwords; it lacks multi-factor authentication, so a password alone identifies the user; it exposes crucial information such as session ids in URLs; or it permits unlimited login attempts, which makes brute-force and credential-stuffing attacks practical.
Enforcing multi-factor authentication, checking new passwords against lists of weak and breached passwords, preventing a user from reusing an old password when they change to a new one, and limiting failed login attempts are some of the ways to reduce this risk.
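One block that serves both A02 (how passwords are stored) and A07 (which passwords are accepted), as an added example that is not code from the original post. The common-password list, the history depth of five and the user store are constructed assumptions, and it uses only the standard library's PBKDF2-HMAC-SHA256; with a third-party library, Argon2id or bcrypt would be the usual choice. The MD5 function is the anti-pattern, kept only to show why it is one.

```python
"""Password storage and password policy, weak versus hardened.

Added example serving both A02 (how passwords are stored) and A07 (which
passwords are accepted); not code from the original post. The common-password
list, the history depth and the user store are constructed assumptions. It
uses only the standard library (PBKDF2-HMAC-SHA256); with a third-party
library Argon2id or bcrypt would be the usual choice.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
HISTORY_DEPTH = 5             # A07: block reuse of the last N passwords
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def weak_hash(password: str) -> str:
    """A02 anti-pattern: fast and unsalted. Equal passwords give equal hashes
    (a leak shows who shares one), and MD5 is cheap to brute-force offline."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Stored as 'pbkdf2_sha256$<iterations>$<salt>$<digest>'
    so the parameters can be raised later without invalidating old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: no timing signal about matching prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_problems(candidate: str, history: list) -> list:
    """A07 checks. Returns a list of reasons; empty means acceptable."""
    problems = []
    if len(candidate) < 12:
        problems.append("too short (minimum 12 characters)")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    if any(verify_password(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


# Verified for unknown users so that a login attempt costs the same time
# whether or not the account exists (no username enumeration via timing).
DUMMY_HASH = hash_password("dummy-password-never-accepted")


class UserStore:
    def __init__(self):
        self._history = {}  # username -> list of password hashes, newest last

    def set_password(self, username: str, password: str) -> list:
        """Apply the policy; store the new hash only if there are no problems."""
        history = self._history.get(username, [])
        problems = password_problems(password, history)
        if not problems:
            self._history[username] = history + [hash_password(password)]
        return problems

    def login(self, username: str, password: str) -> bool:
        history = self._history.get(username)
        stored = history[-1] if history else DUMMY_HASH
        return verify_password(password, stored) and history is not None
```

Two details worth noticing: the stored string carries its own parameters, so the iteration count can be raised for new hashes while old ones still verify, and the password history is checked by verifying the candidate against the stored hashes rather than by keeping old passwords in clear text.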
A08: [New] Software and Data Integrity Failures
This category covers code and infrastructure that do not protect the integrity of software and data. For example, an insecure CI/CD pipeline can give an attacker unauthorised access to the build or a way to slip malicious code into it. Another example is an application with auto-update functionality that downloads new updates and applies them without verifying their integrity.
An attacker can exploit that to distribute their own update and have it run on every installation. Verifying digital signatures on software and updates, and using a software supply chain tool such as OWASP Dependency-Check (or an SBOM standard such as OWASP CycloneDX to record what is in the build) to confirm that components do not contain known vulnerabilities, help reduce this risk.
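The integrity check that the auto-update scenario above is missing, as an added example that is not code from the original post. The update payload, its tampered copy and the pinned digest are constructed; the digest table stands in for something the client obtained over a trusted channel (for instance shipped inside the signed client binary). A real updater verifies a signature over the update manifest, so that whoever controls the download server cannot publish a fresh digest alongside a malicious file.

```python
"""Verifying an update before it is installed (software integrity).

Added example, not code from the original post. The update payload, the
tampered variant and the pinned digest are constructed. The digest table
stands in for data the client obtained over a trusted channel; a real
updater verifies a signature over the manifest instead of a bare hash.
"""
import hashlib
import hmac


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed update artefacts: a harmless script and a tampered copy of it.
GOOD_UPDATE = b"#!/bin/sh\necho 'app 2.3.1 installed'\n"
TAMPERED_UPDATE = GOOD_UPDATE + b"echo 'extra command injected by the attacker'\n"

# Constructed: digests the client trusts, keyed by version.
TRUSTED_DIGESTS = {"2.3.1": sha256_hex(GOOD_UPDATE)}


def install_unverified(version: str, payload: bytes) -> bytes:
    """A08 anti-pattern: whatever came back from the update URL gets installed."""
    return payload


def verify_update(version: str, payload: bytes) -> bytes:
    """Return the payload only if its digest matches the pinned value for version."""
    expected = TRUSTED_DIGESTS.get(version)
    if expected is None:
        # Unknown version: refuse rather than fall back to "trust it anyway".
        raise IntegrityError(f"no trusted digest for version {version}")
    actual = sha256_hex(payload)
    # compare_digest: constant-time comparison, a good habit for any check
    # that gates on secret-derived or security-relevant values.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError("digest mismatch; refusing to install")
    return payload


def update_is_valid(version: str, payload: bytes) -> bool:
    try:
        verify_update(version, payload)
    except IntegrityError:
        return False
    return True


if __name__ == "__main__":
    print("genuine update accepted:", update_is_valid("2.3.1", GOOD_UPDATE))
    print("tampered update accepted:", update_is_valid("2.3.1", TAMPERED_UPDATE))
```

The same pattern applies to build inputs: a CI pipeline that pins each dependency by digest, not just by version number, cannot be fed a substituted package by a compromised mirror.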
A09: Security Logging and Monitoring Failures
Insufficient logging, or logs that nobody monitors, let suspicious activity in the application go unnoticed for a long time. An example of this (source: https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/): a major Indian airline had a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The breach occurred at a third-party cloud hosting provider, which notified the airline of it only after some time. Logging does not stop an attack by itself, but with effective log monitoring the breach would have been detected far earlier, and the damage limited.
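What "monitoring the logs" means in code: a detector that reads authentication events and raises an alert on a burst of failures from one source, and a louder one when a success follows that burst. This is an added example, not code from the original post or the OWASP page; the log format, the lines and the addresses are constructed, and the threshold and window are assumptions to tune per application.

```python
"""Turning authentication logs into an alert: failed-login burst detection.

Added example, not code from the original post. The log format, the lines
and the IP addresses are constructed; the threshold and window are
assumptions to be tuned per application.
"""
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 5   # failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds raise an alert

# Constructed log: one credential-stuffing burst, then a normal user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.9
2024-03-01T10:00:03Z auth result=fail user=bob src=203.0.113.9
2024-03-01T10:00:04Z auth result=fail user=carol src=203.0.113.9
2024-03-01T10:00:06Z auth result=fail user=dave src=203.0.113.9
2024-03-01T10:00:07Z auth result=fail user=erin src=203.0.113.9
2024-03-01T10:00:09Z auth result=success user=erin src=203.0.113.9
2024-03-01T10:05:00Z auth result=fail user=alice src=198.51.100.4
2024-03-01T10:30:00Z auth result=success user=alice src=198.51.100.4
"""


def parse_line(line: str):
    """'<timestamp> auth key=value ...' -> (datetime, result, user, src)."""
    ts_text, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["result"], fields["user"], fields["src"]


def detect(log_text: str) -> list:
    """Sliding-window count of failures per source; returns alert strings."""
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    users_tried = defaultdict(set)         # src -> usernames seen in failures
    flagged = set()                        # sources already alerted on
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()               # drop failures older than the window
        if result == "fail":
            window.append(ts)
            users_tried[src].add(user)
            if len(window) >= FAILURE_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(
                    f"{ts.isoformat()} brute-force: {len(window)} failures from {src} "
                    f"within {WINDOW_SECONDS}s, {len(users_tried[src])} distinct usernames"
                )
        elif result == "success" and len(window) >= FAILURE_THRESHOLD:
            # A success right after a burst is the event worth paging on.
            alerts.append(f"{ts.isoformat()} success for {user} from {src} after a failure burst")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

For this to work at all, the application has to log every login attempt with outcome, username and source address, and the logs have to reach a place where a rule like this actually runs. Many distinct usernames from one source within seconds is the signature of credential stuffing rather than a user who forgot their password.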
A10: [New] Server-Side Request Forgery (SSRF)
SSRF is new in the 2021 list. It sits at 10th place because the data showed relatively few occurrences so far, but it was added because the risk is growing and practitioners in the community survey ranked it highly. In SSRF the attacker gets the server to make a request on their behalf: the application fetches a remote resource from a user-supplied URL without validating it, so the attacker can make the server talk to internal systems that are not reachable from outside, even behind a firewall or VPN. That can lead to disclosure of internal data, scanning of internal networks, or denial of service.
Another example (source: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/): access to the metadata storage of cloud services. Most cloud providers expose instance metadata at http://169.254.169.254/ and an attacker can read the metadata to gain sensitive information.
To prevent this risk, measures are needed at several layers of the application: at the network layer, segment remote-resource access into separate networks and enforce deny-by-default egress firewall rules; at the application layer, validate and sanitise user-supplied URLs, allowlist the schemes, ports and destinations the server may contact, disable HTTP redirections, and never send the raw response back to the client.
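The application-layer part of that defence, as an added example that is not code from the original post or the OWASP page. The hostname allowlist and the test URLs are constructed. Hostnames are only matched against the allowlist here; after DNS resolution every resulting address must also pass `address_is_fetchable()`, and the connection must be made to that checked address, otherwise a DNS record that changes between the check and the fetch (rebinding) defeats the check.

```python
"""SSRF defence: validating a user-supplied URL before the server fetches it.

Added example, not code from the original post. The hostname allowlist and
the test URLs are constructed. Hostnames are only matched against the
allowlist; after DNS resolution each resulting address must pass
address_is_fetchable() too, and the fetch must go to that checked address.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed
ALLOWED_SCHEMES = {"http", "https"}


def address_is_fetchable(text: str) -> bool:
    """Reject loopback, link-local (169.254.0.0/16, which includes the cloud
    metadata endpoint), RFC 1918, multicast, reserved and IPv4-mapped IPv6
    addresses: only globally routable addresses may be contacted."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as IPv4
    return ip.is_global


def check_outbound_url(url: str) -> str:
    """Return url if the server may fetch it; raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        # http://images.example.com@10.0.0.5/ names 10.0.0.5, not the allowlisted host
        raise ValueError("credentials in URL are not allowed")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("literal IP addresses are not allowed; use an allowlisted hostname")
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def url_is_safe(url: str) -> bool:
    try:
        check_outbound_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://images.example.com@10.0.0.5/",
    ):
        print(url_is_safe(candidate), candidate)
```

An allowlist of destinations is the strongest control; the address classification exists for the resolved addresses and for the cases where an allowlist is not possible. Redirects must be followed through the same check, since an allowlisted host that returns a 302 to http://169.254.169.254/ is as dangerous as the original URL.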
Yay!!! That is all about the latest Top 10 from OWASP. Let's start applying security practices in all of our projects, keeping the risks listed above in mind, if we were not doing so already.
This article gives a basic-level understanding of these topics. I have just shared what I have learnt as a beginner in the security domain. Please comment your opinion below. I would love to hear improvements from you all, as this is my very first blog!!!😁