CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
The Open Web Application Security Project (OWASP) recently updated its top 10 list of the most critical security risks to web applications, four years after the previous edition. It represents the most radical shake-up since the list was introduced in 2003. The changes will undoubtedly have a big impact on how businesses address application security going forward. This article looks at three of the most significant changes in the new top 10.
This time OWASP took a more data-driven approach in order to get better insight into current and future threats. Contributing members provided more than 1.5 million data points on the security weaknesses they see. OWASP mapped the data to weakness categories, weighted each category by exploitability and impact, and derived the overall ranking from that.
OWASP also included survey data from security professionals about emerging threats. For example, the incidence rate of Server-Side Request Forgery (SSRF) in the contributed data is still low, but practitioners rated it very highly in the survey and expect it to increase significantly. SSRF lets an attacker make a vulnerable server issue HTTP requests on the attacker's behalf, reaching internal services, cloud metadata endpoints and other resources that are never exposed to the internet, which is a very serious risk. So SSRF became a new category (A10:2021) this year.
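The usual defence for the "fetch this URL for me" feature SSRF abuses is to validate the destination before the server connects: allow only expected schemes and hosts, refuse literal IP addresses, and resolve the host name and reject anything that lands in a private, loopback or link-local range (the cloud metadata address 169.254.169.254 included). The following is an added example, not code from the original article; the allowlist suffix and the `FAKE_DNS` table are constructed stand-ins so it runs offline, and in a real deployment `resolve` would do an actual DNS lookup.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed policy for an outbound-fetch feature: only partner APIs under this suffix.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOST_SUFFIXES = (".example-partner.com",)  # hypothetical allowlist

# Constructed stand-in for DNS so the example runs without network access.
FAKE_DNS = {
    "api.example-partner.com": ["8.8.8.8"],                  # a public address
    "evil.example-partner.com": ["10.0.0.5"],                # points into the LAN
    "metadata.example-partner.com": ["169.254.169.254"],     # cloud metadata service
}


def resolve(host):
    """Stand-in resolver; swap in socket.getaddrinfo in real code."""
    return FAKE_DNS.get(host, [])


def is_public_ip(addr_str):
    """True only for globally routable addresses; everything else is off-limits."""
    addr = ipaddress.ip_address(addr_str)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=resolve):
    """Return (ok, reason, pinned_ip). Call this before fetching, then connect to
    pinned_ip with the Host header set, so a second DNS lookup cannot swap in an
    internal address (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parsed.username or parsed.password:
        return False, "credentials in URL", None
    host = parsed.hostname
    if not host:
        return False, "no host", None
    # Literal IPs (IPv4 or bracketed IPv6) would bypass the host allowlist entirely.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP not allowed", None
    except ValueError:
        pass
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        return False, "host not in allowlist", None
    addrs = resolver(host)
    if not addrs:
        return False, "unresolvable host", None
    # Every address the name resolves to must be public, not just the first one.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}", None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for candidate in (
        "https://api.example-partner.com/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "https://evil.example-partner.com/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_outbound_url(candidate))
```

The allowlist suffix starts with a dot on purpose: without it, `notexample-partner.com` would pass. Note also that the check rejects a name that resolves to any non-public address, since an attacker who controls a DNS record can return one internal address among several public ones.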
With this new methodology, OWASP is now able to offer comprehensive insight into the most serious current and future threats.
One key change in the new top 10 list is the inclusion of several categories (e.g. Insecure Design, A04:2021, and Software and Data Integrity Failures, A08:2021) that recognize the industry has to start with better application design practices to improve security.
Many application vulnerabilities creep into software because secure design principles are not followed from the outset. In the race for faster app development, corners are cut. Automated CI/CD pipelines make it easy to pull in plugins, libraries or software modules whose integrity is never verified, which is exactly what A08:2021 covers, and the problem is getting worse. Businesses must ensure that all their software components come from reputable sources, pin them to known versions and verify their hashes or signatures at build time, and use software supply chain tools to check them for known vulnerabilities.
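What "verify at build time" looks like in practice is a lockfile that records not just a version but the expected digest of every artifact, and an install step that refuses anything unpinned or mismatched (pip's `--require-hashes` mode behaves this way). The following is an added example, not code from the original article or from pip: a small parser for a hash-pinned requirements file in pip's style plus a verifier, with the lockfile and the artifacts constructed inline so the example runs offline.

```python
import hashlib
import re

# Constructed artifacts: the bytes a pipeline would download from a package index.
GOOD_SDIST = b"constructed bytes standing in for requests-2.31.0.tar.gz\n"
TAMPERED_SDIST = GOOD_SDIST + b"# injected post-install hook\n"

# Constructed lockfile in pip's --hash style; the digest was taken from GOOD_SDIST
# when the dependency was pinned. urllib3 is pinned by version only, on purpose.
LOCKFILE = (
    "# constructed lockfile (assumed format: name==version --hash=sha256:...)\n"
    "requests==2.31.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"
    "urllib3==2.1.0\n"
)


def parse_lockfile(text):
    """Parse a hash-pinned requirements file into {name: (version, {sha256 hex})}.
    Handles comments and backslash line continuations; rejects unpinned lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf.strip():
        logical.append(buf)

    pinned = {}
    for entry in logical:
        tokens = entry.split()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-+!]+)", tokens[0])
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {tokens[0]}")
        hashes = set()
        for tok in tokens[1:]:
            hm = re.fullmatch(r"--hash=sha256:([0-9a-f]{64})", tok)
            if not hm:
                raise ValueError(f"unsupported option in lockfile: {tok}")
            hashes.add(hm.group(1))
        pinned[m.group(1).lower()] = (m.group(2), hashes)
    return pinned


def verify_artifact(name, version, data, pinned):
    """Return (ok, reason). Install only what is pinned with a matching digest."""
    entry = pinned.get(name.lower())
    if entry is None:
        return False, "package not in lockfile"
    want_version, hashes = entry
    if version != want_version:
        return False, f"version {version} != pinned {want_version}"
    if not hashes:
        return False, "no hash pinned; refusing to install"
    if hashlib.sha256(data).hexdigest() not in hashes:
        return False, "sha256 mismatch"
    return True, "ok"


PINNED = parse_lockfile(LOCKFILE)

if __name__ == "__main__":
    print(verify_artifact("requests", "2.31.0", GOOD_SDIST, PINNED))
    print(verify_artifact("requests", "2.31.0", TAMPERED_SDIST, PINNED))
    print(verify_artifact("urllib3", "2.1.0", b"whatever the index served", PINNED))
```

The important design choice is the failure mode: a dependency with a version but no digest is rejected rather than installed, because a version number alone says nothing about what the index actually served. Several hashes per package are allowed so that a source tarball and platform wheels can be pinned side by side.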
Injection attacks, which held the number 1 spot in every edition from 2010 to 2017, are now ranked number 3 (A03:2021), with cross-site scripting folded into the category. While this is welcome news, we cannot claim victory just yet. Your valuable data is still very much at risk from vulnerable apps that let bad actors run unauthorized queries and commands and reach the sensitive corporate information your business depends on.
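The root cause of injection has not changed: untrusted input is spliced into a statement so that data becomes code. The following added example (not code from the original article) shows the vulnerable and the parameterized form of the same lookup against a constructed in-memory SQLite table, and what a classic `' OR '1'='1` payload does to each. The table contents are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a customer records store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "000-00-0001"),
        (2, "bob", "000-00-0002"),
        (3, "carol", "000-00-0003"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = f"SELECT id, name, ssn FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized: the statement is fixed and the value travels separately,
    so the same payload is compared literally against the name column."""
    return conn.execute(
        "SELECT id, name, ssn FROM customers WHERE name = ?", (name,)
    ).fetchall()


PAYLOAD = "x' OR '1'='1"   # becomes ... WHERE name = 'x' OR '1'='1' in the vulnerable query


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "bob"))
    print("vulnerable, payload:     ", lookup_vulnerable(conn, PAYLOAD))   # every row
    print("safe, payload:           ", lookup_safe(conn, PAYLOAD))         # nothing
```

The same principle applies outside SQL: pass shell arguments as a list instead of a string, build LDAP and XPath filters with escaping libraries, and treat a templating engine's expression syntax as code too.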
Injection has been replaced at the top of the list by Broken Access Control (A01:2021). OWASP reported that 94% of the applications in its data set were tested for some form of broken access control, with an average incidence rate of 3.81%, and that the category had more occurrences than any other in the data. A staggering amount!
Due to the increased availability of standardized authentication frameworks, which are easier to adopt correctly than home-grown login code, Identification and Authentication Failures (A07:2021) has dropped in the ranking from number 2 to number 7.
This shows that while businesses have got better at establishing who can access an application, they have neglected to enforce what an authenticated user, process or device is allowed to do inside it. Authentication and authorization have to be designed together: a login check that is not followed by a per-object, per-function authorization check is exactly the pattern behind A01:2021.
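The gap between "who are you" and "what may you do" is easiest to see in a handler that looks up a record by a client-supplied id. The following added example (not code from the original article) contrasts a handler that stops at authentication with one that adds an object-level authorization check; the session store, role table and invoice table are constructed stand-ins, and the handlers return an HTTP-style status code instead of raising so the outcomes are easy to compare.

```python
# Constructed stand-ins for a session store, a role table and an invoice table.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-auditor": "auditor"}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "auditor": {"auditor"}}
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 80.0},
}


def authenticate(token):
    """Authentication: who is calling? Returns the user id or None."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token, invoice_id):
    """Handler that stops at authentication. Any logged-in user can read any
    invoice by guessing its id: the A01:2021 pattern often called IDOR."""
    user = authenticate(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def can_read_invoice(user, invoice):
    """Authorization: may this caller read this object? Deny by default;
    allow the owner or anyone holding the auditor role."""
    return invoice["owner"] == user or "auditor" in ROLES.get(user, set())


def get_invoice(token, invoice_id):
    """Hardened handler: authentication followed by an object-level check."""
    user = authenticate(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(user, invoice):
        # Same answer for "does not exist" and "not yours", so the id space
        # cannot be enumerated by comparing responses.
        return 404, None
    return 200, invoice


if __name__ == "__main__":
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable("tok-bob", 101))
    print("bob reads alice's invoice (hardened): ", get_invoice("tok-bob", 101))
    print("auditor reads bob's invoice:           ", get_invoice("tok-auditor", 102))
```

Keeping the decision in one function (`can_read_invoice`) rather than scattering `if` statements through handlers is what makes the rule testable and reviewable, and it is the place to add tenant or organization checks later without touching every endpoint.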
The 2021 OWASP top 10 list is a big step forward. OWASP's expansion of security to the left, with the inclusion of new categories and significant changes to the rankings, will require businesses to re-evaluate their application security posture holistically. Addressing security earlier in the application development lifecycle will prevent many of the common attacks, but businesses must complement this with robust, proven and scalable security protections on the "right", such as web application firewalls. It is not just about shifting left; it is about expanding to the left. You need both "left" and "right" security for a better multilayer security posture.