OWASP Announces Top 10 Web Application Security Threats for 2021

Open Web Application Security Project (OWASP) is a community-led, non-profit organization dedicated to improving software security. It provides free, open-source projects, tools, resources, and events. 

On September 8, OWASP announced its highly-anticipated release of the OWASP Top 10, an essential guide for organizations to minimize risk and adopt security best practices. Created by a team of leading security experts from all around the world, this document uncovers the top 10 most critical application security threats in 2021. 

Since 2017, the last time the OWASP Top 10 was updated, the threat landscape has completely changed. We’ve experienced a boom in big data, a paradigm shift to the cloud, and a digital transformation that has inspired all businesses — both big and small — to leverage the data they collect to make better, informed decisions. 

But with this spike in data use, has come a series of unprecedented challenges, and consequently, an urgent need for companies to reevaluate how they can truly protect their data.With that said, let’s dive right into the Top 10 threats. 

1. Broken Access Control

Broken Access Control is now the #1 threat. But are we surprised?

  • 94% of applications that were tested had some form of broken access control.
  • This gives us the greatest paradox of all time: Access control, the default security solution, is the biggest vulnerability facing organizations today. 
  • When users have access to sensitive information they shouldn’t, this can lead to tampering of primary keys, over-privileged access, and exfiltration of sensitive data.
2. Cryptographic Failures (formerly Sensitive Data Exposure)

Sensitive Data Exposure changed to Cryptographic Failures as security experts realized that they were only tapping the surface. 

  • They had identified a symptom rather than the root cause of the security risk.
  • Cryptographic failures, such as encrypting data without signing it or using untested cryptographic primitives, can lead to sensitive data exposure or compromised security systems.
3. Injection

Injection occurs when an attacker sends invalid data or malicious code to a web application that changes the way the application executes in a way that it was not programmed to do. 

  • The most common injection example is a SQL query consuming untrusted data.
  • This vulnerability can allow an attacker to steal entire databases of sensitive information or tamper with existing data, by completely destroying it or modifying it with insert/update/delete functions.
  • Worse yet, it can lead to a host takeover, where the attacker can gain admin rights to database servers and control the server from afar.

4. Insecure Design

Created in 2021, this category pertains to security issues that stem from “missing or ineffective control design.”

  • When effective controls to protect against threats are absent – such as domain logic rules or anti-bot protections – sensitive data can be revealed and exploited. 
  • This calls for “more use of threat modeling, secure design patterns, and reference architectures.”

5. Security Misconfiguration

With more than 33 billion records exposed over the last two years due to misconfigurations in the cloud, we’re not surprised to see this category move up since 2017.  

  • 90% of applications that were tested had a misconfiguration.
  • When security controls are misconfigured (e.g. open to the public, not encrypted, incorrect permissions), applications are extremely vulnerable.
  • One of the most common flaws is keeping default settings, such as passwords, enabled and unchanged.
  • With more data stores being created than ever, it’s critical for companies to monitor and assess the effectiveness and presence of all configuration settings.

6. Vulnerable and Outdated Components

Unpatched or out-of-date systems can lead to exposure of sensitive data. 

  • Out-of-date or unsupported systems, such as OS, web or application services, database management systems, and APIs, can lead to security vulnerabilities. 
  • Unnecessary features, files, documentation, or failure to maintain an accurate inventory of all client-side and server-side components can lead to higher risk of exposure.

7. Identification and Authentication Failures (formerly Broken Authentication)

What was the most popular password in 2020? If you guessed, “password,” then you’re very close. It was #4 on the list – “123456” being the first. Unfortunately, you’d be surprised by how often companies who live by the security-first philosophy, permit the most common and worst passwords. 

  • Authentication vulnerabilities can occur when well-known passwords such as “Password1” are permitted or recovery/forgot password processes are weak and ineffective.
  • Missing or ineffective multi-factor authentication controls, failure to rotate Session IDs or lack of protection against brute-force attacks can also lead to the security vulnerabilities. 
  • Poor passwords can compromise a user’s identity or credentials.

8. Software and Data Integrity Failures

Any code or infrastructure that does not protect against integrity violations can lead to application vulnerabilities. 

  • When data is unencrypted or serialized such that an attacker can see and modify it without some form of integrity check, that data can be tampered with.
  • Insecure CI/CD pipelines or applications that rely on plug-ins or libraries from untrusted sources can also lead to unauthorized access or compromised systems.

9. Security Logging and Monitoring Failures

Without an audit trail or a proper system in place to monitor logs, breaches can go undetected. Worse yet, they can escalate to far more serious attacks. 

  • All events such as logins, failed logins, high-value transactions, warnings or errors should be logged. 
  • Logs that are only stored locally or are not regularly monitored for suspicious activity can also lead to vulnerabilities.
  • Insufficient logging and monitoring can prevent companies from detecting, de-escalating, and responding to attacks.

10. Server-Side Request Forgery

The adoption of cloud environments and their increasingly complex architectures have made server-side request forgery (SSRF) attacks more prevalent and severe. 

  • SSRF vulnerabilities occur when web applications fetch remote resources without validating user-submitted URLs.
  • This allows an attacker to “coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL.”

With every new advancement in technology comes a new way in which our personal lives can be exploited. And with more data at stake than ever, the OWASP Top 10 is further validation that legacy solutions aren’t working, and that each flaw can be fatal to any business. 

“Insanity is doing the same thing over and over again and expecting different results.” - Albert Einstein 

It’s time we finally close the gap – and let’s not stop at just these 10. 

Many of these threats can be solved by Dasera – a data security platform that secures data from creation to deletion. 

  • Broken Access Control: Dasera can analyze and manage permissions to identify who has access to what data. In addition, Dasera goes a step further by monitoring how data is used even among those who have access to prevent data misuse. 
  • Injection: Our query analysis also enables the detection of SQL injection attacks. Since Dasera supports DML analysis, companies can be alerted if an application unexpectedly runs a query that modifies data. 
  • Insecure Design: With Dasera, companies can improve secure design, by finding credentials or sensitive information in unencrypted databases. If applications are incorrectly or improperly giving access to users, Dasera can detect these over-permissions.
  • Security Misconfiguration: Dasera can detect and correct data store misconfigurations. 
  • Security Logging and Monitoring Failures: For companies who do have query logging turned on in their databases, they may not know or have the ability to monitor them at scale. Dasera can automatically ingest and monitor query logs at scale for data misuse. 

To learn more about how Dasera can better protect your data, visit www.dasera.com. To read the full OWASP Top 10 report, click here.

Author

Ani Chaudhuri