The alarming escalation to 40% of data breaches originating from application layer vulnerabilities represents not just a statistic but a clarion call to the industry. This figure marks a significant increase from the 24% reported merely two years prior, underscoring an urgent need for a strategic focus on application security.
Obviously, it is time to pay attention to application security.
The Open Web Application Security Project (OWASP) will give you a running start with their OWASP Top 10. This list is more than a set of guidelines; it’s a strategic tool for web developers and security professionals, spotlighting the most critical security risks in web applications.
(Finite State acquired MergeBase in June 2024.)
The OWASP Top 10 is a pivotal awareness document for web developers and professionals engaged in web application security. It represents a consensus view from experts in the field regarding the most pressing security risks associated with web applications.
By addressing these vulnerabilities, developers can significantly enhance their applications’ security, reduce the risk of data breaches, and protect sensitive information from malicious actors.
The 2021 edition of the OWASP Top 10 is a blend of data-driven insights and expert opinions. It’s a testament to the evolving nature of web security, balancing historical data with current trends and frontline experiences.
Imagine if a dozen of the top cybersecurity experts in the world reviewed your software for security problems. Since application security is generally not well covered in university, college, and bootcamp software courses, they would likely find a lot of problems!
Of course, hiring even a single security expert to review your work is out of reach for a lot of software teams – let alone 12 experts. But you can do the next best thing; you can check out the OWASP Top Ten 2021.
The OWASP Top-10 (2021 Edition) comprises a list of ten critical security vulnerabilities that developers should be acutely aware of when designing, developing, and maintaining web applications.
Let’s take a deeper dive into each of these vulnerabilities to understand their significance:
Broken Access Control vulnerabilities are justifiably considered the most critical security issue, given their complexity and the difficulty in effective verification. Even the most carefully considered access control systems can inadvertently become a conduit for significant security threats.
The data indicates that an average of 3.81% of applications tested had one or more related Common Weakness Enumerations (CWEs), with over 318,000 occurrences. This category encompasses 34 CWEs, more than any other category.
These weaknesses are notoriously challenging to detect, especially by automated processes, thus presenting an attractive target for nefarious actors.
“Cryptographic failures is like it’s equivalent to like you bring an IKEA desk to your house and then because you failed to tighten one of the screws properly, your whole house burns down.”
Moving up the list, Cryptographic Failures, formerly known as Sensitive Data Exposure, can be analogized to the catastrophic consequences of a minor oversight in furniture assembly leading to a devastating house fire. As we progress into a new era of digital security, the necessity for encryption intensifies, along with the imperative to execute it flawlessly under increasing threats to services.
To prevent cryptographic failures, consider using tools such as:
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
While the prevalence of injection attacks has decreased in recent years, they still pose a significant threat. Scanners are highly effective at detecting injection vulnerabilities in code and launching attacks.
How to deal with it?
From the attacker's side, scanners are very good at finding this problem in code and at launching attacks against it. The defense is straightforward: parameterized queries, very strict input validation where you can't parameterize, and configuring your database according to the principle of least privilege.
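The three defenses listed above, shown side by side in an added example (not code from the original post): a string-concatenated query beside its parameterized form, allowlist validation for a sort column (an identifier, which cannot be bound as a parameter), and a read-only connection standing in for a least-privilege database account. The table and rows are constructed inline so it runs offline with SQLite.

```python
import sqlite3

def make_db():
    # Constructed sample data for the example; any real schema works the same way.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn

def find_user_vulnerable(conn, name):
    # Untrusted data is spliced into the command text, so the interpreter
    # cannot distinguish the value from SQL syntax.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Parameterized query: the value is bound and never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

ALLOWED_SORT_COLUMNS = {"id", "name", "email"}

def is_allowed_sort_column(column):
    # Identifiers cannot be parameterized, so the only safe option is a strict
    # allowlist of known column names.
    return column in ALLOWED_SORT_COLUMNS

def list_users_sorted(conn, column):
    if not is_allowed_sort_column(column):
        raise ValueError("invalid sort column")
    return conn.execute("SELECT id, name FROM users ORDER BY " + column).fetchall()

def read_only_view(conn):
    # Least-privilege stand-in: this connection may only read, so even a
    # successful injection cannot modify or delete data. In a real deployment
    # the equivalent is a database account granted SELECT only.
    conn.execute("PRAGMA query_only = 1")
    return conn

def can_write(conn):
    # Probe whether the connection is allowed to change data.
    try:
        conn.execute("INSERT INTO users VALUES (3, 'eve', 'eve@example.com')")
        return True
    except sqlite3.OperationalError:
        return False
```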
Insecure Design highlights the perils inherent in flawed application architecture. The industry is encouraged to integrate threat modeling, establish secure design patterns and principles, and utilize reference architectures to address security concerns at the design phase proactively.
Security Misconfiguration manifests in a striking majority of applications, with an estimated 90% affected. This category has seen a rise in prevalence as software becomes more highly configurable. Security misconfigurations can lead to serious vulnerabilities, and addressing them is crucial for maintaining the integrity of web applications.
Additionally, the former category for XML External Entities (XXE) is now included in this category.
This vulnerability category poses a unique challenge, as it involves testing and assessing the risk of using components that are known to have security issues.
Notably, it is the only category without any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, but it receives default exploit and impact weights of 5.0.
Developers should ensure that they:
Identification and Authentication Failures can have profound implications, often leading to unauthorized system access and consequent data breaches. As such, they can allow attackers to compromise passwords, tokens, or keys, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
This category has been refined to encompass CWEs more closely related to identification failures. While these issues continue to be a staple in the Top 10, the advent of standardized frameworks has enhanced their manageability and effectiveness.
Companies should:
This category concerns relying on software updates, critical data, and continuous integration/continuous deployment (CI/CD) pipelines without properly verifying their integrity.
Failures in this area can have severe consequences, and it is one of the categories with the highest impact ratings based on Common Vulnerabilities and Exposures / Common Vulnerability Scoring System (CVE/CVSS) data.
Security Logging and Monitoring Failures have been broadened to include additional types of lapses and remain challenging to test. Although it is not heavily represented in CVE/CVSS data, failures in this category critically hinder visibility, incident response, and forensic investigation.
Server-Side Request Forgery may occur less frequently, but the security sector accords it a higher-than-average importance due to its exploitation and impact potential. It occurs when an application fetches a remote resource without validating the user-supplied URL. This can allow an attacker to induce the application to fetch an unintended resource, which can lead to unauthorized actions.
Mitigation involves validating and sanitizing all user-supplied input, especially URL data, and implementing robust network-level controls.
The category is emphasized by the security community despite the paucity of data to demonstrate its significance.
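The URL validation and network-level control described above, as an added example that is not part of the original post. The host allowlist and port set are hypothetical; the validator rejects disallowed schemes, embedded credentials, literal IP addresses, non-allowlisted hosts and unexpected ports, and a separate check is meant for the address actually resolved at connect time, since an allowlisted name can still be pointed at an internal address.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service should ever fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

def validate_fetch_url(url):
    """Return a normalized URL if every check passes, otherwise raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    # Literal IPs (127.0.0.1, [::1], 10.x, ...) bypass a name-based allowlist,
    # so reject them before consulting it.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("literal IP addresses are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist: %r" % host)
    if parts.port not in ALLOWED_PORTS:  # .port itself raises on a malformed port
        raise ValueError("port not allowed")
    port = "" if parts.port is None else ":%d" % parts.port
    query = "?" + parts.query if parts.query else ""
    return "%s://%s%s%s%s" % (scheme, host, port, parts.path or "/", query)

def is_safe_fetch_url(url):
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False

def is_public_ip(ip_str):
    """Network-level check for the resolved address: refuse anything that is not
    a globally routable unicast address (loopback, private, link-local, ...)."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
```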
The OWASP Top 10 is an essential resource for web developers, software engineers, and security professionals, aiding in the identification, comprehension, and remediation of the most critical web application security vulnerabilities.
Proactive engagement with these vulnerabilities allows developers to significantly fortify the security of their software, diminish the risk of data breaches, and safeguard sensitive information from malicious entities.
To gain a deeper understanding of these vulnerabilities and how to mitigate them effectively, it’s beneficial to learn from experts in the field. The following panelists provided insights into the OWASP Top-10 (2021 Edition) during a webinar:
Jim Manico
Julius Musseau