OWASP updates Top 10 list with decades-old security risk in #1 spot

The 2021 list shows how far application security has come and how much work is left to do.

OWASP updated its list of the top 10 software security risks for 2021. This chart illustrates the changes from the 2017 version of the list.

Picture: OWASP

Security expert and Veracode CTO Chris Wysopal identified broken access control as a security risk in 1996. OWASP just pushed that software security problem to the first spot in the 2021 update of its Top 10 list. Despite the longevity of that risk, Wysopal describes the latest list as being at the forefront of security best practices, with its emphasis on monitoring the software supply chain at the macro (external APIs and software) and micro (libraries) levels.

"The best evidence of this is that the extremely slow-moving federal government is going to hold vendors accountable for delivering secure software," he said.


He listed NIST's definition of critical software, the setting of minimum standards for vendors, and IoT and software labeling as important elements of President Joe Biden's recent executive order on software security.

"These changes make it so that a buyer of software can easily see what's been done to secure their software," he said.

Wysopal describes the executive order as a long overdue step in the right direction that will strengthen the security of federal agencies and their software supply chain.

"As the government continues to get more detailed about requirements, ratings and labeling, it should share that information with the private sector to ensure that ALL software is held to the same standards," he said.

In the OWASP Top 10: 2021, Broken Access Control moved into first place, up from fifth place on the 2017 Top 10 list. There are also three new categories, four categories with naming and scoping changes, and some consolidation.

  1. Broken access control
  2. Cryptographic failures (previously known as sensitive data exposure)
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures (previously insufficient logging and monitoring)
  10. Server-side request forgery

OWASP notes that some of the category names have changed to focus on the root cause rather than the symptom.

How to interpret the new list

Sean Wright, principal application security engineer at Immersive Labs, said the updated list shows how far appsec has come and how far the work still needs to go.

"Half of the categories in the new list have appeared in every single list since 2003 in some shape or form, so 18 years of technological developments, experiments and learnings has not been enough to remedy these flaws," he said. "This means we need to change our approach to application security."

Wright said adopting a hybrid human/technology approach to resolving these vulnerabilities will improve application security and, hopefully, resolve some of the most impactful issues from the last 20 years.

John Andrews, VP of Global Channel at Invicti, said that the new OWASP Top 10 list takes a wider view than previous editions, which sends a clear message that finding and fixing vulnerabilities is only one part of modern application security.

Andrews said new categories like Insecure Design and Software and Data Integrity Failures reinforce two major industry trends: the move to perform security testing from the early stages of development (shift left) and the recent focus on software supply chain security.

"The flip side of this new big-picture approach is that, unlike early editions, the Top 10 for 2021 is no longer a simple vulnerability testing checklist, which may limit its usefulness as an unofficial but widely used application security standard," he said.

Prioritizing fixes for the top 10 risks

Injection issues and misconfiguration can usually be fixed with a few lines of code, but flaws like Insecure Design can take days or even weeks to fix, Wysopal said.

"This is why it is important to catch some flaws at the design stage or earlier in development, when they can be fixed much more easily," he said.

Wysopal would prioritize fixing #1 broken access control, #3 injection, and #6 vulnerable and outdated components because these flaws are some of the easiest for attackers to find and exploit.
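To make the "few lines of code" point concrete for the #1 category, here is an added example (not from the article or from OWASP) of a broken object-level access check beside its fix, also using parameterized queries so the same handler is not exposed to #3 injection. The invoices table, user ids and amounts are constructed sample data.

```python
"""Added example: broken access control (OWASP 2021 #1) before and after the fix.
The data below is constructed for illustration, not taken from any real system."""
import sqlite3
from typing import Optional, Tuple


def build_sample_db() -> sqlite3.Connection:
    # Constructed sample data: two users, each owning exactly one invoice.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)"
    )
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)", [(1, 100, 250), (2, 200, 975)]
    )
    db.commit()
    return db


def fetch_invoice_broken(db, invoice_id: int, user_id: int) -> Optional[Tuple]:
    # Vulnerable 'before': the caller is authenticated (user_id is known), but
    # the query never checks that the invoice belongs to them, so any user can
    # read any invoice simply by changing the id. This is broken access control.
    cur = db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    )
    return cur.fetchone()


def fetch_invoice_fixed(db, invoice_id: int, user_id: int) -> Optional[Tuple]:
    # Hardened form: authorization is enforced server-side inside the query with
    # a parameterized owner filter (no string building, so no injection path).
    # A non-owner gets None, indistinguishable from 'not found', so the response
    # does not even confirm that the record exists.
    cur = db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, user_id),
    )
    return cur.fetchone()


def access_control_regression_check(db) -> bool:
    # A check a team can keep in CI: user 100 must never read invoice 2 (owned
    # by user 200) but must still be able to read their own invoice 1.
    return (
        fetch_invoice_fixed(db, 2, 100) is None
        and fetch_invoice_fixed(db, 1, 100) == (1, 100, 250)
    )
```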

DevOps and pipeline automation should drive the evolution of security as code (SaC), compliance as code (CaC) and infrastructure as code (IaC) as the next evolution of appsec, Wysopal said.

"In a nutshell, everything that can be code will be code, meaning changes will be released only when new code is pushed into production," he said. "This evolution will dramatically ease the burden on development teams to drive adoption of security tools, making software security second nature."

Wysopal predicts that this approach to software will remove friction from the development process, lower costs and improve compliance with regulations.
