OWASP Top 10 Updated 2021 List
An updated OWASP Top 10 information security standard list, with examples and ways to prevent each risk.
What is OWASP?
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security.
What is OWASP Top 10?
OWASP Top 10 is a ranking of the ten most dangerous information security risks for web applications, compiled by a community of industry experts. It is a standard awareness document for developers and web application security.
OWASP Top 10 2021 updated List
A01:2021-Broken Access Control
94% of applications were tested for some form of broken access control, with an average incidence rate of 3.81%.
Example:
Exposure of Sensitive Information to an Unauthorized Actor
Accessing an API with missing access controls for POST, PUT and DELETE
CORS misconfiguration allows API access from unauthorized/untrusted origins
How to Prevent:
# Except for public resources, deny by default.
# Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage
# Log access control failures, alert admins when appropriate
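The three prevention points above (deny by default, one reusable access-control mechanism, and logging of failures, with CORS restricted to an allow list) worked into one small request handler. This is an added example, not code from the OWASP document; the POLICY table, the ALLOWED_ORIGINS set and the request dict are constructed for illustration.

```python
import logging

log = logging.getLogger("access-control")

# Constructed policy: resource -> HTTP method -> roles allowed.
# Anything not listed here is denied (deny by default).
POLICY = {
    "/api/orders": {
        "GET": {"user", "admin"},
        "POST": {"user", "admin"},
        "DELETE": {"admin"},
    },
    "/api/public/status": {"GET": {"anonymous", "user", "admin"}},
}

# Constructed origin allow list for CORS; an authenticated API should never
# reflect arbitrary origins or answer with "*".
ALLOWED_ORIGINS = {"https://app.example.com"}


def is_allowed(path, method, role):
    """The single, reusable decision point. Unknown paths, methods or roles
    fall through to an empty set and are therefore denied."""
    return role in POLICY.get(path, {}).get(method, set())


def cors_headers(origin):
    """Echo only an allow-listed origin; any other origin gets no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle(request):
    """request is a constructed dict: path, method, role, user and optional origin.
    Returns (status, headers); every denial is logged with the user context."""
    if not is_allowed(request["path"], request["method"], request["role"]):
        log.warning("access denied user=%s role=%s %s %s",
                    request["user"], request["role"],
                    request["method"], request["path"])
        return 403, {}
    return 200, cors_headers(request.get("origin", ""))
```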
A02:2021-Cryptographic Failures
Previously known as Sensitive Data Exposure. Failures related to cryptography (or the lack of it), which often lead to the exposure of sensitive data.
Example:
Use of Hard-coded Password
Broken or Risky Crypto Algorithm
How to Prevent:
# Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs and encrypt it.
# Don’t store sensitive data unnecessarily. Data that is not retained cannot be stolen.
# Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
# Disable caching for responses that contain sensitive data.
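The two example failures above (a hard-coded password and a broken or risky algorithm) next to the corrected form: a standard slow password KDF with a per-user salt, and secrets read from the deployment environment. This is an added example, not code from the OWASP document; the environment variable name and the sample password are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Weak, for contrast: an unsalted fast hash of a password that lives in the
# source code. Both the algorithm choice and the hard-coding are the failure.
WEAK_HARDCODED_HASH = hashlib.md5(b"admin123").hexdigest()  # constructed, do not copy

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended minimum for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Strong: random 16-byte per-user salt and a slow, standard KDF.
    Returns (salt, digest); store both, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def load_secret(name):
    """Secrets such as database passwords come from the deployment environment
    (or a secrets manager), never from a literal in the code base."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not configured")
    return value
```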
A03:2021-Injection
94% of the applications were tested for some form of injection, with a maximum incidence rate of 19% and an average incidence rate of 3%.
Example:
Cross-site Scripting
SQL Injection
How to Prevent:
# Use a safe API, such as a parameterized interface that keeps data separate from the query
# Use positive server-side input validation
# Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection
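The SQL injection example above, shown as a vulnerable lookup next to the hardened one that applies all three prevention points: a parameterized query, positive server-side validation, and a LIMIT on the result set. This is an added example, not code from the OWASP document; the in-memory SQLite table and its rows are constructed.

```python
import re
import sqlite3

# Constructed in-memory database with a few sample rows.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                 [("alice", "alice@example.com"),
                  ("bob", "bob@example.com"),
                  ("carol", "carol@example.com")])

# Positive (allow-list) validation: only the characters a username may contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def find_user_unsafe(username):
    """Vulnerable: string concatenation hands user input straight to the SQL
    interpreter, so the input can change the meaning of the query."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = '" + username + "'"
    ).fetchall()


def find_user_safe(username, limit=1):
    """Hardened: validate first, bind the value as a parameter so it can only
    ever be data, and cap the rows with LIMIT so one remaining bug cannot
    dump the whole table."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? LIMIT ?",
        (username, limit),
    ).fetchall()
```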
A04:2021-Insecure Design
A new category for 2021 that focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. The emphasis is on secure by design.
One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.
How to Prevent:
# Establish secure SDLC process
# Establish and use a library of secure design patterns or paved road ready to use components
# Use threat modeling for critical authentication, access control, business logic, and key flows
# Limit resource consumption by user or service
A05:2021-Security Misconfiguration
90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.% and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category.
Example:
Default accounts and their passwords are still enabled and unchanged
For upgraded systems, the latest security features are disabled or not configured securely
How to Prevent:
# A repeatable hardening process makes it fast and easy to deploy another environment that is appropriately locked down
# Review and update the configurations appropriate to all security notes, updates, and patches as part of the patch management process
# Review Cloud Storage Permissions
# An automated process to verify the effectiveness of the configurations and settings in all environments
A06:2021-Vulnerable and Outdated Components
Vulnerable components are a known issue that is hard to test and to assess the risk of, and this is the only category without any Common Weakness Enumerations.
Example:
Use of Unmaintained Third-Party Components
Vulnerable, unsupported, or out-of-date software
Missing software upgrades
How to Prevent:
# Remove unused dependencies, unnecessary features, components, files, and documentation
# Continuously inventory the versions of both client-side and server-side components (e.g., frameworks, libraries) and their dependencies
# Only obtain components from official sources over secure links
A07:2021-Identification and Authentication Failures
Previously known as Broken Authentication, this category slid down from the second position.
Examples:
Improper Validation of Certificate with Host Mismatch
Improper Authentication
Exposure of the session identifier in the URL
How to Prevent:
# Where possible, implement multi-factor authentication
# Do not ship or deploy with any default credentials, particularly for admin users
# Limit or increasingly delay failed login attempts, but be careful not to create a denial of service scenario
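The last prevention point above, limiting and increasingly delaying failed login attempts without turning the limiter into a denial-of-service tool, as an added example that is not code from the OWASP document. The delay schedule and the 60-second cap are constructed choices; the throttle is per account only and would be paired with a per-source-IP limit in practice.

```python
import time

# Cap on the back-off so a flood of bad attempts cannot lock a legitimate user
# out indefinitely (the denial-of-service concern in the guidance above).
MAX_DELAY_SECONDS = 60.0


class LoginThrottle:
    """Per-account tracking of consecutive failures with an increasing delay.
    `now` is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self):
        self.failures = {}  # account -> (consecutive failures, not-before timestamp)

    @staticmethod
    def delay_for(count):
        # 0, 1, 2, 4, 8, ... seconds after each failure, capped at MAX_DELAY_SECONDS
        return 0.0 if count == 0 else min(2.0 ** (count - 1), MAX_DELAY_SECONDS)

    def check(self, account, now=None):
        """False means: reject the attempt now, before even checking the password."""
        now = time.time() if now is None else now
        _, not_before = self.failures.get(account, (0, 0.0))
        return now >= not_before

    def record_failure(self, account, now=None):
        """Bump the counter and return the delay the client must wait."""
        now = time.time() if now is None else now
        count, _ = self.failures.get(account, (0, 0.0))
        count += 1
        delay = self.delay_for(count)
        self.failures[account] = (count, now + delay)
        return delay

    def record_success(self, account):
        """A successful login clears the failure history for that account."""
        self.failures.pop(account, None)
```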
A08:2021-Software and Data Integrity Failures
A new category for 2021 that focuses on assumptions made about software updates, critical data, and CI/CD pipelines without verifying their integrity.
Examples:
Inclusion of Functionality from Untrusted Control Sphere
Download of Code Without Integrity Check
How to Prevent:
# Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered.
# Ensure libraries and dependencies, such as npm or Maven, are consuming trusted repositories.
# Ensure that your CI/CD pipeline has proper segregation, configuration, and access control to ensure the integrity of the code flowing through the build and deploy processes
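The first two prevention points above (verify that a component has not been altered, and consume only trusted repositories) applied to the "Download of Code Without Integrity Check" example. This is an added example, not code from the OWASP document; the artifact bytes, the pinned digest and the repository allow list are constructed, and a pinned SHA-256 from a lock file stands in for the digital signature the guidance mentions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed: a package "downloaded" by the build and the SHA-256 digest that
# was pinned for it in the lock file. In a real build the digest is a literal
# recorded when the dependency was first reviewed, not computed at install time.
ARTIFACT = b"module.exports = function add(a, b) { return a + b; };\n"
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed allow list of repositories the build may fetch from, https only.
TRUSTED_REPOSITORIES = {"registry.npmjs.org", "repo.maven.apache.org"}


def trusted_source(url):
    """Only fetch dependencies from an approved repository over TLS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_REPOSITORIES


def verify_artifact(data, expected_sha256):
    """True only if the downloaded bytes hash to the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def install(data, expected_sha256, source_url):
    """Refuse to use a component whose origin or digest does not check out."""
    if not trusted_source(source_url):
        raise RuntimeError("dependency source is not a trusted repository")
    if not verify_artifact(data, expected_sha256):
        raise RuntimeError("integrity check failed: digest does not match lock file")
    return "installed"
```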
A09:2021-Security Logging and Monitoring Failures
Logging and monitoring can be challenging to test, often involving interviews or asking whether attacks were detected during a penetration test.
Examples:
Insufficient Logging to include
Insertion of Sensitive Information into Log File
How to Prevent:
# Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts.
# Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
# Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion.
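The first two prevention points above, logging failures with user context and encoding log data so it cannot be used to inject forged entries, together with the "Insertion of Sensitive Information into Log File" example. This is an added example, not code from the OWASP document; the sensitive-key list and the sample login failure are constructed.

```python
import json
import re

# Fields that must never reach a log file, whatever the caller passes in.
SENSITIVE_KEYS = {"password", "token", "authorization", "secret", "cookie"}

# CR, LF and other control characters: the raw material of log forging.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def encode_field(value):
    """Escape control characters so untrusted input cannot start a new log line
    or corrupt the record; a newline becomes the visible text \\x0a."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def redact(context):
    """Mask secrets and encode everything else."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else encode_field(v))
            for k, v in context.items()}


def security_event(event, **context):
    """One single-line JSON record per security-relevant failure (failed login,
    access-control denial, rejected input) with enough context to investigate."""
    record = {"event": encode_field(event)}
    record.update(redact(context))
    return json.dumps(record, sort_keys=True)


# Constructed sample: a login failure where the attacker-controlled username
# tries to smuggle in a fake "login_ok" line, and the password must not be logged.
SAMPLE = security_event("login_failed", user="bob\nevent=login_ok",
                        ip="203.0.113.5", password="hunter2")
```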
A10:2021-Server-Side Request Forgery
A new category for 2021, with a relatively low incidence rate, above-average testing coverage, and above-average Exploit and Impact potential ratings.
The severity of SSRF is increasing because of cloud services and the growing complexity of architectures.
How to Prevent:
# Sanitize and validate all client-supplied input data
# Do not send raw responses to clients
# Disable HTTP redirections
# Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic
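The four prevention points above (validate the client-supplied URL, do not relay raw responses, disable redirects, deny by default) combined into one outbound-request guard. This is an added example, not code from the OWASP document; the host allow list and the FAKE_DNS table are constructed so the check runs offline, and it goes slightly beyond the text by also rejecting a host that is on the allow list but resolves to a non-public address.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

# Constructed allow list of hosts the server is permitted to call.
ALLOWED_HOSTS = {"images.example.com", "intranet.example.com"}

# Constructed stand-in for DNS so the example runs offline. In production,
# resolve with socket.getaddrinfo and apply the same check to every address.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],   # allow-listed by mistake
    "evil.example": ["169.254.169.254"],    # cloud metadata address
}


def resolve(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def validate_outbound_url(url):
    """Deny by default: https only, host on the allow list, no embedded
    credentials, and every resolved address must be globally routable."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is permitted")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not permitted")
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError("host is not on the allow list")
    addrs = resolve(host)
    if not addrs:
        raise ValueError("host does not resolve")
    for ip in addrs:
        if not ip.is_global:  # covers private, loopback, link-local, reserved
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parts


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError instead of following a
    redirect, so a validated URL cannot bounce to an internal address."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_request(url):
    """Validate, then build the request and a redirect-refusing opener. The
    caller sends it with opener.open(req) and parses the response server-side
    rather than relaying the raw body to the client."""
    parts = validate_outbound_url(url)
    return urllib.request.build_opener(NoRedirect), urllib.request.Request(parts.geturl())
```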