It might not have made Letterman’s list, but that doesn’t mean it’s not important! The OWASP Top 10 provides rankings for the most critical web app security risks. As their last update was in 2021, it remains to be seen if the evolving threat landscape will affect their rankings in the coming year, but for now these risks are holding solid ground for the foreseeable future.
The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. Anyone can participate and contribute to their online community, and they offer online tools, videos, forums, and events. Their features are always free of charge and easily accessible through the website.
The OWASP Top 10:
A10:2021 – Server-Side Request Forgery
The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential.
A09:2021 – Security Logging and Monitoring Failures
Logging and monitoring can be challenging to test, but detecting and responding to breaches is critical. You are vulnerable to information leakage by making logging and alerting events visible to a user or an attacker.
A08:2021 – Software and Data Integrity Failures
This category focuses on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts in Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data.
A07:2021 – Identification and Authentication Failures
Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks.
A06:2021 – Vulnerable and Outdated Components
Vulnerable components are a known issue that we struggle to test and assess risk for, and this is the only category that does not have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs.
A05:2021 – Security Misconfiguration
90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4%, and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category.
A04:2021 – Insecure Design
If we genuinely want to “move left” as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation because, by definition, the needed security controls were never created to defend against specific attacks.
A03:2021 – Injection
94% of the applications were tested for some form of injection, with a max incidence rate of 19% and an average incidence rate of 3.37%, and the 33 CWEs mapped into this category have the second most occurrences in applications, with 274k occurrences.
A02:2021 – Cryptographic Failures
The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., the EU’s General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as the PCI Data Security Standard (PCI DSS).
A01:2021 – Broken Access Control
Broken Access Control moves up from the fifth position to become the category with the most serious web application security risk; the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs), with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
The purpose of compiling this list is to give developers and web application security professionals insight into the most widespread security risks, so they can use the findings in their remediation plans and in recommendations for improving their existing security practices, with the goal of minimizing the presence of known risks in their applications.
For remediation planning and assistance, or for more information on these risks – please reach out to our team for assistance.