OWASP Top 10 Risks and Its Prevention
OWASP (Open Web Application Security Project) is a non-profit organisation dedicated to improving software security. It is an online community that produces freely available publications, methodologies, documentation, tools, and technologies in the area of web application security, and all of its material is open and free. The OWASP Top 10 Risks is a list of the ten most critical risks to web application security, created to inform users about the most common security weaknesses that can result in data loss or compromise.
OWASP Top 10 Risks in Web Applications Security
The OWASP Top 10 Risks for 2021 includes three new categories, four categories with renamed or expanded scopes, and some consolidation.
- Broken Access Control (A01:2021). Broken access control, a flaw that allows an attacker to access other users' accounts, rose from number 5 to number 1 on the 2021 list. The attacker can then act within the system as a regular user or as an administrator.
- Example: An application lets the client modify a primary key in a request; when that key is changed to point at another user's record, that user's account can be viewed or amended.
- Solution: Cross-site request forgery and unsafe data storage can be identified with an interactive application security testing (IAST) solution such as Seeker®, which also identifies flawed or missing JSON Web Token handling code. As a manual complement to IAST, penetration testing can help identify missing or unauthorized access controls. Establishing trust boundaries for data access may require changes to architecture and design.
- Cryptographic Failures (A02:2021). Sensitive data exposure, previously listed at position 3, has been renamed cryptographic failures to better reflect its role as a root cause rather than a symptom. A cryptographic failure occurs when sensitive data, such as a social security number, is stored or transmitted without adequate protection and is compromised as a result.
- Example: A financial organization that fails to adequately safeguard its sensitive data makes itself a prime target for identity theft and credit card fraud.
- Solution: Seeker's checkers can scan for weak or hard-coded cryptographic keys and insufficient encryption strength, and identify flawed or dangerous cryptographic methods. The Black Duck® cryptography module exposes the cryptographic techniques used by open-source software (OSS) components so that their robustness can be assessed. Black Duck software composition analysis (SCA) and Coverity® static application security testing (SAST) both provide checkers that offer a "point in time" snapshot at the code and component levels.
- Injection (A03:2021). Cross-site scripting is now included in this category, and injection drops from number one to number three. In essence, an injection occurs when an attacker delivers invalid or hostile data to a web application in order to force it to perform an action it was not intended to.
- Example: An application uses untrusted data when building a SQL query, producing a weak SQL call.
- Solution: By integrating SAST and IAST tools into your continuous integration / continuous delivery (CI/CD) pipeline, you can find injection problems both in static code and dynamically while testing the application at runtime. During the various test phases, modern application security testing (AST) technologies like Seeker can help safeguard the application and look for different kinds of injection (in addition to SQL injection).
- Seeker can recognize NoSQL injection, command injection, LDAP injection, template injection, and log injection, for instance. With its proprietary Active Verification engine, Seeker is the only tool to offer a new, specialized checker made exclusively to uncover Log4Shell vulnerabilities, determine how Log4j is configured, test how it actually behaves, and validate (or invalidate) those findings.
- Insecure Design (A04:2021). The new "insecure design" category for 2021 covers the risks associated with design flaws. As enterprises continue to "shift left," threat modeling, secure design patterns and principles, and reference architectures are still insufficiently used.
- Example: A chain of movie theatres that offers discounts for group reservations requires a deposit for parties of more than 15 people. Attackers threat-model this flow to determine whether they can reserve hundreds of seats at different theatres across the chain, resulting in thousands of dollars in lost revenue.
- Solution: In highly complex web, cloud, and microservices-based applications, Seeker IAST identifies vulnerabilities and exposes all incoming and outgoing API, service, and function calls. By providing a visual map of the data flow and the endpoints involved, it makes flaws in the application's design evident and supports pen testing and threat modeling efforts.
- Security Misconfiguration (A05:2021). This risk category, which moves up from the sixth slot, now includes the former XML External Entities (XXE) category. Security misconfigurations are weaknesses introduced by a configuration mistake or an insecure configuration choice.
- Example: A default account's password has not been changed and is still active, leaving the system open to attack.
- Solution: Tools like Coverity SAST have a checker that can determine what information is exposed via an error message. During runtime testing, dynamic tools such as Seeker IAST can find information disclosure and improper HTTP header configuration.
- Vulnerable and Outdated Components (A06:2021). This category, formerly at position 9, moves up to address components that present both known and potential security vulnerabilities. Components with known vulnerabilities, such as CVEs, should be identified and patched, whereas stale or malicious components should be assessed for viability and the danger they may present.
- Example: Because of the sheer number of components used during development, a development team may not be aware of or understand all the components used in its application, and some of those components may be outdated and thus exposed to attack.
- Solution: To identify and detect out-of-date and unsafe components in an application, software composition analysis (SCA) tools like Black Duck can be used in conjunction with static analysis and IAST. Together, IAST and SCA are effective at revealing how vulnerable or out-of-date components are actually being used. Seeker IAST and Black Duck SCA together go beyond simple vulnerability identification, discovering, for example, whether a vulnerable component is actually loaded by the application under test. Additionally, users can gauge the potential risk an outdated or malicious component presents by looking at indicators such as developer activity, contributor reputation, and version history.
- Identification and Authentication Failures (A07:2021). This item, formerly known as broken authentication, dropped from number 2 to number 7 and now includes CWEs for identification failures. In particular, improper implementation of authentication and session management functions enables attackers to compromise passwords, keys, and sessions, which can result in stolen user identities and more.
- Example: A web application permits weak or easily guessed passwords such as "password1".
- Solution: Using multiple factors of authentication lowers the risk of accounts being compromised. Automated static analysis is quite effective at identifying these problems, while manual static analysis can be more robust when assessing custom authentication methods. Coverity SAST includes a checker that identifies broken authentication vulnerabilities. Seeker IAST can identify hard-coded passwords and credentials, ineffective authentication, and the omission of crucial authentication steps.
- Software and Data Integrity Failures (A08:2021). This new category for 2021 concentrates on software updates, critical data, and CI/CD pipelines that are used without verifying their integrity. Insecure deserialization, in which deserializing untrusted data allows an attacker to execute code remotely on the system, is now also covered by this entry.
- Example: An application deserializes hostile objects supplied by an attacker, exposing itself to attack.
- Solution: Application security tools can help identify deserialization vulnerabilities, and penetration testing can confirm them. Insecure deserialization, unsafe redirects, and tampering with token access algorithms can all be found with the aid of Seeker IAST.
- Security Logging and Monitoring Failures (A09:2021). This entry, previously known as insufficient logging and monitoring, has moved up from position 10 and has been expanded to cover more kinds of failure. A website should perform logging and monitoring regularly, since failing to do so leaves it open to more serious compromise.
- Example: An application becomes susceptible when auditable events, such as logins, failed logins, and other significant activities, are not logged.
- Solution: After penetration testing, developers can review test logs to find potential flaws and vulnerabilities. Unlogged security exceptions can be found with the help of Coverity SAST and Seeker IAST.
- Server-Side Request Forgery (A10:2021). Server-side request forgery (SSRF), a new category this year, can occur when a web application fetches a remote resource without validating the user-supplied URL. An attacker can use this to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. Cloud services and the growing complexity of architectures are both contributing to an increase in the severity and frequency of SSRF attacks.
- Example: If the network architecture is not segmented, attackers can map internal networks and determine whether ports on internal servers are open or closed, using the connection results or the time it takes SSRF payload connections to connect or be rejected.
- Solution: Seeker, one of the more recent AST tools, is capable of tracking, monitoring, and detecting SSRF without the need for additional scanning and triaging. Thanks to its sophisticated instrumentation and agent-based technology, Seeker can also detect potential SSRF exploits.
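As an added illustration of the broken access control case in A01 above (this is example code, not from the article or any product it names; the account table and user names are constructed), here is a record lookup that trusts the client-supplied key beside a version that checks ownership against the authenticated session:

```python
# Added example: a lookup keyed only on the client-supplied id, and the
# fixed lookup that enforces ownership server-side.
# ACCOUNTS is a constructed in-memory table standing in for a database.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 2500},
    102: {"owner": "bob", "balance": 40},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested record."""


def get_account_vulnerable(account_id: int) -> dict:
    """Returns whatever record the client asked for.

    The only input is the key from the request, so a user who rewrites
    102 to 101 in the request receives another user's record.
    """
    return ACCOUNTS[account_id]


def get_account_fixed(current_user: str, account_id: int) -> dict:
    """Returns the record only if the authenticated user owns it.

    current_user comes from the server-side session, never from the
    request body or URL, so rewriting the key in the request is useless.
    """
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != current_user:
        # One response for "does not exist" and "not yours", so the error
        # does not reveal which ids are valid.
        raise Forbidden(f"account {account_id} is not accessible")
    return record


def update_balance_fixed(current_user: str, account_id: int, delta: int) -> int:
    """Writes reuse the same ownership check as reads; returns the new balance."""
    record = get_account_fixed(current_user, account_id)
    record["balance"] += delta
    return record["balance"]


if __name__ == "__main__":
    # bob swaps his id for alice's: the vulnerable lookup hands over her record
    print(get_account_vulnerable(101)["owner"])  # alice
    try:  # the fixed lookup refuses the same request
        get_account_fixed("bob", 101)
    except Forbidden as exc:
        print("denied:", exc)
```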
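For the injection case in A03 above, an added example (not from the article or any product it names) that runs against a constructed in-memory SQLite table: the same lookup built by string concatenation and with a bound parameter, and what each returns when the input contains a quote:

```python
# Added example: untrusted input in a SQL call, vulnerable and fixed.
# The users table and its rows are constructed for this illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Creates the constructed users table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation.

    Untrusted `name` becomes part of the SQL text, so a quote in the
    input changes the query's structure instead of being matched as data.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Passes the value as a bound parameter.

    The driver keeps the value separate from the statement text, so the
    input is only ever compared as a literal string, quotes included.
    """
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # constructed input that closes the string literal
    print(find_user_vulnerable(db, tampered))  # every row in the table
    print(find_user_fixed(db, tampered))       # [] : no user has that name
```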
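For the SSRF case in A10 above, an added example (not from the article or any product it names) of validating a user-supplied URL before the server fetches it. The allow-list, the stand-in DNS table and its addresses are constructed; the resolved-address check is the step that blocks the internal-network probing described in the example even for an allow-listed name:

```python
# Added example: outbound URL validation for a server-side fetch.
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hosts the service legitimately fetches from.
ALLOWED_HOSTS = {"images.example.com", "mirror.example.com"}

# Constructed stand-in for DNS so the example runs offline; the addresses
# are sample values, and mirror.example.com deliberately points inside.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",
    "mirror.example.com": "10.0.0.5",
    "internal.corp": "10.0.0.9",
}


def validate_outbound_url(url: str, resolve=FAKE_DNS.get) -> tuple:
    """Returns (allowed, reason) for a URL the server was asked to fetch.

    Each rejection names the failed check so it can be logged. On success
    the reason carries the resolved address: the caller should connect to
    that pinned address rather than resolve the name a second time.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    addr = resolve(host)
    if addr is None:
        return False, f"host {host!r} does not resolve"
    ip = ipaddress.ip_address(addr)
    # Rejects loopback, RFC 1918, link-local and other non-routable ranges,
    # even when the name itself was allow-listed.
    if not ip.is_global:
        return False, f"host {host!r} resolves to non-public address {ip}"
    return True, f"fetch via pinned address {ip}"


if __name__ == "__main__":
    for u in ("https://images.example.com/logo.png",
              "http://internal.corp/admin", "https://mirror.example.com/pkg"):
        print(u, "->", validate_outbound_url(u))
```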
To conclude, the OWASP Top 10 Risks helps users understand the most common security threats and provides rules of thumb for keeping applications safe against known vulnerabilities. It is therefore highly recommended to adopt the OWASP Top 10 Risks in order to reduce or mitigate the security risks associated with applications.