I agree with you that strong physical security is very important. Physical security and cybersecurity have become so intertwined that it is impossible to talk about one without the other, making it imperative for IT to be involved in the product selection process.
The Open Web Application Security Project (OWASP) is a non-profit foundation that produces a wide array of articles, tools, technology, etc. in the realm of web application security. The OWASP Top 10 is one of these specific documents which they update on a fairly regular basis in order to rank & provide remediation on the top 10 most critical web application security risks which are collaborated on by top cyber security experts all over the planet. The latest installment included a variety of changes, with ‘Broken Access Control’ moving from the fifth position in 2017 to the most serious web app security risk in 2021. The previous number 1, ‘Injection’, saw its ranking move down to the 3rd position. On top of some other movements across the rankings, three new categories also made the top 10, ‘Insecure Design’, ‘Software & Data Integrity Failures’, & ‘Server-Side Request Forgery (SSRF)’.
OWASP stands for Open Web Application Security Project. This reading was a top 10 for application security risks from 2021. They usually release this list every 3 or 4 years. The last one was released in 2017. I believe this is a security document, but not necessarily a security standard. What they consider in their top 10 may not be the reader’s organization’s same sentiment. This documentation admits in their methodology section that: ”This installment of the Top 10 is more data-driven than ever but not blindly data-driven.” There are 10 categories; of the 10, there are 8 categories that were derived from data that was contributed from a variety of organizations. The other 2 categories were derived from a survey. Furthermore, they continue with an explanation of how the categories were structured along with an ample amount of other information and insight.
I said in my previous post that OWASP is more so a security document and not necessarily a security standard. The reading suggests that to use it as a coding or testing standard is the bare minimum or just a starting point. Furthermore, it is difficult to use it as a standard because they document application security risks and not easily testable issues. I like that they made a chart which outlines their recommendations for when it’s appropriate to use OWASP Top 10. They gave 3 sections; use case, OWASP Top 10 2021, and OWASP Application Security Verification Standard. They also reiterate that the ASVS should be used instead when there is a need to adopt an application security standard.
OWASP aims to help organizations have trusted APIs for their applications. This open community organization provides application security tools and standards, research-based security controls and libraries, and more hints on application security such as cheat sheets, events, and training. This reading specifically addressed the major changes for the Top 10 over the four-year time period. As OWASP explains, based on the research teams’ findings and data collected, new methodology and root cause ranking has changed. Root cause objectives include broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.
I think it’s interesting how broken access control jumped over to the top of the list over time. It should highlight the importance of making sure to limit user access by giving them only the point access that they need. Vulnerabilities such as violation of least privilege or deny by default, accessing APIs with missing access controls, the elevation of privilege, and metadata manipulation should be taken care of by the organizations as OWASP recommends.
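The post above mentions least privilege and deny by default as the controls behind Broken Access Control. The following is an added example, not code from the original thread or from OWASP, of what a deny-by-default resource-level authorization check looks like in practice: the policy table, the user and record types, and the role names are all constructed for illustration. Any combination of role, action, and ownership that is not explicitly granted falls through to a denial, which is the property the post is pointing at.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Constructed example types standing in for an application's user and a stored record.
@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str

# Explicit grants per role (hypothetical policy). A grant of the form "action:own" applies
# only to records the user owns; "action:any" applies to every record. Anything not listed
# here is denied: there is no "default allow" path.
POLICY: Dict[str, Set[str]] = {
    "user": {"read:own", "update:own"},
    "auditor": {"read:any"},
    "admin": {"read:any", "update:any", "delete:any"},
}

def is_allowed(user: User, record: Record, action: str) -> bool:
    """Return True only if one of the user's roles carries an explicit grant for this action.

    Unknown roles, unknown actions, and "own" grants on records the user does not own
    all fall through to the final return, i.e. deny by default.
    """
    for role in user.roles:
        grants = POLICY.get(role, set())          # unknown role -> no grants
        if f"{action}:any" in grants:
            return True
        if f"{action}:own" in grants and record.owner_id == user.user_id:
            return True
    return False  # deny by default

def handle_request(user: User, record: Record, action: str) -> dict:
    """Minimal request handler: authorize before doing any work and record denials for monitoring."""
    if not is_allowed(user, record, action):
        return {
            "status": 403,
            "event": "authz_denied",   # a logging/monitoring hook, the A09 side of the same story
            "user": user.user_id,
            "record": record.record_id,
            "action": action,
        }
    return {"status": 200, "action": action, "record": record.record_id}

if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    print(handle_request(alice, Record("r1", "alice"), "read"))    # own record: allowed
    print(handle_request(alice, Record("r2", "bob"), "read"))      # someone else's record: denied
    print(handle_request(alice, Record("r1", "alice"), "delete"))  # no grant for delete: denied
```

The check is written so that adding a new action or role requires adding a grant; forgetting to do so produces a denial rather than silent access, which is the failure direction you want from an access control layer.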
Yangyuan Lin says
The Open Web Application Security Project) is a non-profit organization, not affiliated with any corporation or consortium, that provides unbiased, factual, cost-effective information about computer and Internet applications. Its purpose is to assist individuals, businesses and institutions in discovering and using trusted software. The OWASP Top 10 is not an official document or standard, but rather a widely adopted awareness document used to categorize the severity of cybersecurity vulnerabilities and is currently evaluated for bug reports by many bug bounty platforms and enterprise security teams. This list summarizes the ten most likely, common, and dangerous vulnerabilities of web applications, which can help IT companies and development teams to standardize application development and testing processes and improve the security of web products.
The OWASP Top 10 list for 2021 is:
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery (SSRF)
Corey Arana says
The Open Web Application Security Project (OWASP) provides a ranking of the top 10 most critical web application security risks. The list is based on a consensus among security experts from around the world. These risks are based on the frequency of discovered security risk defects, the severity of vulnerabilities and potential impacts. The report is meant to help developers and web application security professionals with real security risks so they can use them in their security practices.
OWASP puts out a new list every few years, and new on the list in 2021 are insecure design (A04), software and data integrity failures (A08) and server-side request forgery (A10).
Shubham Patil says
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
Matthew Bryan says
The OWASP top 10 is a standard for developers and web application security that represents a broad consensus about the most important security risks to web applications. This was recently updated in 2021 which saw a reordering of their top 10 vulnerabilities.
I found the methodology used to determine the top ten interesting. Specifically, how they blend a data driven approach with emerging trends. This approach balances the time it takes to codify vulnerabilities into tools with what researchers are seeing in the field. Prior to reading this, I hadn’t considered the lag between a newly identified issue and how that’s incorporated into automated tools. By integrating anecdotal accounts via their community survey, OWASP represents the current threat landscape better than only using established data sets.
Bryan Garrahan says
I found it very interesting how the OWASP top 10 relies on the incidence rate of vulnerabilities rather than frequency data. Raw tooling and human-assisted tooling (HaT) scan for vulnerabilities and will attempt to find every instance of a specific vulnerability on a system or set of systems. Tool-assisted human (TaH) tooling searches for a broader range of different vulnerability types rather than looking for the number of times they are identified on a system or set of systems. The latter process around identifying vulnerabilities has proven to be more effective because hackers really only need to take advantage of one vulnerability in order to gain unauthorized access. It’s more helpful to understand the exact types of vulnerabilities you are susceptible to rather than the total number of instances you have on your network of a specific vulnerability.
Jason Burwell says
The reading explained that the OWASP Top 10 is primarily an awareness document. However, this has not stopped organizations using it as a de facto industry AppSec standard since its inception in 2003.
There are recommendations for when it is appropriate to use the OWASP Top 10; the graph showed us the categories are Use Case, OWASP Top 10 2021 and OWASP Application Security Verification Standard.
The Top 10 for 2021 is as follows:
A01:2021-Broken Access
A02:2021-Cryptographic Failures
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring Failures
A10:2021-Server-Side Request Forgery
Michael Galdo says
Hi Jason,
I agree that organizations have been using OWASP as an AppSec standard since the rankings have started. The rankings are determined by the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. I believe that the OWASP is important because the list serves as such an important web application development standard for the world’s largest organizations.
Oluwaseun Soyomokun says
The essential takeaway from The Open Web Application Security Project (OWASP). OWASP is an open-source application security community whose goal is to improve software security for organizations as a de facto standard. OWASP is a non-profit organization and not affiliated with any enterprise or consortium. The Security Vulnerability List Guidelines list the most critical application security risks, helping developers better protect the applications they design and deploy against injection, broken authentication, sensitive data exposure, broken access control, security misconfiguration, cross-site scripting, and insecure deserialization.
Michael Galdo says
The Open Web Application Security Project Top 10 is a non-profit organization that is dedicated to improving the security of software. They provide a ranking of the top 10 most critical web application security risks. The rankings are determined by a consensus amongst security experts from all over the world. The rankings are determined by the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The OWASP is important because the list serves as an internal web application development standard for the world’s largest organizations.
Ryan Trapp says
Looking over the OWASP top ten is a great tool to utilize when designing applications or websites. I find it most interesting to see how certain items have changed in ranking from the previous iteration (2017) to the most current ranking (2021). Specifically, it’s interesting to note the new categories that appear in the list. For example, number four on the top ten list is “Insecure Design”. This is the risk related to design flaws. This category was not present on the previous list in 2017. Also while looking at the list you see “Broken Access Control”, which was fifth in the previous ranking, move all the way up to first in this iteration of the top ten. This is what is considered the most serious web application risk and the 34 common weakness enumerations mapped to Broken Access Control were the most of any other category. Seeing how much this list changes order from each iteration demonstrates just how fluid these categories are in order of importance and why one must keep current with the newest version. If utilizing a previous ranking then the order of importance for the risk categories will be incorrect, with some categories even missing.
Amelia Safirstein says
The Open Web Application Security Project (OWASP) top 10 is a list of the top 10 most critical web application security risks. Every few years, OWASP surveys security experts around the world and uses the results of that survey as well as results from application security research to update the top 10 list. OWASP takes this approach to building the top 10 rather than strictly using hard data from application security researchers in order to present an up-to-date list. Because research on application security is a lengthy process, results may not give a truly current snapshot of the threat environment.
I found the notes on updating data collection for a more accurate view of the threat environment to be interesting. When collecting data on vulnerability occurrences, OWASP now finds the percentage of the application population that had at least one occurrence of the vulnerability. Each application with one or more instances of the vulnerability adds one to the count regardless of how many instances the application had. OWASP counts frequency/occurrences this way because the total number of instances reported for each app often gives skewed results. Automatic, technology-based tools used to find specific vulnerabilities will find and report many or all instances in the application. A security professional reviewing the application for vulnerabilities may find different vulnerabilities but likely wouldn’t make record of every single instance of the same vulnerability.
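Two posts in this thread (Bryan Garrahan's on incidence rate versus frequency, and Amelia Safirstein's just above on counting each application at most once) describe the same counting rule. The following is an added example, not code from the thread or from OWASP's own data pipeline, that runs both counts over a small constructed set of findings so the skew the posts describe is visible: one application where a scanner reported many instances of one weakness dominates the raw frequency count, while the incidence rate (fraction of the application population with at least one occurrence) ranks the weaknesses differently. The application names, weakness labels and counts are all made up for the illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed findings: (application, weakness) pairs. "app-a" mimics the case the post
# describes, where an automated tool reports every instance of one weakness in one app.
FINDINGS: List[Tuple[str, str]] = [
    ("app-a", "xss"), ("app-a", "xss"), ("app-a", "xss"), ("app-a", "xss"),
    ("app-a", "xss"), ("app-a", "xss"), ("app-a", "xss"), ("app-a", "xss"),
    ("app-a", "broken-access-control"),
    ("app-b", "broken-access-control"),
    ("app-c", "broken-access-control"), ("app-c", "xss"),
    ("app-d", "sqli"),
]
# The tested population includes an app with no findings at all; it still counts in the denominator.
APPLICATIONS: List[str] = ["app-a", "app-b", "app-c", "app-d", "app-e"]


def raw_frequency(findings: Sequence[Tuple[str, str]]) -> Dict[str, int]:
    """Raw frequency: total instances of each weakness, summed over every application."""
    return dict(Counter(weakness for _, weakness in findings))


def incidence_rate(findings: Sequence[Tuple[str, str]], applications: Sequence[str]) -> Dict[str, float]:
    """Incidence rate as the posts describe it: the fraction of the application population
    that had at least one occurrence of the weakness. Each application contributes at most 1
    to a weakness's count, however many instances it reported."""
    apps_with_weakness = defaultdict(set)
    for app, weakness in findings:
        apps_with_weakness[weakness].add(app)
    population = len(applications)
    return {w: len(apps) / population for w, apps in apps_with_weakness.items()}


def rank(metric: Dict[str, float]) -> List[str]:
    """Weakness names ordered from highest to lowest metric value (ties broken by name)."""
    return [w for w, _ in sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    print("raw frequency  :", rank(raw_frequency(FINDINGS)))
    print("incidence rate :", rank(incidence_rate(FINDINGS, APPLICATIONS)))
```

On this data the raw count puts XSS first because of the eight instances in one application, while the incidence rate puts broken access control first because it appears in three of the five applications; that is exactly the distortion the per-application counting rule is meant to remove.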
Mohammed Syed says
Technology develops every year, and trends vary in threat mechanisms and security challenges. When new technologies become standard to use in organizations, bad actors are also attracted to take advantage. OWASP Top 10 is an awareness document for application and developer security. The OWASP report shows broken access control moving from 5th position to the top as the most critical web application security risk category, and cryptographic failures shifting up one position to 2nd in 2021. It leads to sensitive data exposure and compromised system security.
Insecure design is a new category in 2021, as many new application developments are not tested properly for vulnerabilities; security against the various threats is mishandled in the early phase of development, and since there is a timeline, the project is released into a production environment without proper security. Once the popularity of the application wanes, one by one the vulnerabilities are discovered. Security misconfiguration has not changed much; it is stable in the category, moving up one position because of the highly misconfigured software in use today. The next position is taken by vulnerable and outdated components, as various components are outdated against new threats based on hardware and firmware. The next category is authentication failures; software and data integrity failures are a new category due to lack of integrity in software and data management.
Security logging and monitoring failures moved up 2 positions in 2021. This category shows a failure to meet the challenges of visibility, incident alerting and forensics. SSRF has been newly added to this threat category from the community survey. Every year, based on the popularity of new technology, new kinds of threats are found; they vary each year and present new challenges to security experts.
Michael Duffy says
I found the OWASP top 10 to be interesting, but it also led me to wonder if companies only focus on the current flavor of cyber attacks instead of producing the best hardening all around. Something that becomes a trend in the cyber-industry is that attackers know what is currently vulnerable on the system because experts are overlooking areas based on data. By looking at the top 10, we can see that most of the exploits that are less popular lose ground on the list – or a new vulnerability appears entirely such as server-side request forgery. Although, this might be from how the organization organized data compared to 2017 – with Security Misconfiguration including XXE.
As the best standard, I think looking at the most popular attacks is an easy way of setting up a general response for your system – but organizations should still apply best practices in all areas before the new trend hits the industry.
Jason Burwell says
Hello Michael,
You raise a good question about whether companies tend to focus on the current flavor of cyber attacks. I would think they do, and I agree with you that they should make sure to harden as much of the system as possible.
Hang Nu Song Nguyen says
OWASP Top 10 in 2021 provides the top 10 most critical web application security risks. These risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. These risks in 2021 are:
1. Broken Access Control
2. Cryptographic Failures (Sensitive Data Exposure)
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures (Insecure Deserialization)
9. Security Logging and Monitoring Failures (Insufficient Logging and Monitoring)
10. Server-Side Request Forgery
Elizabeth Gutierrez says
From this reading, it stood out to me that Injection remained the TOP web application security risk in both 2013 and 2017. I learned that injection flaws are very prevalent, as almost any source of data can be an injection vector. They typically occur when an attacker sends hostile or untrusted data to an interpreter as part of a command or query. While the business impact depends on the needs of the application and data, generally it can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. I am interested to see what the next iteration of the list looks like.
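The mechanism described in the comment above (untrusted data reaching an interpreter as part of a query) is easiest to see side by side. The following is an added example, not code from the original discussion or from OWASP: a user lookup written once with string formatting and once with a bound parameter, run against a constructed in-memory SQLite table. The table, user names and the hostile input are all constructed for the illustration; the `name` argument stands in for whatever arrived in a URL, form field or header.

```python
"""SQL injection: the same lookup with and without a bound parameter.

Added example against a constructed SQLite database; not code from the page.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two ordinary users and one admin.

    Note that one name contains an apostrophe, which is legitimate input.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the query text.

    SQLite parses the result as SQL, so a quote in the input ends the string
    literal and anything after it is interpreted as syntax, not data.
    """
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The query text is fixed; the value is passed as a bound parameter.

    The interpreter never sees the value as SQL, so quotes inside it are
    just characters to compare against.
    """
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed hostile input: closes the literal and appends a tautology,
# turning "WHERE name = 'nobody'" into "WHERE name = 'nobody' OR '1'='1'".
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, hostile input:", find_user_vulnerable(db, PAYLOAD))
    print("safe, hostile input:      ", find_user_safe(db, PAYLOAD))
    print("safe, legitimate apostrophe:", find_user_safe(db, "o'brien"))
    try:
        find_user_vulnerable(db, "o'brien")
    except sqlite3.OperationalError as exc:
        # The vulnerable form also breaks on ordinary data containing a quote.
        print("vulnerable, legitimate apostrophe: error:", exc)
```

Run as a script, the vulnerable lookup returns every row for the hostile input and raises a syntax error for the legitimate name with an apostrophe, while the parameterized lookup returns no rows for the payload and exactly one row for `o'brien`. The second behaviour is worth remembering when arguing for parameterized queries: they fix a correctness bug as well as the injection.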
Ryan Trapp says
Hi Liz,
It is definitely noteworthy that Injection remained at the top of the list for that period of time. Because of this, I found it significant that in the latest ranking Injection fell to number three. It seems like this latest Top 10 list has shaken up a lot of the typical order the list has been in over the previous few years. The categories are changing, and it's important to note what new threats are present and the order in which OWASP thinks they are the most serious risks.
Ornella Rhyne says
OWASP is an awareness document. It is designated for organizations or anyone who wants to adopt an application security standard. It's a verifiable, testable application and can be used in all parts of the secure development life cycle. There are 10 essential categories used by application researchers to find new vulnerabilities and new ways to test for them. The 10 categories are: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.
I was so surprised that broken access control comes before cryptography and is the most serious risk. I see how necessary it is to have strong physical security before even thinking of buying software.
Yangyuan Lin says
Hi Ornella,
I agree with you that strong physical security is very important. Physical security and cybersecurity have become so intertwined that it is impossible to talk about one without the other, making it imperative for IT to be involved in the product selection process.
Alexander William Knoll says
The Open Web Application Security Project (OWASP) is a non-profit foundation that produces a wide array of articles, tools, technology, etc. in the realm of web application security. The OWASP Top 10 is one of these specific documents which they update on a fairly regular basis in order to rank & provide remediation on the top 10 most critical web application security risks which are collaborated on by top cyber security experts all over the planet. The latest installment included a variety of changes, with ‘Broken Access Control’ moving from the fifth position in 2017 to the most serious web app security risk in 2021. The previous number 1, ‘Injection’, saw its ranking move down to the 3rd position. On top of some other movements across the rankings, three new categories also made the top 10, ‘Insecure Design’, ‘Software & Data Integrity Failures’, & ‘Server-Side Request Forgery (SSRF)’.
Joshua Moses says
OWASP stands for Open Web Application Security Project. This reading was the Top 10 application security risks for 2021. They usually release this list every 3 or 4 years; the last one was released in 2017. I believe this is a security document, but not necessarily a security standard. What they consider in their Top 10 may not match the reader's organization's sentiment. The documentation admits in its methodology section: "This installment of the Top 10 is more data-driven than ever but not blindly data-driven." There are 10 categories; of the 10, 8 were derived from data contributed by a variety of organizations. The other 2 were derived from a survey. Furthermore, they continue with an explanation of how the categories were structured, along with an ample amount of other information and insight.
Joshua Moses says
I said in my previous post that OWASP is more a security document than a security standard. The reading suggests that using it as a coding or testing standard is the bare minimum or just a starting point. Furthermore, it is difficult to use as a standard because it documents application security risks rather than easily testable issues. I like that they made a chart which outlines their recommendations for when it's appropriate to use the OWASP Top 10. It has 3 columns: use case, OWASP Top 10 2021, and OWASP Application Security Verification Standard. They also reiterate that the ASVS should be used instead when there is a need to adopt an application security standard.
Miray Bolukbasi says
OWASP aims to help organizations have trusted APIs for their applications. This open community organization provides application security tools and standards, research-based security controls and libraries, and more hints on application security such as cheat sheets, events, and training. This reading specifically addressed the major changes to the Top 10 over the four-year time period. As OWASP explains, based on the research teams' findings and the data collected, the methodology and root-cause ranking have changed. Root cause objectives include broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.
I think it's interesting how broken access control jumped to the top of the list over time. It should highlight the importance of making sure to limit user access by giving users only the access that they need. Vulnerabilities such as violation of least privilege or deny by default, accessing an API with missing access controls, elevation of privilege, and metadata manipulation should be taken care of by organizations, as OWASP recommends.
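The failure modes listed in the comment above (missing access control on an API, violation of deny by default, elevation of privilege through a tampered role claim) can be shown in a few lines. The following is an added example, not code from the original discussion or from OWASP: an order-lookup function first with no ownership check, then with a deny-by-default version that grants only what the caller's role and ownership entitle them to. The principals, roles, orders and permission names are all constructed for the illustration.

```python
"""Broken access control: an order lookup without and with authorization.

Added example with constructed data; not code from the page.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. `role` is a constructed claim, e.g. from a
    session or token, and is treated as untrusted until checked below."""
    user_id: int
    role: str


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: two orders belonging to two different customers.
ORDERS = {
    100: Order(order_id=100, owner_id=1, total=19.99),
    101: Order(order_id=101, owner_id=2, total=250.00),
}

# Explicit allow-list of actions per role. Anything not listed is denied,
# including roles that do not exist (a tampered "administrator" claim gets
# nothing, not everything).
PERMISSIONS = {
    "customer": {"order:read_own"},
    "support": {"order:read_own", "order:read_any"},
}


def get_order_vulnerable(caller: Principal, order_id: int) -> Order:
    """Insecure direct object reference: the id from the request is trusted
    and the caller is never compared against the owner, so any logged-in
    user can read any order by changing the number."""
    return ORDERS[order_id]


def is_allowed(caller: Principal, action: str) -> bool:
    """Deny by default: unknown role or unlisted action both yield False."""
    return action in PERMISSIONS.get(caller.role, set())


def get_order_safe(caller: Principal, order_id: int) -> Order:
    """Authorize on the server for every request, using the caller's own
    identity and an explicit grant, never a flag supplied by the client."""
    order = ORDERS.get(order_id)
    if order is None:
        # Same error as for a forbidden order, so callers cannot enumerate
        # which ids exist by telling "not found" apart from "forbidden".
        raise Forbidden("not found or not permitted")
    if order.owner_id == caller.user_id and is_allowed(caller, "order:read_own"):
        return order
    if is_allowed(caller, "order:read_any"):
        return order
    raise Forbidden("not found or not permitted")


if __name__ == "__main__":
    alice = Principal(user_id=1, role="customer")
    agent = Principal(user_id=9, role="support")
    mallory = Principal(user_id=3, role="administrator")  # tampered claim
    print("vulnerable, alice reads bob's order:", get_order_vulnerable(alice, 101))
    print("safe, alice reads her own order:", get_order_safe(alice, 100))
    print("safe, support reads any order:", get_order_safe(agent, 101))
    for who, oid in ((alice, 101), (mallory, 100)):
        try:
            get_order_safe(who, oid)
        except Forbidden as exc:
            print(f"safe, {who.role} {who.user_id} on order {oid}: {exc}")
```

Two design points carry the weight here: the grant table is an allow-list consulted through `is_allowed`, so a role the server has never heard of (the tampered claim) falls through to denial rather than to some default, and the ownership test compares the order's stored `owner_id` with the caller's server-side identity rather than with anything the client sent about itself.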