It’s been almost four years since a major release of the OWASP Top 10, but a new version is finally here. Let’s take a look at what’s new and what’s changed with the 2021 release and how it might impact application security programs.
The list was last updated in 2017; the new 2021 OWASP Top 10 is as follows:
- Broken Access Control
- Cryptographic Failures (Sensitive Data Exposure)
- Injections (including Cross-site Scripting)
- Insecure Design
- Security Misconfigurations
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-side Request Forgery (SSRF)
From Tactical to Strategic
The OWASP Top 10 has historically grouped its categories by vulnerability classification or type. This tactical view has allowed both developers and application security teams to zero in on specific areas of application security, but it doesn’t lend itself to the larger programmatic view required by bigger organizations. With the new release, however, the shift in some category names is helping the OWASP Top 10 take a higher-level approach (e.g., examining impact and ability to be exploited).
(Note: The OWASP Top 10 rankings are based on a combination of data and surveys so as not to be reliant on any one data source.)
Change is a Coming
For the 2021 update, four of the categories have been renamed. Let’s take a quick look at what they are:
Vulnerable and Outdated Components
Every single modern web application uses third-party code. It’s a fact of life. Back-end or front-end, you have a timeline and limited resources to hit certain milestones, and that means leveraging third-party code to help you get there faster. Unfortunately, this also means your third-party supply chain is becoming a growing risk factor.
Whether you are developing front-end code or back-end code, analyzing third-party dependencies and the access they are granted is a must. I predict that this category will (unfortunately) trend upwards in the coming years.
Cryptographic Failures
The name change for this category (previously known as Sensitive Data Exposure) is really important because it refocuses from the outcome (data exposure) to the root cause (outdated cryptography, or no cryptography at all, protecting the data). It’s wild to think that in the year 2021, with breaches reported alongside regular news, we continue to see organizations using outdated encryption mechanisms, or worse, none at all.
At number two on the OWASP Top 10 list, this is another growing area of concern. With more people using and consuming digital experiences each and every day, data protection should be a top priority for anyone that handles customer data.
Identification and Authentication Failures
Roll your own authentication? Nope, not in this day and age. Thankfully, there are plenty of large players that provide authentication services (e.g., Auth0, Okta, Google), which has helped with standards adoption across identity management.
It’s also much easier to leave the task of securing user identities to those who specialize in it. The increased use of authentication providers has helped drive threats in this category (previously called Broken Authentication) down, as we can see with this release of the OWASP Top 10, where authentication drops five places.
Security Logging and Monitoring Failures
If you can’t see it, you can’t protect it. While it is really hard to test for this category, failure to implement good logging and monitoring across your web applications can directly impact visibility, alerting, and forensic investigations.
Knowing what to log is just as important as setting up logging in the first place. Security operations teams are inundated with noise from existing security tools. Adding more noise to their inbound workflows is not likely to win over any new friends.
Same Name, Slightly Different Game
For the 2021 update, three of the categories remain unchanged in name and scope, but have some pretty significant movement in the overall list rankings. Let’s take a quick look at what they are:
Broken Access Control
This category claims the number one spot for this release of the OWASP Top 10, moving up five positions since the last release, which shows the severity of the impact broken access control has had to date.
APIs are particularly susceptible to abuse in this category, particularly when the front-end is decoupled. Many developers focus on the business logic in their API endpoints and often forget that they must always ensure the person, er, token, accessing the API is both authenticated and authorized to use it.
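The pattern described above, as an added example that is not from the original post: an API handler for a decoupled front-end that authenticates the bearer token but forgets object-level authorization, beside the hardened version. The token table and invoice data are constructed stand-ins, not a real identity provider or database.

```javascript
// Constructed sample data: bearer tokens issued by an (assumed) identity
// provider, and a resource collection keyed by id with an owner field.
const sessions = { "tok-alice": { sub: "alice", role: "user" },
                   "tok-bob":   { sub: "bob",   role: "user" } };
const invoices = { 101: { owner: "alice", total: 42 },
                   202: { owner: "bob",   total: 17 } };

// Authentication only: who is calling? Returns the session or null.
function authenticate(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  return m ? sessions[m[1]] || null : null;
}

// Vulnerable: any authenticated caller can read any invoice by id
// (broken object-level access control).
function getInvoiceInsecure(headers, id) {
  const user = authenticate(headers);
  if (!user) return { status: 401 };
  const inv = invoices[id];
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Hardened: authentication AND an ownership (authorization) check on the
// specific object requested, performed server-side on every call.
function getInvoiceSecure(headers, id) {
  const user = authenticate(headers);
  if (!user) return { status: 401 };
  const inv = invoices[id];
  // Same 404 for missing and foreign objects so ids cannot be enumerated.
  if (!inv || inv.owner !== user.sub) return { status: 404 };
  return { status: 200, body: inv };
}
```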
Injection
The previous king (or queen) of the OWASP Top 10, injection moves down the list to number three. Additionally, this category now includes cross-site scripting (XSS), which makes sense given that XSS is a type of injection.
While this category is still a huge problem for web applications, as evidenced by its ranking, awareness around input sanitization has also grown significantly in the last few years. As security tools become smarter and developers go through more security training, we will hopefully see this category pushed down even further in years to come.
Security Misconfiguration
Unlike the two previous categories, the security misconfiguration category doesn’t make a huge shift with this release. Additionally, this category now includes XML External Entities (XXE) as part of a larger focus on “misconfigurations” in general.
With the adoption of cloud computing and massive consumption of SaaS applications, we have seen time and again how misconfigurations leave openings for attackers. Amazon S3 buckets have been a particular favorite in years past when it comes to abusing cloud services with poor configuration settings.
While there is a whole new set of security tools that deal with this category, the collaboration between security teams and the administrators of these business services is critical if we want to see real change.
New Kids on the Block
For the 2021 update, three of the categories are completely new. The introduction of these categories shows a shift in how web application threats are changing and what we need to focus on to stay ahead of the curve. Let’s take a quick look at what they are:
Insecure Design
Our first new category with this year’s release, insecure design focuses specifically on design flaws. The cybersecurity industry has been preaching “shift left” for a while now to bring security closer to the development cycle; however, there is a lack of resources to support this movement.
The ability to conduct threat modeling, availability of resources that describe secure design patterns, and the use of broad scale reference architectures are all key parts of making shift left a reality. While some of these components exist for the back-end of applications, there is a lot of catching up that still needs to happen when it comes to the client-side, serverless, and APIs.
Software and Data Integrity Failures
Our second new category is all about integrity and also includes the consolidation of insecure deserialization. As mentioned earlier in the vulnerable and outdated components category, the use of third-party code is on the rise like never before. Being able to verify the integrity of code, both hosted and integrated locally, is critical to securing your supply chain.
Using a robust CI/CD pipeline can help identify integrity issues early on, but security audits of your third-party supply chain will need to be done as well. Don’t forget that this includes third-party supply chain mapping and security audits of both front-end code and back-end code independently.
Server-side Request Forgery (SSRF)
The final new category is centered around a specific type of attack, one that is seen more commonly today. Modern web applications are complex and their overall architectures are even harder to decipher. With the inclusion of so many libraries and frameworks, the ability to fetch a URL can occur in several different ways, making it difficult to map out every resource that might be called when a page is loaded.
Luckily, you can follow several common best practices, like sanitizing all user input or disabling HTTP redirections, to help mitigate this risk.
The Never Ending To-Do List
Anyone involved with application security will tell you that the job is a never ending to-do list. Every release, every patch, and every new feature requires security testing and validation to ensure both the application and the business are continuously protected. Sure, security tools make some of the tasks and testing easier, but there is no silver bullet when it comes to security.
One of the key learnings we have found from talking to different organizations is that the best security programs require a deep partnership across different areas of the business. Developers, marketing, legal… everyone has a different set of requirements when it comes to building web applications, but only by working hand-in-hand and understanding how the pieces fit together can security really thrive.
I think we will continue to see these categories shift around over the coming years as new technologies like serverless, CDNs, and progressive web applications permeate larger organizations. Web applications are no longer just a client and server relationship; client-side security, global availability, and privacy are all new challenges that businesses will face. The OWASP Top 10 is a great starting point, but will not cover all scenarios.