The Open Web Application Security Project (OWASP) produces articles, documentation, methodologies, technologies, and tools in the field of web application security. Since 2003 it has published the OWASP Top 10: a list of the ten most critical security risks for web applications. A new edition appears every three to four years; the latest was released on September 24, 2021. OWASP Top 10 2021 is the most data-driven edition so far, drawing on data covering more than 500,000 applications contributed by many different organizations.
OWASP Top 10 2021
The new OWASP Top 10 lists the following as the most critical security concerns.
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
How OWASP Top 10 2021 Differs from Other OWASP Top 10s
Three categories are new in 2021: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery (SSRF). The SolarWinds Orion compromise is a notable example of a software and data integrity failure. Even though the vendor had build and update-signing processes in place, the threat actors subverted the build pipeline itself, so a trojanized Orion update was signed and shipped through the normal update channel to as many as 18,000 customers, a much smaller subset of which was then selectively exploited. SSRF, the other new category illustrated here, arises when an application fetches a URL supplied by the user without adequately checking where it points, letting the attacker make the server issue requests on their behalf to hosts that are not reachable from the outside, such as internal services or a cloud provider's instance metadata endpoint. The February 2020 attack on an unidentified AWS customer is sometimes cited in this context, but it was a volumetric CLDAP reflection DDoS (2.3 Tbps, the largest reported at the time), not an SSRF case; SSRF is primarily a data-access and lateral-movement risk rather than a bandwidth-exhaustion one.
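As an added example (not code from Cyberbit, OWASP or any product named on this page) of why SSRF is a design problem rather than a string-filtering problem, the Python below places a typical naive host deny-list beside a check that resolves the host and rejects loopback, private, link-local and cloud-metadata ranges. The DNS table, host names and addresses are constructed so the block runs offline; in production the `resolve` hook would wrap `socket.getaddrinfo()`.

```python
"""SSRF: a naive URL allow-check beside a hardened one.

Added example, not Cyberbit's or OWASP's code. Host names and addresses
are constructed so the block runs with no DNS or network access.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS table standing in for socket.getaddrinfo(). The second
# entry mimics an attacker-controlled name that resolves to the cloud
# metadata service; the third is a public-looking name that resolves to
# loopback (the classic way past a hostname deny-list).
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],        # harmless public host
    "meta.attacker.example": ["169.254.169.254"],  # -> instance metadata
    "localtest.me": ["127.0.0.1"],                 # -> loopback
}

BLOCKED_NAMES = {"localhost", "127.0.0.1", "169.254.169.254"}


def naive_is_allowed(url: str) -> bool:
    """Typical first attempt: scheme check plus a string deny-list on the host.

    This is the shape of check that still leaves SSRF open, because it never
    asks what the host actually resolves to and only matches one spelling of
    each address.
    """
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname not in BLOCKED_NAMES


# Address ranges a server-side fetcher should never be allowed to contact.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked_ip(ip) -> bool:
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) must be judged as IPv4,
    # otherwise the IPv4 deny ranges never match it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in DENY_NETS)


def hardened_is_allowed(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> bool:
    """Resolve the host and check every address it maps to against DENY_NETS.

    `resolve` is injectable so the example runs offline. In production pass a
    wrapper around socket.getaddrinfo(), connect to the vetted IP rather than
    the name (so DNS cannot change its answer between check and use), and do
    not follow redirects automatically, or re-run this check on every hop.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if parsed.username or parsed.password:
        return False  # reject http://trusted@169.254.169.254/ style confusion
    host = parsed.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        # Not a dotted-quad / IPv6 literal: resolve it. Note that real
        # resolvers also accept decimal (2852039166) and octal forms, which
        # is exactly why the decision must be made on the resolved address.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False  # fail closed on names that do not resolve
    return not any(_is_blocked_ip(a) for a in addrs)


if __name__ == "__main__":
    for u in (
        "https://images.example.com/cat.png",
        "http://meta.attacker.example/latest/meta-data/",
        "http://localtest.me/admin",
        "http://[::ffff:169.254.169.254]/",
        "http://2852039166/",
    ):
        print(f"{u:50} naive={naive_is_allowed(u)!s:5} hardened={hardened_is_allowed(u)}")
```

The two checks disagree on every bypass in the sample list: a name that resolves to the metadata IP, a name that resolves to loopback, and an IPv4-mapped IPv6 literal all pass the naive filter and fail the hardened one, while the harmless public host passes both.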
In addition, several categories were merged into others. The disappearance of a familiar name from the list does not mean that vulnerability class has become rare; it reflects a re-grouping into broader themes organized by root cause (a move from individual techniques toward wider classes, loosely comparable to the tactic-level grouping in MITRE ATT&CK). For example, cross-site scripting was folded into Injection, XML External Entities (XXE) into Security Misconfiguration, and Insecure Deserialization into the larger Software and Data Integrity Failures category. With the list capped at ten entries and the data showing a wide spread of distinct weaknesses, broader classifications were the only way to keep it both short and representative.
Finally, several categories were renamed so that they more accurately reflect the types of vulnerabilities they cover, focusing on root causes rather than symptoms. The Broken Authentication category, for example, was renamed Identification and Authentication Failures and now includes Common Weakness Enumeration (CWE) entries that relate to identification failures as well as authentication ones.
Previous Lists Still Relevant
Despite the recent update and changes in categories, however, older OWASP Top 10 lists are still relevant – including the original OWASP list from 2003. Many of the items from earlier OWASP Top 10s can still be found on the 2021 Top 10 list even if they are packaged a little differently.
Implications of the new OWASP Top 10
The OWASP Top 10 is an awareness document that represents a broad consensus about the most critical security risks to web applications, their impacts, and their countermeasures. Organizations looking to maintain a robust security posture adopt it as a baseline for minimizing known risks, and it is widely used as a guide for developing, purchasing, and maintaining software applications.
In addition, Security Operations Centers (SOCs) use the OWASP Top 10 to maintain awareness of, and competency in, the threats facing websites and web applications, and as a guide to learning how to defend their organization. Companies use an average of 765 different web applications in their business operations, many of which are vulnerable to attack. Knowing the security risks in these applications is critical to detecting, preventing, and mitigating attacks against them.
Cyberbit Prepares Your SOC Team Analysts for OWASP Vulnerabilities
While having the right security tools and technology for your organization's SOC team is crucial to a robust cyber defense and security posture, it is not enough. Your SOC team must also be equipped with the knowledge, skills, and experience needed to identify and understand the risks posed by OWASP vulnerabilities, and must know how to use those tools and technologies to mount a swift response. The Cyberbit platform provides a learning path in which SOC analysts experience OWASP vulnerabilities on vulnerable web servers, websites, and web applications, giving them a real example of their impact and a path to develop and practice the skills to remediate them. With the knowledge gained from the labs, analysts can then use the cyber range included in Cyberbit to test and further sharpen their OWASP analysis, detection, investigation, and mitigation skills, gaining hands-on experience with the security tools, playbooks, and processes critical to defensive work.
Cyberbit OWASP Blue Team and Red Team labs and range exercises:
| Red lab | Blue lab |
| --- | --- |
| Broken Access Control: OWASP Broken Access Control | Security Misconfiguration: S3 Misconfiguration – AWS Cloud |
| Cryptographic Failures: OWASP Sensitive Data Exposure | Security Logging and Monitoring Failures: Splunk Investigation – Web Traffic Analysis |
| Injection: Cross the Site – XSS | |
| Security Misconfiguration: OWASP – Security Misconfiguration | |
| Identification and Authentication Failures: OWASP – Broken Authentication | |

| Red live-fire range exercises | Blue live-fire range exercises |
| --- | --- |
| Injection: XX Cookie Stealer | Injection: CSS Keylogging Attack – AWS Cloud |
| Injection: Customer Data Exfiltration | Injection: SQLi Domain Hijacking |
| Vulnerable and Outdated Components: Exploit the Plugin | Injection: Killer SQLi |
| | Software and Data Integrity Failures: WordPress Blue Bad Plugin |
| | Server-Side Request Forgery: Manipulate Data Via SSRF – AWS Cloud |
| | Vulnerable and Outdated Components: WordPress Blue Bad Plugin |
Improving Your Web Application Security with OWASP Top 10
The threats posed by OWASP Top 10 vulnerabilities are widespread and their impact can be severe. Many are also easy to find and exploit with freely available tooling. This makes the OWASP list foundational to the skills your SOC team needs to build: threat actors will go after your web applications whether or not your SOC team understands the risks. By giving your SOC analysts the opportunity to develop and practice their detection and remediation skills against OWASP vulnerabilities, you strengthen the security posture and resilience of your organization.