OWASP updates top 10 list with decades old security risk in #1 spot

3 years ago 385

2021 database shows however acold exertion information has travel and however overmuch enactment is near to do.

owasp-2lists.jpg

OWASP updated its database of the apical 10 bundle information risks for 2021. This illustration illustrates the changes from the 2017 mentation of the list. 

Image: OWASP

Security adept and Veracode CTO Chris Wysopal identified breached entree power arsenic a information hazard successful 1996. OWASP conscionable pushed that bundle information occupation to the archetypal spot successful the 2021 update of its apical 10 list. Despite the longevity of that risk, Wysopal describes the latest list arsenic connected the starring borderline of information champion practices with the accent connected monitoring the bundle proviso concatenation astatine the macro (external APIs and software) and micro levels (libraries).  

"The champion grounds of this is that the highly dilatory moving national authorities is going to clasp vendors accountable for delivering unafraid software," helium said. 

SEE: Expert: Biden's enforcement bid connected cybersecurity is simply a bully commencement toward protecting organizations

He listed NIST's definition of captious software, the mounting of minimum standards for suppliers and IoT and bundle labeling arsenic important elements of President Joe Biden's caller enforcement bid connected bundle security

"These changes marque it truthful that a purchaser of bundle tin easy spot what's been done to unafraid their software," helium said. 

Wysopal describes the enforcement bid arsenic a agelong overdue measurement successful the close absorption that volition fortify the information of national agencies and their bundle proviso chain.  

"As the authorities continues to get much elaborate astir requirements, ratings and labeling, it should stock that accusation with the backstage assemblage to guarantee that ALL bundle is held to the aforesaid standards," helium said.

In the OWASP Top 10: 2021, Broken Access Control moved into archetypal place, up from 5th spot connected the 2017 Top 10 list. Also, determination are 3 caller categories, 4 categories with naming and scoping changes and immoderate consolidation. 

  1. Broken entree control
  2. Cryptographic nonaccomplishment (previously known arsenic delicate information exposure)
  3. Injection
  4. Insecure plan
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and information integrity failures
  9. Security logging and monitoring failures (previously insufficient logging and monitoring)
  10. Server-side petition forgery

OWASP notes that immoderate of the class names person changed to absorption connected the basal origin implicit the symptom.

How to construe the caller list

Sean Wright, main exertion information technologist astatine Immersive Labs, said the updated database shows however acold appsec has travel and however acold the enactment inactive needs to go. 

"Half of the categories successful the caller database person appeared successful each azygous database since 2003 successful immoderate signifier oregon form, truthful 18 years of technological developments, experiments and learnings has not been capable to remedy these flaws," helium said. "This means we request to alteration our attack to exertion security."

Wright said adopting a hybrid human/technology attack to resolving these vulnerabilities volition amended exertion information and, hopefully, resoluteness immoderate of the astir impactful issues from the past 2 decades. 

John Andrews, vice president of Global Channel astatine Invicti, said that the caller OWASP Top 10 database takes a overmuch broader presumption than erstwhile editions, which sends a wide connection that uncovering and fixing vulnerabilities is lone 1 portion of modern exertion security.

Andrews said caller categories similar Insecure Design and Software and Data Integrity Failures reenforce 2 large manufacture trends: the determination to execute information investigating from the aboriginal stages of improvement (shift left) and the caller absorption connected bundle proviso concatenation security.

"The flip broadside of this caller big-picture attack is that, dissimilar aboriginal editions, the Top 10 for 2021 is nary longer a elemental vulnerability investigating checklist, which whitethorn bounds its usefulness arsenic an unofficial but wide utilized exertion information standard," helium said.

Prioritizing fixes for the apical 10 risks

Injection issues and misconfiguration tin usually beryllium fixed with a fewer lines of code, but flaws similar Insecure Design tin instrumentality days oregon weeks to fix, Wysopal said.

"This is wherefore it is important to drawback immoderate flaws astatine the plan signifier oregon earlier successful improvement erstwhile they tin beryllium fixed overmuch much easily," helium said.

Wysopal would prioritize fixing #1 breached entree control, #3 injection, and #6 susceptible and outdated components due to the fact that those flaws are immoderate of the easiest for attackers to find and exploit.

DevOps and pipeline automation should thrust the improvement of information arsenic codification (SaC), compliance arsenic codification (CaC), and infrastructure arsenic codification (IaC), Wysopal said, arsenic the adjacent improvement appsec.

"In a nutshell, everything that tin beryllium codification volition beryllium code, meaning changes volition beryllium introduced lone erstwhile caller codification is pushed into production," helium said. "This improvement volition dramatically easiness the load connected improvement teams to thrust adoption of information tools, making bundle information 2nd nature."

Wysopal predicts that this attack to bundle volition region friction from the improvement process, little costs and amended compliance with regulations.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article