OWASP Top 10 2021

Suraj Dhamak
4 min read · Sep 10, 2021

Recently OWASP released a peer-review draft of its Top 10 list, introducing three new categories.

Let's take a brief overview:

OWASP Top 10 2021 list:
A01:2021 - Broken Access Control
A02:2021 - Cryptographic Failures
A03:2021 - Injection
A04:2021 - Insecure Design [NEW]
A05:2021 - Security Misconfiguration
A06:2021 - Vulnerable and Outdated Components
A07:2021 - Identification and Authentication Failures
A08:2021 - Software and Data Integrity Failures [NEW]
A09:2021 - Security Logging and Monitoring Failures
A10:2021 - Server-Side Request Forgery [NEW]

Let's look briefly at what each of these categories covers:

A01:2021 - Broken Access Control:

In the 2017 list this category was at fifth position. As per the stats, 94% of applications were tested for some form of broken access control. Access control means applying constraints on who can perform certain actions or access the resources they request. It depends on authentication and session management. Broken access control vulnerabilities exist when a user can perform an action or access a resource that they are not supposed to be able to.
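As an added example (not code from the original post), here is the kind of object-level check that this category is about: the vulnerable handler serves whatever invoice id the request names, while the fixed one denies by default and allows only the owner or an admin. The invoices, users and roles are constructed sample data, and current_user stands in for the authenticated session identity.

```python
# Added example, not from the original post: an object-level authorization
# check. Invoice data, users and roles are constructed sample values;
# "current_user" stands in for the identity of the authenticated session.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested resource."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 75),
    1003: Invoice(1003, "alice", 40),
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Broken access control: the id comes straight from the request and the
    code never asks whether current_user is allowed to see that invoice."""
    return INVOICES[invoice_id]


def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    """Fixed: deny by default; allow only the owner or an admin."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "no such invoice" and "not yours", so the response does
    # not reveal which ids exist.
    if invoice is None:
        raise Forbidden("access denied")
    if invoice.owner != current_user and ROLES.get(current_user) != "admin":
        raise Forbidden("access denied")
    return invoice


def can_access(current_user: str, invoice_id: int) -> bool:
    """True if the fixed handler would serve the invoice to current_user."""
    try:
        get_invoice(current_user, invoice_id)
    except Forbidden:
        return False
    return True
```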

A02:2021 - Cryptographic Failures:

Cryptographic Failures was previously known as Sensitive Data Exposure and was at third position in the 2017 list. The focus here is on cryptographic errors that lead to sensitive data exposure. Sensitive data is confidential data that needs to be protected from people with malicious intent. It is most often exposed when an organization fails to secure its data, typically because the cryptographic techniques used fail to protect it and are easily broken by intruders.

A03:2021 - Injection:

In the 2017 list, Injection was at the first position. Injection is the act of sending untrusted user data to the web application as part of a command or query. Cross-Site Scripting (XSS) is included in this category in the 2021 list.
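As an added example (not from the original post), the SQL form of this category using Python's built-in sqlite3 and a constructed in-memory table: the vulnerable lookup pastes the username into the SQL text, so the input can change the query's structure; the fixed lookup keeps the SQL constant and binds the value as a parameter.

```python
# Added example, not from the original post: untrusted input reaching a SQL
# query as text versus as a bound parameter. The users table is constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a few sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injection: the input becomes part of the SQL text, so a value such as
    x' OR '1'='1 rewrites the WHERE clause instead of being compared."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the SQL text is constant; the value travels as a parameter and
    is only ever compared against the column, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]
```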

A04:2021 - Insecure Design:

It is a completely new category introduced in the 2021 list. It focuses on issues in the design of web applications. While building the product, vendors may add features that give an attacker an opportunity to break into the system. To overcome this, implementing secure architecture models, design patterns and principles is very important.

A05:2021 - Security Misconfiguration:

In the 2017 list this category was at 6th position. This vulnerability arises when a system component or software is misconfigured, giving attackers an opportunity to break into the system. It mainly occurs when an organization fails to implement a standard secure configuration for a system or network.

A06:2021 - Vulnerable and Outdated Components:

As per the 2017 list, this category was at 9th position and was previously called ‘Using Components with Known Vulnerabilities’. Systems often use components such as system software or libraries that are outdated or have known weaknesses that attackers can exploit. If a vulnerable or outdated component is exploited, it becomes easy for the attacker to compromise the complete system.

A07:2021 - Identification and Authentication Failures:

This category was previously known as ‘Broken Authentication’. It refers to weaknesses in two areas: session management and credential management. It occurs when attackers exploit these weaknesses to impersonate legitimate users, which happens when they succeed in compromising passwords, keys, session tokens, user account information or other details to assume user identities.

A08:2021 - Software and Data Integrity Failures:

This is a new category in the 2021 list. Its focus is on code and infrastructure that make assumptions about software updates, critical data and CI/CD pipelines without verifying their integrity.

A09:2021 - Security Logging and Monitoring Failures:

It was previously named Insufficient Logging & Monitoring and was placed at number 10 in the 2017 list. Security event logging and monitoring is a process in which organizations examine audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information. Failure in this process leaves the system vulnerable.

A10:2021 - Server-Side Request Forgery:

This category is newly added to the 2021 list. Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
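As an added example (not the post's code), a validator for URLs that a server-side fetcher is asked to retrieve, which is the usual mitigation for this category: it allows only https, only allowlisted hosts, rejects userinfo in the URL, and checks the address the host actually resolves to against internal ranges. The allowlist and the DNS table are constructed so the code runs offline.

```python
# Added example, not from the original post: validating a URL before the
# server fetches it, as an SSRF mitigation. The allowlist and DNS table are
# constructed; 198.51.100.0/24 is a documentation range standing in for
# public addresses.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}
# Ranges the server must never be induced to contact: RFC 1918, loopback,
# link-local (where cloud metadata endpoints live), multicast, IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
FAKE_DNS = {"api.example.com": "198.51.100.10",
            "images.example.com": "198.51.100.11"}

def fake_resolve(host: str) -> str:
    """Stand-in for a DNS lookup; raises KeyError for unknown names."""
    return FAKE_DNS[host]

def validate_outbound_url(url: str, resolver=fake_resolve) -> str:
    """Return url if the server may fetch it, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        # With userinfo present, an allowlisted name can sit before '@'
        # while the real host is something else; refuse it outright.
        raise ValueError("userinfo not allowed")
    host = parts.hostname  # already lowercased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    # Check what the name resolves to, not only the name: an allowlisted
    # name can be pointed at an internal address.
    ip = ipaddress.ip_address(resolver(host))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if any(ip in net for net in BLOCKED_NETWORKS):
        raise ValueError("resolves to a blocked address")
    return url

def is_safe_url(url: str, resolver=fake_resolve) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except (ValueError, KeyError):
        return False
```

In a real service the resolver would be the actual DNS lookup, and the fetcher should connect to the address that was checked rather than resolving the name a second time.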

This was a short and crisp overview of the proposed OWASP Top 10 2021.

I hope this was informative. For any queries, please feel free to connect on LinkedIn.

Happy Learning !!

Source : OWASP Foundation | Open Source Foundation for Application Security
