OWASP TOP 10 Security Risks — Past and Present

Burak Vural
5 min read · Nov 17, 2023


The Open Web Application Security Project (renamed the Open Worldwide Application Security Project in 2023) is best known for its work on web application vulnerabilities, and its periodically updated OWASP Top 10 is one of the most widely read documents in the security world.

Web applications can be vulnerable for many reasons: a flaw may be introduced in the design of the project, in the code, or in the configuration of the server that hosts it. The OWASP Top 10 ranks the ten most critical categories of web application security risk, based on data contributed by the industry and on a community survey; each category groups related weaknesses (CWEs) rather than naming a single vulnerability.

OWASP is run by the OWASP Foundation, a non-profit whose website is a central reference point for the security community: practitioners publish and follow a great deal of material there, and it hosts the OWASP Top Ten project itself.

In this article we go through the ten categories of the current edition, OWASP Top 10:2021, and what changed relative to the 2017 list.

What Are the Most Common Web Application Security Risks?

A01: Broken Access Control:

Broken Access Control moves up from fifth place in 2017 to first place in 2021; 94% of applications were tested for some form of broken access control, and the 34 Common Weakness Enumerations (CWEs) mapped to this category had more occurrences in applications than any other category. The failure here is that users can act outside their intended permissions: for example, viewing or editing another user's record by changing an identifier in the request, reaching administrative functions without the right role, or bypassing checks by tampering with a JWT, cookie or hidden field. Weak passwords and guessable credentials are a different problem and fall under A07.
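As an added example (not code from the original post), here is the insecure direct object reference pattern beside a handler that enforces ownership. The users, invoices and in-memory table are constructed for the demonstration:

```python
"""Broken access control (IDOR) next to a hardened handler.

Added example: constructed data, not code from the original post.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours' so ids cannot be enumerated."""


# Constructed sample table standing in for the database.
INVOICES: Dict[int, Invoice] = {
    100: Invoice(100, owner_id=1, amount=49.90),
    101: Invoice(101, owner_id=2, amount=1200.00),
}


def get_invoice_vulnerable(current_user: Optional[User], invoice_id: int) -> Invoice:
    """Checks only that someone is logged in. Any authenticated user can read any
    invoice by changing the id in the request: an insecure direct object reference."""
    if current_user is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def get_invoice_secure(current_user: Optional[User], invoice_id: int) -> Invoice:
    """Deny by default: the record is returned only to its owner or to an admin.
    Missing and unauthorised records get the same response."""
    if current_user is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("not found or not permitted")
    if current_user.role != "admin" and invoice.owner_id != current_user.user_id:
        raise Forbidden("not found or not permitted")
    return invoice


if __name__ == "__main__":
    alice = User(user_id=1, role="user")
    # Alice edits the id in her request and reads Bob's invoice through the weak handler.
    print("vulnerable:", get_invoice_vulnerable(alice, 101))
    try:
        get_invoice_secure(alice, 101)
    except Forbidden as exc:
        print("secure:", exc)
```

Note that the weak handler also raises a bare KeyError for an unknown id, so an attacker can distinguish "exists but not mine" from "does not exist"; the secure version returns one response for both.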

A02: Cryptographic Failures:

Cryptographic Failures moves up one place to second. The category was previously called Sensitive Data Exposure, which described a broad symptom rather than a root cause; the renewed focus is on failures related to cryptography, which often lead to exposure of sensitive data or to system compromise. Typical examples are transmitting data in clear text, using deprecated algorithms or weak keys, storing passwords with a fast unsalted hash, and poor or hard-coded key management.
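An added example of the most common form of this failure, storing passwords with a fast unsalted hash, beside a standard-library fix. This is illustrative code, not the author's, and the password values are constructed:

```python
"""Password storage done wrong and done right.

Added example, not code from the original post. Uses only the standard library.
"""
import hashlib
import hmac
import os
from typing import Optional

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password_weak(password: str) -> str:
    """Unsalted MD5: identical passwords give identical digests, and MD5 is fast
    enough that leaked hashes can be brute-forced or looked up in precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow key derivation. Output: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(hash_password_weak("hunter2") == hash_password_weak("hunter2"))  # no salt: always equal
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
```

For new systems prefer a memory-hard function (Argon2id or scrypt) where a library is available; PBKDF2 is shown here because hashlib ships it everywhere. Whatever the algorithm, the salt and work factor are stored alongside the hash so they can be raised later without breaking existing accounts.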

A03: Injection:

Injection slides down to third place. 94% of applications were tested for some form of injection, and the 33 CWEs mapped to this category had the second most occurrences in applications. Cross-Site Scripting (XSS) is now part of this category in this edition, since the root cause is the same: untrusted data reaches an interpreter (SQL, an OS shell, LDAP, or the browser's HTML parser) without being separated from the command or encoded for its context.
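An added example (not code from the original post) with a constructed in-memory SQLite table, showing a classic SQL injection and a reflected XSS next to the parameterised query and output encoding that fix them:

```python
"""SQL injection and reflected XSS beside their fixes.

Added example with a constructed in-memory SQLite table; not code from the original post.
"""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """String concatenation: the quote in the input closes the literal and the rest
    becomes SQL, so x' OR '1'='1 turns a lookup into a dump of the whole table."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_secure(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterised query: the driver sends the value separately from the statement,
    so quotes inside it are just characters to compare against."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Reflects user input straight into HTML (XSS is part of A03 since 2021)."""
    return f"<p>Hello, {name}!</p>"


def greeting_secure(name: str) -> str:
    """Context-aware output encoding for an HTML text node."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, SQLI_PAYLOAD))  # every row
    print(find_user_secure(conn, SQLI_PAYLOAD))      # []
    print(greeting_vulnerable(XSS_PAYLOAD))
    print(greeting_secure(XSS_PAYLOAD))
```

The escaping shown is correct only for an HTML text node; a value placed inside an attribute, a URL or a script block needs the encoding for that context, which is why template engines with automatic contextual escaping are preferred over hand-built strings.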

A04: Insecure Design:

Insecure Design is a new category for 2021 and focuses on risks that stem from design flaws rather than from implementation bugs. A perfect implementation cannot fix a design that is insecure by construction, because the necessary controls were never specified. If we genuinely want to "shift left" as an industry, this requires more use of threat modelling, secure design patterns and principles, and reference architectures.

A05: Security Misconfiguration:

Security Misconfiguration moves up from sixth place in the previous edition to fifth; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it is not surprising to see this category move up. The former XML External Entities (XXE) category is now part of this one. Typical findings are unnecessary features and default accounts left enabled, verbose error messages, missing security headers, and XML parsers that process external entities.

A06: Vulnerable and Outdated Components:

Previously titled "Using Components with Known Vulnerabilities", this category is ranked #2 in the Top 10 community survey and also had enough data to make the Top 10 through data analysis. It moves up from ninth place in 2017 and is a known issue that the industry struggles to test for and to assess the risk of. It is the only category without any Common Vulnerabilities and Exposures (CVEs) mapped to its CWEs, so default exploit and impact weights of 5.0 are factored into its scores.

A07: Identification and Authentication Failures:

Formerly known as Broken Authentication, this category slides down from second place to seventh and now includes CWEs more closely related to identification failures. It remains an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

A08: Software and Data Integrity Failures:

This is a new category for 2021 and focuses on code and infrastructure that make assumptions about software updates, critical data and CI/CD pipelines without verifying integrity: for example, pulling dependencies or updates from untrusted sources without signature checks, or trusting serialized data that came from a client. It carries one of the highest weighted impacts from the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now part of this larger category.
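An added example, not from the original post, of why unverified deserialization belongs in this category, and of an integrity-checked alternative. The HMAC key and the serialized objects are constructed for the demonstration:

```python
"""Insecure deserialisation versus an integrity-checked data format.

Added example, not code from the original post; key and payload are constructed.
"""
import hashlib
import hmac
import json
import os
import pickle
from typing import Any


class Gadget:
    """What an attacker serialises. pickle calls the returned callable with the
    given arguments while deserialising, so loads() runs code the producer chose."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def exploit_payload() -> bytes:
    return pickle.dumps(Gadget())


def current_pid() -> int:
    return os.getpid()


def load_untrusted_pickle(data: bytes) -> Any:
    """Vulnerable: pickle is not a data format, it is a program the sender wrote."""
    return pickle.loads(data)


def sign(obj: Any, key: bytes) -> bytes:
    """Serialise to canonical JSON and prepend an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return tag + b"." + body


def load_signed(blob: bytes, key: bytes) -> Any:
    """Verify the tag in constant time before parsing. JSON yields only data,
    so even a valid blob cannot name a function to call."""
    tag, sep, body = blob.partition(b".")
    if not sep:
        raise ValueError("malformed blob")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(body)


if __name__ == "__main__":
    # The "data" returned by loads() is the pid of this process: eval ran inside pickle.loads.
    print(load_untrusted_pickle(exploit_payload()) == current_pid())
    key = os.urandom(32)  # constructed for the demo; real keys live in a secrets store
    blob = sign({"user": "alice", "role": "user"}, key)
    tampered = blob.replace(b'"role":"user"', b'"role":"admin"')
    print(load_signed(blob, key))
    try:
        load_signed(tampered, key)
    except ValueError as exc:
        print("rejected:", exc)
```

HMAC proves the blob came from a holder of the key; when several parties must verify data they did not produce, use a digital signature instead. The same principle applies to software updates and CI/CD artifacts: verify a signature or pinned checksum before acting on them.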

A09: Security Logging and Monitoring Failures:

Previously known as Insufficient Logging & Monitoring, this category is added from the industry survey (#3) and moves up from tenth place in the previous edition. It has been expanded to include more types of failures, is challenging to test for, and is not well represented in CVE/CVSS data. Failures here directly affect visibility, incident alerting and forensics: auditable events such as logins, failed logins and high-value transactions go unlogged, logs are kept only on the local host, or nobody acts on them.
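An added example (not from the original post) of detection logic over authentication logs. The log lines and their format are constructed for the demonstration; the point is that failed logins are only useful if something reads them:

```python
"""Turning authentication logs into alerts.

Added example with constructed log lines in a made-up format; not code from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample: one noisy source, one slow-and-quiet source.
SAMPLE_LOG = """\
2023-11-17T10:00:01Z login_failed user=admin ip=203.0.113.10
2023-11-17T10:00:03Z login_failed user=admin ip=203.0.113.10
2023-11-17T10:00:04Z login_failed user=root ip=203.0.113.10
2023-11-17T10:00:06Z login_failed user=admin ip=203.0.113.10
2023-11-17T10:00:07Z login_failed user=alice ip=203.0.113.10
2023-11-17T10:00:09Z login_ok user=alice ip=203.0.113.10
2023-11-17T10:05:00Z login_failed user=bob ip=198.51.100.7
2023-11-17T11:30:00Z login_failed user=bob ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # in production, count unparseable lines too: silence is itself a signal
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, match["event"], match["user"], match["ip"]


def analyse(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[Dict]:
    """Sliding window of failures per source IP. Emits one 'bruteforce' alert when the
    count reaches `threshold`, and a 'success_after_failures' alert when a login succeeds
    from an IP that has three or more recent failures (possible credential stuffing)."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for ts, event, user, ip in parse(log_text):
        bucket = recent[ip]
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)  # expire failures that fell out of the window
        if event == "login_failed":
            bucket.append(ts)
            if len(bucket) == threshold:
                alerts.append({"type": "bruteforce", "ip": ip, "failures": threshold, "at": ts})
        elif event == "login_ok" and len(bucket) >= 3:
            alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                           "failures": len(bucket), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The second rule is the one that matters most operationally: a burst of failures followed by a success from the same source is the signature of a credential that has just been guessed or replayed, and it should page someone rather than sit in a file.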

A10: Server-Side Request Forgery:

This category is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above-average testing coverage, along with above-average ratings for exploit and impact potential. It represents a scenario where members of the security community are telling us this is important, even though the data does not yet show it. SSRF occurs when an application fetches a remote resource from a URL supplied by the user without validating it, letting an attacker make the server send requests to internal services or cloud metadata endpoints that are unreachable from outside.
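An added example, not code from the original post, of validating a user-supplied URL before the server fetches it. The DNS table is constructed so the code runs offline; a real implementation would call socket.getaddrinfo in its place:

```python
"""Validating an outbound URL before a server-side fetch.

Added example, not code from the original post. The name lookups are a constructed
table so the example runs offline; a real implementation would call socket.getaddrinfo.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed DNS answers. The last entry models DNS rebinding / split answers,
# where one record is harmless and another points inside the network.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
}


def resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_public_address(text: str) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata), multicast, reserved,
    unspecified and carrier-grade NAT ranges. IPv4-mapped IPv6 is unwrapped first so
    [::ffff:127.0.0.1] cannot slip past the IPv4 rules."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, allowed_schemes=("http", "https"), allowed_ports=(80, 443)) -> List[str]:
    """Return the public IPs the request may be sent to, or raise ValueError.
    Fails closed: anything that cannot be parsed or resolved is refused."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, incl. bracketed IPv6
    except ValueError:
        addresses = resolve(host)  # hostname; odd spellings like 0x7f000001 land here and fail closed
    if not addresses:
        raise ValueError(f"cannot resolve {host!r}")
    for addr in addresses:  # every answer must be public, not just the first
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addresses


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.internal/",
        "http://rebind.attacker.example/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ]:
        try:
            print("allow", candidate, validate_outbound_url(candidate))
        except ValueError as exc:
            print("deny ", candidate, "->", exc)
```

Validation alone still leaves a time-of-check/time-of-use gap: a hostname can be re-resolved to a different address when the HTTP client connects, so connect to the vetted IP (setting the Host header yourself) and either disable redirect following or validate each redirect target the same way. Where the business case allows it, an allowlist of permitted destinations is stronger than this denylist of address ranges.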

What can be done?
The OWASP Top 10 list should be studied in detail rather than treated as a checklist. A project is more likely to ship without these weaknesses when red team (offensive) and blue team (defensive) work both feed back into development.

# Keep your application up to date and review its code

# Keep up with server maintenance, platform analysis and new releases

# Use current encryption algorithms and password hashing for data at rest, and audit for weak or predictable random number generation

# Watch for XML External Entity (XXE) exposure and data leaks; retain and review security logs

# Harden authentication, token handling and password management

# Make your design more secure

To summarize web application security in a few steps:

Secure Development Practices:

Security should be considered from the early stages of the application’s development process. It is important to write code in accordance with secure software development principles.

Access Controls and Authentication:

User authentication and access controls must be implemented correctly. Use strong password policies, multi-factor authentication, and deny-by-default authorization checks on every request.

Data Validation and Cleansing:

Incoming data must be validated and sanitized on the server side. Combined with parameterised queries and context-aware output encoding, this protects against injection attacks by refusing or neutralising unsafe input.

Firewalls:

Firewalls should be used at both the network and the application level (a web application firewall). They block unknown or unwanted traffic and known attack patterns, but they are a defence-in-depth layer, not a substitute for fixing the application.

Security Updates:

The technology and libraries used in the application should be updated regularly and security patches should be applied quickly.

SSL/TLS Usage:

Use TLS (1.2 or later; the SSL versions are obsolete and should be disabled) for all data in transit, so that it is encrypted and cannot be read or tampered with on the way.

Session Management Security:

Session management must be secure. Session identifiers should be random and unguessable, transmitted only over TLS in cookies marked Secure and HttpOnly (never in URLs), stored securely on the server side, rotated after login, and expired with a correctly set timeout.

Secure File Handling:

User-uploaded files must be processed and stored securely: validate type and size, store them outside the web root under server-generated names, and test upload endpoints for vulnerabilities.

Monitoring and Logging:

Security-relevant events in the application should be monitored and logged. This helps detect attacks in progress and supports post-incident analysis of what happened and why.

Education and Awareness:

Application developers and users should be trained and made aware of security issues. Security awareness can reduce the risk of creating or exploiting a vulnerability.

Vulnerability Scans and Penetration Tests:

Vulnerability scans and penetration tests should be performed periodically. This can help detect and fix application vulnerabilities.

Quick Response to Problems:

Emergency plans and response processes should be created to provide a rapid response in case of security breaches.

Written by Burak Vural

Software | Cyber Security | FullStack | Dev.Note and some coffee! Ars magus de templum clavis
