What’s Changed with the OWASP Top 10 2021?

With over half of the OWASP Top 10 having undergone change, the 2021 edition is significantly different than its 2017 predecessor. Here  we  will cover what you need to know, how it will impact your organization and the services we provide. 

The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. It is hard to have a conversation about web app security without mentioning OWASP as they provide a common ground between penetration testers and developers to collaborate on the discovery and remediation of vulnerabilities.   

As the premier advocate for web application security for over 20 years, OWASP has kept pace with the times and rightfully expanded its charter to include mobile apps and APIs. OWASP’s reach is global, having chapters and conferences around the world and input from the top names and firms in the web application security community.  

OWASP’s Top 10 has become a pseudo standard and reference in nearly every vulnerability report. To keep pace with ever-changing threats, they are committed to refreshing their Top 10 every three to four years. Powering the Top 10 is the wisdom and data from the security community, distilling it down to a shortlist of vital topics for anyone looking to securely develop applications. Now that the 2021 version has been officially released, it is only a matter of time before it is fully adopted and the common language for talking about web app security vulnerabilities.   

Broken Access Control becomes #1  

With a major upgrade from #5 to the top risk to web applications today, in the category of A01:2021-Broken Access Control. Broken Access Control encapsulates flaws as straightforward as the unintended and unauthorized disclosure of sensitive information to an attacker, to the more-sophisticated and harder-to-exploit Cross-Site Request Forgery (CSRF).   

Flaws in Access Control can be especially insidious as they are difficult for automated security scans to detect. These flaws arise as a difference in what the application developer intends for the application to do versus what else is actually possible. This can be hard to model and requires a concentrated effort by someone familiar with the application’s inner workings to properly assess.  

Cryptography failures are increasingly prevalent   

Now #2 in the Top 10 is A02:2021-Cryptographic Failures, up to one from #3. This category may seem new and that’s because it is, at least in the name. Previously this category was known as A3:2017-Sensitive Data Exposure. Its name was changed in order to be more specific and to highlight the common root cause of these exposures. Included in this category now are topics as abstract as insufficient entropy and broken algorithms to the more concrete, including the use of a hard-coded password or a complete lack of encryption in the first place.  

Injection is down, but still a top 3  

Another interesting shift is the downgrade that Injection experienced going from #1 to #3, even despite absorbing the entirety of A7:2017-Cross-Site Scripting (XSS). Now titled A03:2021-Injection, this category includes injections of all flavors including SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL). But in the end, these are all similar at their core and are good candidates for well-integrated security testing strategies.  

Insecure Design is the top new concern  

The first entirely new category for 2021 is A04:2021-Insecure Design. This category was created to address flaws in software that stem from its design itself. Any flaws introduced here condemn it from the very beginning. One reason this category deserves such emphasis is that flaws introduced this early in the Software Development Life Cycle (SDLC) become more difficult and expensive to remedy over time. Highlighting this category so prominently brings awareness to proactive measures such as threat modeling and secure design principles that can be adopted early in the software’s lifecycle.  

Security Misconfiguration levels up  

Security Misconfiguration moved up one position and also absorbed A4:2017-XML External Entities (XXE). With highly complex software having an overwhelming capacity to be configured, vulnerabilities can arise simply due to deployment, even if the software arguably is not flawed itself. The absorption of XXE into A05:2021-Security Misconfiguration makes sense as that type of vulnerability is commonly remedied through securely configuring the XML parser.  

Third-party component risk gains traction  

Now coming in at #6 with a huge upgrade is A06:2021-Vulnerable and Outdated Components. This may sound familiar as it is the new name for what was previously A9:2017-Using Components with Known Vulnerabilities, which ranked #9 in 2017. A rise in three positions signals the importance of recognizing and managing the risk our applications assume when (not if) we bring in outside code.  

Authentication is still important but drops 5 positions  

Displaying the largest drop in rank is A07:2021-Identification and Authentication Failures, down from #2 in 2017 to #7. OWASP attributes this large success to the increased availability of standardized frameworks. Using a standardized framework that provides authentication functionality out of the box reduces the need to engineer your own, helping you avoid all the possible pitfalls along the way.  

Software and Data Integrity becomes a priority  

Coming in at #8 is an entirely new entrant, A08:2021-Software and Data Integrity Failures. This category was created to bring attention to a critical missing link—integrity checking—in processes such as software updates and in CI/CD pipelines. This helps us take a step back to look at the overall operational picture, reinforcing that software isn’t created and deployed in a vacuum. Errors here, right before the finish line of completed software’s final step, can still have a devastating impact. Also, now absorbed within this category is A8:2017-Insecure Deserialization, previously of the same rank. This makes sense as insecure deserialization has to do with data tampering.  

Don’t forget logging and monitoring  

Continuing the emphasis on the operational aspects surrounding software is the upgrade from #10 to #9 of A09:2021-Security Logging and Monitoring Failures. This comes at the urging of the polled community. This category had a slightly different name before as A10:2017-Insufficient Logging & Monitoring, and this is because it has now been expanded to include more types of failures. While these types of failures do not map cleanly to CVEs and CVSS scores like traditional vulnerabilities, they are important nonetheless because they can cause problems for security response and investigative teams during and after a compromise.   

Continual monitoring, validation, secure storage, archiving, and retention of critical system logs are all essential for compliance and security purposes but are often extremely labor-intensive when performed in-house. MegaplanIT’s SOCaaS ensures organizations are protected at all times from cyber threats by the latest cutting-edge security technologies, maintained by highly skilled and experienced security practitioners. Based out of our state-of-the-art SOC in Scottsdale, Arizona, our SOCaaS service is one part of a wider service offering that can meet the specific security and compliance needs of your organization, with monitoring 24/7/365. 

Server-Side Request Forgery is a burgeoning problem  

Making its debut in the OWASP Top 10 is A10:2021-Server-Side Request Forgery. SSRF in short is the ability of an attacker to misuse your server-side application to access other, unauthorized resources. What is interesting about the addition of SSRF to the Top 10 is that doing so is refreshingly proactive. The community seems to be anticipating this category’s prevalence even before the data shows it. This anticipation has led to good signals including above-average testing coverage as well as a sobering typical calculation of its exploitability and impact metrics.  Source: https://owasp.org/Top10/  

As you can see, a lot changed between 2017 and 2021. The release of the new Top 10 coincides with OWASP’s 20th anniversary, and with that level of maturity takes into account both data and input from the security community. You can rely on MegaplanIT’s full suite of security services and experts to help you navigate these changes and more affecting your critical applications.  

How MegaplanIT can help protect you from OWASP Top 10 Vulnerabilities:

As we near the end of 2021, have you had a chance to review the changes that were made to the OWASP Top 10? Items like Third-Party Components, Broken Access Control, and Cryptography failures have gone up on the list, while Authentication has dropped 5 positions, just to name a few highlights. As OWASP continues to mature year after year with the input of the security community, it is crucial that you are keeping your systems and processes up to date. MegaplanIT can help protect your business from the Top 10 Vulnerabilities through things like Logging and Monitoring, Vulnerability Scanning, Penetration Testing, Architecture Review, and perhaps the implementation of a SOAR Tool. Before we close out the year, make sure that you have these buttoned up and as always, our team of experts are available and ready to support you at all times.

Log Management 

Let us become your partner in solving log management challenges with the latest solutions. We continually evaluate our logging sources throughout the day and validate this information with your team each month during our managed security service review meeting. We help coordinate every aspect of logging for your organization, so you can trust your logs will be securely stored, readily accessible, and retained for the specific amount of time required for compliance. 

View Service >

SOAR Solution 

With automated alert contextualization provided via a combination of proprietary and open-source intelligence feeds, MegaplanIT’s security team can rapidly triage and drill down on suspicious activity to identify malicious actors in your environment. MegaplanIT’s SOAR Capabilities can cut your current incident response time down from days to minutes! With our hands-on security management, you can improve your security infrastructure which will result in Maximizing your ROI.

View Service >

Vulnerability Scanning  

Powerful vulnerability scanning uses a combination of automated systems and dedicated hunting to identify entry points and vulnerable systems that might otherwise be missed by evaluating computers, computer systems, networks, and/or applications for weaknesses that could lead to outside infiltration or security breaches. MegaplanIT consultants scour your company’s websites and IT infrastructure to locate vulnerabilities, gaps, and potential penetration points. After a thorough evaluation of the current security level of your organization’s Internet services and externally facing systems, our specialists will educate your team about any weaknesses uncovered and provide a detailed roadmap for remediation. 

View Service >

Web App Pen Testing  

Website Application Penetration Tests are designed to evaluate the security of any browser or network-based application by simulating attacks from malicious sources like malware, spyware, and cybercriminals. MegaplanIT experts use proprietary tools and techniques to uncover any vulnerabilities present before they can be exploited. Once testing is complete, we produce a comprehensive report that documents testing results, describes any issues identified, and provides specific recommendations for quick and efficient remediation. 

View Service >