New Top 10 OWASP: Incorrect Access Restrictions Are The Biggest Threat To Web Applications

According to the Open Web Application Security Project (OWASP), a nonprofit organization of web developers dedicated to addressing security vulnerabilities, insufficient access restrictions are currently the biggest threat to web applications. This emerges from a draft of the OWASP Top 10 for 2021, which has now been circulated among developers interested in the project. The last OWASP Top 10 appeared in 2017; at that time (as in 2013) injection flaws were at the top of the list. Incorrect access restrictions were already in second place in 2017 and 2013.

OWASP is viewed by web developers and software project managers as a good source of information about security issues in web applications and how to avoid them. The project is committed to improving developers’ understanding of security vulnerabilities and thereby raising the baseline quality of software on the Internet. The data on which the Top 10 list is based comes from information on security vulnerabilities found in public web software and reported through relevant industry channels. OWASP also conducts regular surveys of experts who deal directly with such flaws. The organization regularly points out that its information is primarily based on issues that can be detected with automated processes, which means the Top 10 tends to lag behind the latest infosec trends for some time.

Interestingly, injection flaws – for a long time the bread and butter of anyone securing web applications – have slipped to third place in the new list and have been displaced by incorrect access restrictions and cryptographic failures. This coincides with the assessment of the Common Weakness Enumeration (CWE) project, which no longer lists code injection flaws in its current Top 25. So the trend is not limited to software on the Internet.

OWASP defines improper access restrictions as any type of security hole in which credentials are not requested at all or are requested in a way that can be circumvented or deceived. Cases where the user is incorrectly identified fall into a separate category (7th place on the list). OWASP previously called the cryptographic failures category “sensitive data exposure”; it now covers a broader area. All types of cryptographic failures are targeted, from poorly implemented or carelessly applied cryptography, to errors in the generation of pseudo-random data, to – an eternal classic – insecure passwords hard-coded into systems.
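The first category above, broken access control, most often shows up as a handler that trusts an object id from the request and never asks whether the caller may see that object. The following added example (not from the article or from OWASP) contrasts such a handler with a deny-by-default version; the invoice store, user names and the `Forbidden` error are constructed for illustration, and the caller is assumed to be already authenticated, since identification failures are a separate category.

```python
"""Broken access control: object-level authorization missing vs. enforced.

Constructed sample data only; no web framework, so it runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str          # user name of the account that owns the record
    amount_eur: int


# Constructed in-memory table standing in for a database.
INVOICES = {
    101: Invoice(101, "alice", 1200),
    102: Invoice(102, "bob", 80),
}


class Forbidden(Exception):
    """Hypothetical error type: the caller may not access the object."""


def get_invoice_insecure(current_user: Optional[str], invoice_id: int) -> Invoice:
    """Vulnerable pattern: the id comes straight from the URL and the owner
    is never compared with the caller, so any user (or nobody at all, when
    current_user is None) can enumerate ids and read every invoice."""
    return INVOICES[invoice_id]


def get_invoice(current_user: Optional[str], invoice_id: int) -> Invoice:
    """Hardened pattern: deny by default, then an explicit ownership check.
    Missing and foreign records raise the same error so the id space is not
    leaked through differing responses."""
    if current_user is None:                      # no session: nothing is visible
        raise Forbidden("authentication required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice


def can_read(current_user: Optional[str], invoice_id: int) -> bool:
    """Convenience wrapper: True only if the hardened check passes."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except Forbidden:
        return False
```

The insecure function returns bob's data to alice without complaint, while the hardened one refuses both a foreign id and a request without a session.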

Cross-Site Scripting (XSS) flaws, number 7 in the previous list, are now merged into the injection category at number 3. Server-Side Request Forgery (SSRF) joins the list for the first time this year, in 10th place. Two other newcomers are the “Insecure Design” and “Software and Data Integrity Failures” categories. The latter covers the unverified assumptions developers make when handling critical data, software updates, or the workflow of developing and releasing their software.

Rank  OWASP Top 10 2021                              2017 rank
 1    Broken access control                          5
 2    Cryptographic failures                         3
 3    Injection                                      1
 4    Insecure design                                Newcomer
 5    Security misconfiguration                      6
 6    Vulnerable and outdated components             9
 7    Identification and authentication failures     2
 8    Software and data integrity failures           Newcomer
 9    Security logging and monitoring failures       10
10    Server-side request forgery (SSRF)             Newcomer

Although the OWASP Top 10 for 2021 is not yet official and will likely take a few more months to be released, it is worth taking a look at the full list now. Given the pervasive security holes in web applications, developers and project managers can never be sufficiently aware of these vulnerabilities. Be aware, however, that information from OWASP can only provide a rough guide. Above all, it serves to educate IT professionals about issues that arise frequently. Software that is regularly checked against the top ten issues may be more secure, but that does not mean it is free of vulnerabilities. OWASP repeatedly warns against misusing the Top 10 as a simple checklist – which has probably happened time and again in the past, especially among middle management in large organizations.

If you would like more in-depth information on the details of the security vulnerabilities in the OWASP Top 10, the heise Events online workshop by Tobias Glemser on September 22 and 23 is recommended. The workshop is limited to 20 participants in order to leave enough room for questions. Glemser is a BSI-certified penetration tester and managing director of the security company secuvera and, as leader of the German chapter of the Open Web Application Security Project (OWASP), co-translator of the OWASP Top 10.
