The Open Web Application Security Project (aka OWASP) recently announced its latest updates to the venerable OWASP Top Ten list. This publication is meant to bring attention to the most common classes of software-related security issues facing developers and organizations in the hopes of helping them to better plan for and address potential high-severity issues in their codebases. While not specifically an industry standard, it is highly regarded among the security community and is regularly combined with findings from application security vendors and researchers to create a reference point for secure coding practices. The newest edition does make updates to certain conventions but also highlights the consistent issues seen throughout the years, such as injection attacks and insecure components.
Initially notable is the more generalized approach to categorization and naming, with OWASP describing the motivation for these changes as a “focus on the root cause over the symptom.” Given the complexity of modern web applications and software stacks, this new focus is a prudent reminder that focusing solely on the high-level presentation of flaws within complicated vulnerability taxonomies will only go so far in preventing breaches, and that true progress at any scale will only be made by remediations that address the underlying cause of discovered issues.
Supporting this focus is the inclusion of the new category A04:2021 – Insecure Design, bringing attention to the ever-growing need to address vulnerable application architectures and software flaws much earlier in the development process. While there has been considerable discussion about the industry’s need to “shift left” for the past several years, it is apparent that a lack of threat modeling and overall secure design continues to be a major issue for applications of all types. It is nice to see these concerns formally addressed at this level in the broader context of security risk awareness.
The addition of A08:2021 – Software and Data Integrity Failures and the higher ranking for A06:2021 – Vulnerable and Outdated Components both appear to be in a similar vein, further underscoring the need for organizations to prioritize the security controls associated with the development pipeline and surrounding technologies as much as the specifics of the application code itself. The frameworks, software libraries, and other tools that development teams rely on are updated with increasing speed. It is easier than ever for organizations to fall behind on patching and management of these supporting components. These areas will continue to be points of security concern for years to come, and the industry should continue the work of better addressing the role of tooling and pipeline concerns, as well as application threat modeling, within the general scope of security issues across the board.
The movement of A01:2021 – Broken Access Control to the number one position, while hardly a surprise, is reason for concern primarily due to the obstacles associated with detecting issues of this nature. Underlying many access control flaws are fundamental application logic errors, most of which are currently difficult, if not impossible, to discover with automated scanning of any kind. As most companies are unable to have penetration testers examine every release, applications may only undergo thorough manual security audits relatively infrequently, leaving a large footprint of possible flaws whose discovery and remediation times are measured in months, or even years.
Further complexity is introduced as modern web technologies move toward microservice architectures and application containerization, creating a need to test for access control issues related to the nuances of these components as well. While teams may do their best to adhere to a least-privilege model, it quickly becomes more difficult to follow best practice guidelines as additional endpoints and APIs are added and role management becomes more complex. The question now is how application teams will move forward in addressing vulnerabilities of this nature, given the difficulties associated with their discovery and remediation. A greater focus on manual testing of applications to discover logic issues may be required for long-term mitigation of these concerns and the industry will need to continue to innovate around less time-intensive methods of discovering these flaws.
A final point of interest is the new category, A10:2021-Server-Side Request Forgery, as flaws of this type can have outsized impacts and the consequences of successful SSRF attacks often cascade into other areas on the Top 10 list. While OWASP states that this item was included due to feedback from the security community rather than specific scan data or similar findings, this is likely a reflection of how the OWASP Top 10 drives the industry in addressing specific types of risk. It is likely, then, that with this addition to the list, we will see a greater incidence of SSRF flaws in future data sets which support its inclusion in this edition.
While the list is not all-inclusive, it certainly is a good complement to more detailed research such as Veracode’s State of Software Security V11 report, which digs deeper into the pervasiveness of broader threat types based on scans of over 135,000 applications. It also helps to shine a light on the evolving nature of software security issues related to open source adoption. Data shows that roughly 80 percent of new software development is based on open source tooling and frameworks. Understanding the security and compliance implications of these components can better support the software decision-making process and determine which security scanning tools can best support your development teams.
Check out the OWASP Top Ten page for more details on the recent critical security risks to web applications.