Table of contents
The OWASP (Open Web Application Security Project) Top Ten is a list of the top 10 most critical web application security risks. The list is updated every few years, with the most recent version being the OWASP Top Ten 2021. The current OWASP Top Ten 2021 list is:
- Broken access control vulnerabilities occur when an application does not properly restrict access to resources or functionality based on user roles or permissions.
- Cryptographic failures occur when sensitive data is not properly encrypted or stored securely.
- Injection flaws occur when an application sends untrusted data to an interpreter, which can lead to the unintended execution of malicious code.
- Insecure design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
- Security misconfiguration vulnerabilities occur when an application is not properly configured to protect against attacks, such as default passwords, error messages revealing too much information, and open ports.
- Vulnerable and outdated components occur when an application uses third-party components, such as libraries and frameworks, that have known security vulnerabilities.
- Identification and Authentication flaws occur when an application allows unauthorized users to access sensitive data or functionality.
- Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
- Security Logging and Monitoring vulnerabilities occur when an application does not properly log and monitor security events, which can make it difficult to detect and respond to attacks.
- Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.
A02:2017-Broken Authentication and Session Management
A03:2017-Sensitive Data Exposure
A04:2017-XML External Entities (XXE)
A05:2017-Broken Access Control
A07:2017-Cross-Site Scripting (XSS)
A09:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging and Monitoring
The OWASP Top Ten is part of the cybersecurity field, specifically the web application security subfield. The OWASP Top Ten is a widely recognized list of the most critical web application security risks, and it is regularly updated by a community of security experts from around the world.
Web application security is an essential aspect of cybersecurity, as many cyber attacks involve exploiting vulnerabilities in web applications to gain unauthorized access, steal data, or carry out other malicious activities. Therefore, understanding the OWASP Top Ten and implementing measures to prevent these security risks is crucial for organizations to protect their web applications and ensure that they are not vulnerable to cyber-attacks.
The OWASP Top Ten is an important component of the cybersecurity field, providing guidance on the most critical web application security risks and helping organizations and developers build more secure web applications. Knowing the OWASP Top Ten is critical for programmers and developers to ensure that they build secure applications that protect against the most common and significant web application security risks.