Understanding OWASP: The OWASP top 10 & how it works

OWASP stands for the Open Web Application Security Project. It is a non-profit organization dedicated to enhancing the security of software. It follows an “open community” concept, implying that anybody can join and contribute to OWASP-related online discussions, projects, and other activities.

The OWASP guarantees that its offerings, including anything from online tools and videos to forums and events, are free and readily available through its website.

What is the OWASP top 10?

The OWASP Top 10 ranks the top 10 most critical online application security threats, alongside the necessary corrective advice.

The report was created via a consensus among security professionals worldwide, and it draws on the enormous expertise and experience of the OWASP open community contributors.

To rank risks, one uses the recurrence of disclosed security flaws, the severity of the found vulnerabilities, and the extent of their potential repercussions.

The study aims to provide insight into the most common security risks so that developers and web application security professionals may incorporate the research’s findings and suggestions into their security procedures, thus mitigating the presence of known hazards in their applications.

In simple terms, OWASP has been producing a concise list of the top ten OWASP Vulnerabilities in the cybersecurity industry. This list is curated and contributed by top cybersecurity professionals worldwide, with its first edition published in 2003.

Why is the OWASP top 10 important?

The OWASP top 10 provides the most prevalent cybersecurity risks and the remediation of these problems.

This research project ensures that the vulnerabilities reported by OWASP allow companies to meet compliance and provide secure code within their systems and organizations.

The OWASP recommends the top 10 as a document of awareness for all organizations and incorporates the findings into their (Software Development Life Cycles) for added security.

The OWASP top 10 – 2021

In the 2021 version of the OWASP top 10, 3 new categories were introduced for web security vulnerabilities, and 4 categories had naming and scope changes. The changes can be viewed in the infographic below:

Top 10 OWASP vulnerabilities 2021

1. Broken Access Control

Access control maintains policy by preventing users from acting beyond the scope of their specified permissions. Failures generally result in unauthorized information disclosure, data alteration or destruction, or the performance of a business function beyond the user’s capabilities.

Because of a lack of access control, attackers can acquire access to user accounts and masquerade as users or administrators, and regular users can gain unexpected elevated functions. Robust access methods ensure that each role has distinct and distinct privileges.

Resolving Broken Access Control:

• Deny access by default, except for public resources.
• Create powerful access control techniques for reusing across the software.
• Disable server directory listing and avoid storing sensitive data in the root directory. 
• After logging out, validate JWT tokens.

2. Cryptographic Failures

Many web services and APIs do not use strong encryption to protect sensitive data. Attackers may steal or alter such vulnerable data to commit credit card fraud, identity theft, or other crimes.

With a contemporary (and properly configured) encryption technique, sensitive data must be encrypted both at rest and in transit with a modern (and properly configured) encryption technique.

Cryptographic Failures, formerly known as Sensitive Data Exposure, protect data in transit and at rest. Passwords, credit card info, health records, personal information, and other sensitive information are examples.

It is especially critical for firms subject to PCI Data Security Standards (PCI DSS) or data privacy laws such as the EU General Data Protection Regulation (GDPR).

Resolving Cryptographic Failures:

• Determine sensitive data and implement suitable security procedures.
• Store sensitive data only when necessary; otherwise, delete sensitive data and utilize tokenization or truncation.
• Encrypt any sensitive data at rest using robust encryption techniques, protocols, and keys.
• Secure protocols such as TLS and HTTP HSTS can be used to encrypt data in transit.
• For sensitive data, disable caching.
• Passwords should be stored using strong, salted hashing methods such as Argon2, scrypt, and bcrypt.

3. Injection

SQL, NoSQL, OS, and LDAP injection vulnerabilities occur when an interpreter receives untrusted data as part of a command or query. The attacker’s hostile data can lead to the interpreter performing unwanted commands or accessing data without authorization.

An injection vulnerability in a web app allows attackers to pass malicious data to an interpreter, which causes the data to be compiled and executed on the server.

Prevention of Injection Attacks:

• Use a secure API that does not require the use of an interpreter.
• Use server-side input validation that is positive or “whitelisted”.
• Special characters must be escaped.
• Use LIMIT and other SQL controls within queries to prevent mass record disclosure in the event of SQL injection.

4. Insecure Design

Pre-coding tasks are essential for the development of secure software. Security requirements and threats should be gathered throughout the design phase of a development life cycle, and development time should be allocated to address these requirements.

As the product evolves, the team should verify assumptions and conditions for expected failure flows to ensure they remain correct and desirable. Failure to do so will allow attackers to obtain critical information while also failing to foresee innovative attack paths.

Insecure design is a class of flaws caused by absent or inefficient security mechanisms. Some applications are not designed with security in mind. Others have a secure concept, but errors in implementation can lead to exploitable vulnerabilities.

An unsafe design, by definition, cannot be rectified with good implementation or configuration. This is due to a lack of basic security mechanisms capable of successfully protecting against significant threats.

Preventing Insecure Design:

• Create a safe software development lifecycle (SSDLC).
• Use application security measures from the beginning of program development.
• Create a library of secure design patterns needed to develop new apps.
• Use threat modeling to create critical features such as authentication and access control.
• Incorporate security issues and controls into all user stories.

5. Security Misconfiguration

Software is just as secure as we make it. Ad hoc setup standards might result in default accounts remaining in place, open cloud storage, incorrect HTTP headers, and expansive error messages revealing sensitive data.

All operating systems, frameworks, libraries, and programs must not only be securely configured but must also be patched/updated on a regular basis.

Security misconfiguration is a lack of application stack security hardening. This can involve incorrectly configuring cloud service rights, enabling or installing unnecessary functionality, and using default admin accounts or passwords.

This now includes XML External Entities (XXE), which were previously classified as a separate OWASP category.

Preventing Security Misconfiguration:

• Create an application hardening procedure that is quick and simple to implement.
• Configure development, QA, and production in the same way (with different credentials).
• Configure all systems to be as simple as possible, with no unnecessary features or components.
• Apply patches and security warnings to configurations on a regular basis.
• Create an automated procedure for validating secure setups in all environments.

6. Vulnerable and Outdated Components

For example, libraries, frameworks, and other software modules execute with the same privileges as the application. An attack that takes advantage of weak components can result in significant data loss or server takeover.

Applications and APIs that use components with known vulnerabilities may weaken application security and enable a variety of attacks and consequences.

Vulnerable and Outdated Components, formerly known as “Using Components with Known Vulnerabilities,” refer to vulnerabilities caused by unsupported or outdated software.

Anyone who produces or uses an application without understanding its core components, versions, or whether they have been updated is likely to become a victim of vulnerability.

Preventing Vulnerable and Outdated Components:

• One should remove unused dependencies, features, components, and files from applications.
• Using software composition analysis (SCA) tools, keep track of components and their versions on both the client and server sides.
• Scan libraries and their dependencies on a regular basis for insecure components.
• Use only official components and prefer signed packages.
• Remediate vulnerabilities as soon as possible; delete impacted components or install a virtual patch.

7. Identification and Authentication Failures

Application functions linked to authentication and session management are frequently handled poorly, allowing attackers to compromise passwords, keys, or session tokens or exploit other implementation defects to temporarily or permanently assume other users’ identities.

Identification and Authentication Failures, formerly known as Broken Authentication, now cover security issues relating to user identities. Confirming and validating user identities and implementing secure session management are crucial for protecting against various exploits and attacks.

Preventing Identification and Authentication Failures:

• Set up multi-factor authentication.
• Do not use default credentials when deploying systems.
• See if you can find a list of the top 10,000 worst passwords.
• For Memorized Secrets, follow the rules in NIST 800-63 B Section 5.1.1.
• Enhance the security of all authentication-related procedures, such as registration and credential recovery.
• Limit or postpone failed login attempts.

8. Software and Data Integrity Failures

Codes and data integrity & infrastructure that do not guard against integrity violations cause failure in software. One such example is when an application relies on plugins, libraries, or modules from untrusted repositories or content delivery networks (CDNs).

Unauthorized access, malicious code, or system compromise can all occur due to an unsecured deployment process.

Finally, many programs now have auto-update technology, which downloads updates without proper integrity checking and applies them to previously trusted applications.

Attackers could potentially distribute and run their own updates on all installations.

Code and infrastructure are prone to integrity breaches in software and data integrity failures. This includes software updates, sensitive data alterations, and CI/CD pipeline changes made without validation.

Unauthorized access, the introduction of malware, and other significant vulnerabilities can all result from an unsecured CI/CD pipeline.

There is widespread worry about programs that receive automated updates. In several instances, attackers breached the supply chain and developed their own malicious patches. 

Thousands of businesses were hacked as a result of malicious patches being downloaded and applied to previously trusted software without integrity checking.

Preventing Software and Data Integrity Failures:

• Use digital signatures or similar technologies to ensure that software or data is authentic.
• Ensure that libraries and dependencies, such as npm or maven, are from reliable repositories.
• Create a process for reviewing code and configuration changes.
• Check your CI/CD pipeline’s configuration and make sure that access constraints are in place.

9. Security Logging and Monitoring Failures

Inadequate logging and monitoring and a lack of or inefficient integration with incident response enable attackers to continue attacking systems, maintain persistence, pivot to other systems, and modify, take, or delete data.

Most breach studies suggest that it takes more than 200 days to notice a breach, which third parties often find rather than internal processes or monitoring.

Monitoring and logging of security incidents Failures, formerly known as “Inadequate Logging and Monitoring,” are flaws in an application’s capacity to detect and respond to security concerns. Breach detection is impossible without logging and monitoring.

Failures in this category have ramifications for visibility, alerting, and forensics.

Security Logging and Monitoring Failure Prevention:

• Makes sure to document login, access control, and server-side input validation
• Make sure logs provide enough context to detect suspicious conduct and allow for in-depth forensic investigation.
• Makes sure that logs are in a readable format to any log management software.
• Take precautions to keep intruders from tampering with log data.

10. Server-Side Request Forgery

A server-side request forgery (SSRF) fault occurs when a web application gets a remote resource without validating the user-supplied URL.

It enables an attacker to force an application to submit a crafted request to an unexpected destination even when protected by a firewall, VPN, or other network access control list (ACL).

Server-Side Request Forgery Prevention:

• Avoid accepting URLs in client inputs, and filter inputs only if absolutely necessary.
• To lessen the impact, isolate any remote resource access capability on a different network.
• To prevent undesired Internet traffic, use “deny by default” firewall settings.
• Make use of an affirmative “allow list” that includes the URL schema, port, and destination.
• Turn off HTTP redirections.
• Never give raw responses to clients.

What’s next?

Now you’ve got a fair share of ideas about what OWASP is and how you can use the top 10 OWASP vulnerabilities to secure your organization.

We designed Cyvatar platform to keep startups and SMBs safe from online vulnerabilities. Our budget-friendly plans are for organizations of all sizes. You can try it risk-free if you can’t wait to see how Cyvatar secures your organization from cyber-attacks.