New OWASP Top 10: Incorrect access restrictions greatest threat to web apps

Published by: MRT


According to the Open Web Application Security Project (OWASP), a non-profit organization of web developers dedicated to fighting security vulnerabilities on the web, insufficient access restrictions are currently the greatest threat to web applications. This emerges from a draft of the OWASP Top 10 for 2021, which the project has now circulated to interested developers for comment. The last OWASP Top 10 dates from 2017; at that time (as in 2013) injection flaws were at the top of the list. Incorrect access restrictions were already in second place in 2017 and 2013.

The OWASP is regarded by web developers and software project managers as a good source of information on security problems in web apps and how to avoid them. The project is committed to improving developers’ understanding of security vulnerabilities and thus raising the baseline quality of software on the Internet. The data on which the top 10 list is based comes from information about security vulnerabilities found in public web software and reported through relevant industry channels. The OWASP also conducts regular surveys of experts who deal directly with such vulnerabilities. The organization regularly stresses that its information is mostly based on problems that can be found with automated processes, which in turn means that the top 10 tends to lag behind the latest infosec trends for some time.

It is interesting that injection flaws, for a long time the bread and butter of everyone who deals with securing web apps, have slipped to third place in the new list, overtaken by both incorrect access restrictions and cryptographic failures. This coincides with the assessment of the Common Weakness Enumeration (CWE) project, which no longer has code injection flaws at the top of its current top 25 list. So the trend does not only affect software on the Internet.

The OWASP understands incorrect access restrictions to mean any type of security vulnerability in which authorization is either not checked at all or is checked in a way that can be circumvented or tricked. For cases in which the user is incorrectly identified, there is a separate category (7th place on the list). The OWASP used to call the cryptographic failures category “Sensitive Data Exposure”; it now covers a broader field. All types of crypto failures are meant, from poorly implemented or carelessly home-grown crypto, to errors in the generation of pseudo-random data, to an eternal classic: hard-coded passwords baked into systems.
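To make the definition above concrete, here is an added illustration (not code from OWASP or the article) of the two failure modes it names, an access check that is missing entirely and one that can be circumvented because it trusts a client-supplied value, beside a deny-by-default version that derives identity from a server-side session. The invoice records and user names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for a database table of invoices keyed by id.
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}


@dataclass(frozen=True)
class Session:
    """Server-side session: the only trusted source of identity and role."""
    user: str
    role: str  # "user" or "admin"


def get_invoice_unchecked(invoice_id: int) -> dict:
    """Broken access control, variant 1: no authorization check at all.
    Anyone who guesses an id can read the record (an IDOR)."""
    return INVOICES[invoice_id]


def get_invoice_trusting_client(invoice_id: int, claimed_role: str) -> dict:
    """Broken access control, variant 2: a check exists, but it keys off a
    value the client sends (e.g. a form field or header), so it can be
    bypassed by simply claiming the admin role."""
    if claimed_role != "admin":
        raise PermissionError("access denied")
    return INVOICES[invoice_id]


def get_invoice(session: Session, invoice_id: int) -> dict:
    """Hardened: deny by default. Identity and role come from the server-side
    session, never from the request, and non-admins may only read records
    they own. Missing and forbidden records get the same error so the
    response does not reveal which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None:
        raise PermissionError("access denied")
    if session.role == "admin" or record["owner"] == session.user:
        return record
    raise PermissionError("access denied")


def can_read(session: Session, invoice_id: int) -> bool:
    """Helper used for auditing: True if the hardened check grants access."""
    try:
        get_invoice(session, invoice_id)
        return True
    except PermissionError:
        return False
```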

Cross-Site Scripting (XSS) flaws, number 7 in the previous list, are now combined with injection flaws at number 3. This year, Server Side Request Forgery (SSRF) joins the list for the first time, in 10th place. Two other new additions are the “Insecure Design” and “Software and Data Integrity Failures” categories. The latter category is all about unverified assumptions developers make about critical data, software updates, or the development and release workflow of their software.

Rank  OWASP Top 10 2021                              2017 rank
1     Broken Access Control                           5
2     Cryptographic Failures                          3
3     Injection                                       1
4     Insecure Design                                 Newcomer
5     Security Misconfiguration                       6
6     Vulnerable and Outdated Components              9
7     Identification and Authentication Failures      2
8     Software and Data Integrity Failures            Newcomer
9     Security Logging and Monitoring Failures        10
10    Server Side Request Forgery (SSRF)              Newcomer

Although the OWASP Top 10 for 2021 is not yet official, and its publication will probably take a few more months, it is worth taking a look at the full list now. In view of the ubiquitous security vulnerabilities in web applications, both developers and project managers can never be sufficiently aware of such weaknesses. However, one should bear in mind that the information from the OWASP can only provide a rough guideline. Above all, it serves to sensitize IT professionals to frequently occurring problems. Software that is regularly checked for the ten problems in the top 10 may be more secure, but that does not mean it is free of vulnerabilities. The OWASP warns again and again against misusing the top 10 as a simple checklist to tick off, which in the past probably happened time and again, especially in middle management circles in larger organizations.

If you want deeper insight into the details of the security vulnerabilities in the OWASP Top 10, the heise Events online workshop by Tobias Glemser on September 22nd and 23rd is recommended. The workshop is limited to 20 people to allow enough space for participants’ questions. Glemser is a BSI-certified penetration tester and managing director of the security company secuvera and, as Chapter Lead of the German Chapter of the Open Web Application Security Project (OWASP), co-translator of the OWASP Top 10.


(fab)
