The Open Web Application Security Project (OWASP) announced a new category list of the Top 10 web application security risks. This update is the first one since 2017; we covered the 2017 OWASP Top 10 in our previous post. More than ever, the OWASP Top 10 of 2021 is a security awareness document that tries to address all aspects of today’s web security needs. It is particularly valuable to all developers, especially those that develop, manager, or operate web applications and web application environments.
The OWASP Top 10 has been a tool for software developers and vendors since 2003. However, things are looking a little different in 2021.
In this blog post, we address what changed, why it changed, and how to integrate the new OWASP Top 10 2021 into your daily practice.
The NEW OWASP Top 10 2021
OWASP has always positioned the Top 10 as a security awareness document that highlights security risks to consider and avoid, rather than a list of specific issues to find and fix. The 2021 iteration further underscores this emphasis, with new categories that intentionally shift the focus away from low-level vulnerabilities.
The new OWASP Top 10 was created the same way as previous editions by categorizing security flaws into ten categories. Here is a breakdown of what changed:
A01 : 2021: “Broken Access Control”
This category rises from number five on the list. Broken Access Control experienced more incidents in applications than in other categories
A02 : 2021: “Cryptographic Failures”
This category jumps to spot two and replaces the “Sensitive Data Exposure” category. The renewed focus here is on cryptography failures, which frequently result in compromise or exposure.
A03 : 2021: “Injections”
This category moves to the third position. Injection had the second most occurrences in applications. OWASP also adds cross-site scripting (XSS) to this category.
A04 : 2021: “Insecure Designs”
This category is a new one for 2021 and focuses on design flaws. Greater threat modeling, reference architectures, and secure design principles are required.
A05 : 2021: ”Security Misconfigurations”
Another category that shifted and moved up from position six. It’s not surprising to see security misconfigurations rise as more people turn to highly configurable software. This category now includes the former XML External Entities (XXE) category.
A06 : 2021: ”Vulnerable & Outdated Components”
This category is formerly called “Using Components with Known Vulnerabilities.” It rose from spot number nine and is challenging to test and assess risk.
A07 : 2021: ”Identification & Authentication Failure”
This category replaced “Broken Authentication.” Although this category remains in the Top 10, the increased availability of standardized frameworks appears to help.
A08 : 2021: ”Software & Data Integrity Failure”
Another new category for 2021, software & data integrity failures, centers on assumptions about software updates, continuous integration and delivery pipelines, and critical data, without verifying integrity.
A09 : 2021: ”Security Logging & Monitoring Failure”
This category was previously called “Insufficient Logging and Monitoring.” It moved up from the tenth spot, and it now includes a broader range of failures.
A10 : 2021: ”Server-Side Request Forgeries”
This category represents the situation in which industry professionals tell us that something is essential, even if not reflected in data at the moment.
While there has been a ton of renaming and shuffling, the most significant change is making most of the risk categories broader. Looking into the methodology and details, this change focuses on root causes rather than symptoms.
The old Top 10 focused on specific vulnerabilities, and many organizations often used it as a security checklist. While this use was convenient, it gave the unwanted impression that web security was solely about identifying and removing Top 10 vulnerabilities in the final product.
The new, 2021 classifications offer a better overview of security awareness and testing and make a valiant push toward “shift left” testing.
Why the New OWASP Top 10 Changes Are Significant
The inclusion of the “Insecure Design” category asserts a clear message that thinking about security requirements early in the development process is now an OWASP best practice. Addressing and mitigating these problems necessitates far more than simply reacting to flaws and vulnerabilities after development is complete.
Secure coding best practices are just as important as testing. Even if specific issues are discovered and fixed during testing, unless the root cause is addressed through developer education and the appropriate tools and processes, many more will emerge in the future.
Finding and fixing security bugs early on is also far less expensive than doing so later. Importantly, all of this must be done systematically to be valuable and efficient in practice.
Shift Left Testing
Ultimately, the New OWASP Top 10 changes are significant since they support shifting left in development operations. OWASP also updated the methodology used to compile the Top 10. Eight of the ten categories are data-based, and the other two are on responses from industry surveys.
The “shift left” testing movement aims to bring testing closer to the beginning of the software development process. A project can reduce the number of bugs and improve the quality of the code by testing early and often. The goal is to avoid finding any critical bugs that require code patching during the deployment phase.
It’s easy for developers to undervalue the importance of testing early in the software development life cycle. Regularly testing code ensures the project’s quality and saves you time and money. It’s also equally critical to first comprehend how bugs enter the code to prevent replications of the errors.
How to Integrate the New OWASP Top 10
The Top 10 was not supposed to be a security testing checklist, and the 2021 edition emphasizes this aspect. It’s now primarily a public-awareness document that lists the top ten causes of website and application vulnerabilities. It also incorporates current trends such as shifting left and supply chain security.
While it may be less useful to security practitioners than previous editions, the new OWASP Top 10 takes a broader view of today’s security awareness needs, emphasizing that finding and fixing specific vulnerabilities is no longer enough.
Given the scale, complexity, and speed of web application development, the only way to get a handle on security is to incorporate it into every stage of software design, development, testing, and operations. These actions are what OWASP is advising us to do right now.