Open Web Application Security Project (OWASP):
https://owasp.org/www-project-top-ten/

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.

OWASP has maintained its Top 10 list since 2003, updating it every two or three years in line with advancements and changes in the AppSec market. The list’s importance lies in the actionable information it provides: it serves as a checklist and as an internal web application development standard for many of the world’s largest organizations.

OWASP Top 10:

The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes to minimize and/or mitigate security risks.

OWASP Top 10 vulnerabilities (2021 list):

1. Broken Access Control

Access control enforces the policy that users cannot act outside their intended permissions. When it is broken, an attacker can act as another user or as an administrator in the system.

Example: An application allows a primary key to be changed, and when this key is changed to another user’s record, that user’s account can be viewed or modified.
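The primary-key example above, written out as an added illustration (not code from the original article): a handler that serves whatever account id the request names, beside a deny-by-default version that checks ownership. The account data, user names and the `ADMINS` role set are constructed for the demo.

```python
"""Broken access control: a record fetched by id from the request with no
ownership check (vulnerable) next to the deny-by-default version (fixed)."""

# Constructed sample data: account id -> owner and balance (hypothetical).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 500},
    102: {"owner": "bob", "balance": 1200},
}
ADMINS = {"carol"}  # users allowed to view any account


class Forbidden(Exception):
    """The caller may not access the requested record."""


def view_account_vulnerable(current_user: str, account_id: int) -> dict:
    # The lookup key comes straight from the request and nothing ties it to
    # the logged-in user, so changing 101 to 102 in the URL returns another
    # customer's record (an insecure direct object reference).
    return ACCOUNTS[account_id]


def view_account(current_user: str, account_id: int) -> dict:
    # Fixed: deny by default, then allow only the owner or an administrator.
    record = ACCOUNTS.get(account_id)
    if record is None:
        # Same error as for a denied record, so ids cannot be enumerated.
        raise Forbidden(f"account {account_id} not available to {current_user}")
    if current_user != record["owner"] and current_user not in ADMINS:
        raise Forbidden(f"account {account_id} not available to {current_user}")
    return record


def is_allowed(current_user: str, account_id: int) -> bool:
    """True if the fixed handler would serve the record to this user."""
    try:
        view_account(current_user, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice's session, but the id in the request is Bob's account.
    print("vulnerable:", view_account_vulnerable("alice", 102))
    print("fixed allows alice/101:", is_allowed("alice", 101))
    print("fixed allows alice/102:", is_allowed("alice", 102))
    print("fixed allows carol/102:", is_allowed("carol", 102))
```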

2. Cryptographic Failures

Cryptographic failures occur when sensitive stored or transmitted data (such as a social security number) is exposed because it was not protected by adequate cryptography.

Example: A financial institution fails to adequately protect its sensitive data and becomes an easy target for credit card fraud and identity theft.

3. Injection

Injection occurs when an attacker sends untrusted data to a web application and that data is interpreted as part of a command or query, making the application do something it was not designed to do.

Example: An application uses untrusted data when constructing a vulnerable SQL call.

4. Insecure Design

This category covers risks that stem from flaws in the application’s design rather than in its implementation. As organizations continue to “shift left,” earlier testing alone is not enough; threat modeling, secure design patterns and principles, and reference architectures are also required, because a design flaw cannot be corrected by a perfect implementation.

Example: A movie theater chain that allows group booking discounts requires a deposit for groups of more than 15 people. Attackers threat model this flow to see if they can book hundreds of seats across various theaters in the chain, thereby causing thousands of dollars in lost income.

5. Security Misconfiguration

Security misconfigurations are weaknesses that result from how a system is set up (a configuration error or omission) rather than from a flaw in the application’s code.

Example: A default account and its original password are still enabled, leaving the system open to exploitation.

6. Vulnerable and Outdated Components

Components with known vulnerabilities (those with published CVEs) should be identified and patched, while stale or unmaintained components should be evaluated for viability and for the risk they may introduce.

Example: Due to the volume of components used in development, a development team might not know or understand all the components used in their application, and some of those components might be out-of-date and therefore vulnerable to attack.

7. Identification and Authentication Failures

Functions related to authentication and session management, when implemented incorrectly, allow attackers to compromise passwords, keys, and session tokens, which can lead to stolen user identities and more.

Example: A web application allows the use of weak or easy-to-guess passwords (e.g., “password1”).

8. Software and Data Integrity Failures

This category covers software updates, critical data, and CI/CD pipelines that are used without verifying their integrity. Insecure deserialization, formerly its own entry, is now included here: a deserialization flaw can allow an attacker to execute code remotely on the system.

Example: An application deserializes attacker-supplied hostile objects, exposing itself to remote code execution.

9. Security Logging and Monitoring Failures

Logging and monitoring must be performed continuously; without them, a breach can go unnoticed and escalate into a far more severe compromise.

Example: Auditable events such as logins, failed logins, and other important activities are not logged, so an attack cannot be detected or investigated.
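As an added example (not part of the original article), the missing piece from the logging failure above: a structured audit line for login events, and a detector that reads those lines and flags a burst of failed logins for one user from one address. The log lines, the 5-in-300-seconds threshold and the addresses are constructed for the demo.

```python
"""Security logging and monitoring: emit one structured line per auditable
event, then run a failed-login detector over those lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def audit_event(event: str, user: str, src_ip: str, ok: bool, ts: datetime) -> str:
    # Fixed field names so monitoring can parse lines without guessing.
    # The password itself is never written to the log.
    rec = {"ts": ts.isoformat(), "event": event, "user": user,
           "src_ip": src_ip, "ok": ok}
    return json.dumps(rec, sort_keys=True)


def parse_event(line: str) -> dict:
    return json.loads(line)


def failed_login_alerts(lines, threshold: int = 5, window_s: int = 300) -> list:
    # Count failed logins per (user, source ip) inside a sliding window and
    # return every pair that reached the threshold. Lines are assumed to be
    # in time order, as they are when read from an append-only log.
    recent = defaultdict(list)
    alerts = set()
    for line in lines:
        ev = parse_event(line)
        if ev["event"] != "login" or ev["ok"]:
            continue
        key = (ev["user"], ev["src_ip"])
        now = datetime.fromisoformat(ev["ts"])
        recent[key] = [t for t in recent[key] if (now - t).total_seconds() <= window_s]
        recent[key].append(now)
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return sorted(alerts)


# Constructed sample log: six failed logins for "bob" from one address within
# two minutes, then one successful login for "alice".
_T0 = datetime(2021, 9, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_event("login", "bob", "203.0.113.9", False, _T0 + timedelta(seconds=20 * i))
    for i in range(6)
] + [audit_event("login", "alice", "198.51.100.7", True, _T0 + timedelta(minutes=3))]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print("alerts:", failed_login_alerts(SAMPLE_LOG))  # [('bob', '203.0.113.9')]
```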

10. Server-Side Request Forgery

Server-side request forgery (SSRF) can happen when a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. The severity and incidence of SSRF attacks are increasing due to cloud services and the increased complexity of architectures.

Example: If a network architecture is unsegmented, attackers can use connection results or elapsed time to connect or reject SSRF payload connections to map out internal networks and determine if ports are open or closed on internal servers.
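The validation step the SSRF entry says is missing, as an added example that is not part of the original article: before the server fetches a user-supplied URL, it checks the scheme, rejects embedded credentials, resolves the host and refuses any answer that lands in a private, loopback, link-local or otherwise non-public range. The `resolver` parameter and the sample addresses are constructed so the check can run offline.

```python
"""SSRF defence: validate a user-supplied URL before the server fetches it.
The resolver is injectable so the check can be exercised without DNS."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> list:
    # Every address the name maps to is checked: one public A record does
    # not make a name safe if another answer points inside the network.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url: str, resolver=resolve_all) -> tuple:
    """Return (ok, reason); reject anything but a plain public HTTP(S) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolver(parts.hostname)
    except OSError:  # socket.gaierror is a subclass
        return False, "host does not resolve"
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to an internal address"
    # The caller should connect to one of `addrs` rather than re-resolving,
    # and re-run this check on every redirect; otherwise a DNS rebind or a
    # 3xx hop can still steer the request inside the network.
    return True, "ok"


if __name__ == "__main__":
    fake = lambda host: [host]  # constructed resolver: host is already an ip
    for url in ("http://169.254.169.254/latest/meta-data/",  # cloud metadata range
                "http://127.0.0.1:8080/admin", "file:///etc/passwd",
                "http://user:pw@93.184.216.34/", "https://93.184.216.34/report"):
        print(url, "->", check_fetch_url(url, resolver=fake))
```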
