OWASP toasts 20th anniversary with revised Top 10 for 2021
Non-profit confirms latest iteration of web attack hit list during 24-hour live event
OWASP celebrated its 20th anniversary last week with a 24-hour webinar that saw the organization officially launch the top 10 web security vulnerabilities for 2021.
During a session on Friday afternoon, Andrew van der Stock, executive director at OWASP, presented the revised top 10 to event attendees.
As previously reported by The Daily Swig, this year’s top 10 contains important changes to how the non-profit categorizes today’s web app threats, which have not been refreshed since 2017.
Addressing these changes, van der Stock told the audience that while injection attacks were once thought to be the number one web security risk, this attack has been downgraded to number three.
In its place is ‘broken access control’, which has moved up from the fifth position to the number-one threat to web app security.
The ‘cryptographic failures’ category has shifted up one position to number two. This risk was previously known as ‘sensitive data exposure’, but OWASP renamed it after determining that the old term described a “broad symptom rather than a root cause”.
OWASP wrote: “The renewed name focuses on failures related to cryptography as it has been implicitly before. This category often leads to sensitive data exposure or system compromise.”
Cross-site scripting (XSS) has been bundled into the now third-place ‘injection attacks’ category.
The OWASP Top 10 vulnerabilities in 2021:
- Broken access control
- Cryptographic failures
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
Aside from the category shake-up, there have been major updates to how the OWASP Top 10 project is displayed to users.
Firstly, the list will be available in a mobile-friendly version and a PDF poster will be released, which van der Stock told the conference will make it more accessible.
“We want to make sure it’s consumable in the way it hasn’t been in the past,” he explained.
The Top 10 logo has also been updated with a fresher, more modern design.
Discussing the release, Ollie Whitehouse, chief technical officer at NCC Group, told The Daily Swig: “It’s good to see OWASP is evolving the Top 10. In a world where we continue to learn about threat and vulnerability against a backdrop of rampant innovation, this natural evolution is going to be a constant.
“Some may raise an eyebrow at some of the OWASP descriptions. For example, the description of SSRF (number 10) – considering it was this class of issue that gave us the [Microsoft] Exchange vulnerabilities earlier in the year, one may argue that the industry is indicating incidence rates are not as low as OWASP believes they are.”
Whitehouse added: “Another example is Software and Data Integrity Failures (number eight) – this is quite a large bucket covering everything from deserialization through to software updates and potentially CI/CD pipelines.
“One might expect this to be one of the quicker growing buckets over the next year as a result.”
Addressing the issues
Elsewhere during the online conference, Philippe De Ryck delivered a talk that asked: is AppSec too hard?
Speaking to delegates, De Ryck, founder of Pragmatic Web Security, discussed whether the ever-expanding checklist of best security practices is, in fact, making it harder for individuals to keep themselves safe online.
“I would love to be in a world where I can just tell them [people], ‘Use this and this, and this and this and you’re done’,” he said. “We’re not there yet, but I’m really hoping we can get there in the future.”
Delivering the closing remarks, the Electronic Frontier Foundation’s Eva Galperin asked: who deserves cybersecurity?
Galperin, director of cybersecurity at the foundation, argued that security should be available and accessible to all people regardless of income or position, and that there needs to be less of a focus on making tools for money.
“Cybersecurity is often focused on protecting people and organizations with money,” she told conference attendees.
“For the same reason why Jesse James robbed banks – it’s where the money is.”