What is OWASP and what is the OWASP Top 10?
The Open Web Application Security Project, or OWASP, is an international non-profit organization that documents the most pertinent web application security best practices and resources, to improve the security of software worldwide. They make their materials publicly available and accessible so that organizations and developers can improve their own web security.
The OWASP Top 10 is one such document that ranks the top 10 most serious security concerns in a report, including the attack vectors, weaknesses and prevention techniques.
Why is the OWASP Top 10 Important?
The OWASP Top 10 report is put together by a group of security experts from all over the world. This report has been published since 2003 and is updated every 2-3 years to provide an actionable checklist for companies to incorporate into their application security processes.
This checklist is important for organizations, big and small, especially considering the explosion in the volume and scale of cyber attacks carried out recently. Just take the case of the hack of the Colonial Pipeline in the US in April this year. The attack was carried out by entry into the organization's networks through a virtual private network, which allowed employees to remotely access the company's computer network. The known cause of the breach of the VPN was found to be the lack of multi-factor authentication, which allowed the hackers to get through simply by using a compromised username and password, which may have been obtained from a batch of leaked passwords on the dark web.
What Influence Does the OWASP Top 10 Hold?
The OWASP Top 10 is perhaps the most influential set of guidelines for companies looking to start minimizing the security risks in their web applications. The OWASP Top 10 checklist can act as a starting guide to changing the software development lifecycle in your organization, with the aim of producing more secure code.
Its influence lies in the specificity and actionability of the information it provides. Adopted as a gold standard by leading organizations around the world, it is often viewed by auditors as a must-have when they evaluate compliance standards.
Mitigation and Prevention for OWASP Top 10 Web application Security Risks
The OWASP Top 10 risks as outlined in the 2021 report are:
1. Broken Access Control
Moving up from its fifth position in the 2017 report is the category of Broken Access Control, which suggests it is now the most serious web application security risk. This type of attack happens when restrictions on what authenticated users are allowed to do are not properly enforced, allowing attackers to bypass authorization checks and act as if they were admins, for example viewing or modifying other users' accounts and privileges.
How to mitigate: To secure access controls, ensure that applications use authorization tokens and set tight controls on them. Require every logged-in user to present a valid authorization token with each privileged request. Additionally, conduct thorough penetration testing to make sure that there are no unintended access paths.
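An added example, not code from the original post, showing the difference between checking only that a caller is authenticated and making an explicit, deny-by-default authorization decision per record. The session store, account records and token strings are constructed for illustration.

```python
# Added example, not from the original post: deny-by-default authorization for
# a "view account" request. All data and token strings are constructed.

# Constructed session store: authorization token -> (user id, role)
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-bob": ("bob", "user"),
    "tok-admin": ("carol", "admin"),
}

# Constructed account records keyed by the id that appears in the request
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 250},
    "acct-2002": {"owner": "bob", "balance": 90},
}


def view_account_broken(token, account_id):
    """Broken access control: the caller is authenticated, but nothing checks
    that the requested account belongs to them, so any logged-in user can read
    any account simply by changing the id in the request."""
    if token not in SESSIONS:
        return None
    return ACCOUNTS.get(account_id)


def view_account(token, account_id):
    """Hardened: authenticate, then make an explicit authorization decision
    that denies unless the caller owns the record or holds the admin role."""
    session = SESSIONS.get(token)
    if session is None:
        return None  # no valid authorization token: not authenticated
    user_id, role = session
    record = ACCOUNTS.get(account_id)
    if record is None:
        return None  # same answer as "denied", so ids cannot be enumerated
    if role != "admin" and record["owner"] != user_id:
        return None  # authenticated, but not authorized for this record
    return record
```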
2. Cryptographic Failures
This category was titled "Sensitive Data Exposure" and ranked #3 in the 2017 OWASP Top 10 report. It has been renamed "Cryptographic Failures" to emphasize the root cause of the threats, which arise from the failure of applications to protect the most sensitive data such as financial, healthcare and other PII data. The failure can take the form of data being transmitted in clear text, weak cryptographic algorithms, encryption not being enforced and other errors in the cryptographic processes used. These become easy targets for attackers, who may use them to conduct credit card fraud, identity theft or. One common technique used is a man-in-the-middle or on-path attack, where attackers steal data "in transit" by placing themselves between victims and the services they are trying to reach.
How to mitigate: Start by categorizing data stored into levels of sensitivity. As much as possible avoid storing sensitive data, and encrypt all such data if they have to be stored. The exposure risk can also be minimized by disabling the caching of such sensitive data.
3. Injection
Sliding down from the top position in the previous OWASP edition to #3 is Injection, a category of threats where an attacker sends hostile data to a code interpreter to trick it into executing undesirable commands or accessing unauthorized data. These attacks usually happen with legacy code and are carried out through a form input or some other data submission to a web application. For example, if you have a form that takes plaintext input, an attacker could inject SQL code through the form for the database to execute, in what is known as an SQL injection attack.
How to mitigate: Injection attacks can be prevented by validating all input and keeping data separate from commands and queries. This involves rejecting suspicious-looking data and cleaning up any problematic parts of the data. Ideally, you should use a safe API that avoids the use of the interpreter entirely. Database admins can also set appropriate controls to minimize the amount of information an injection attack can expose.
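An added example, not code from the original post, of what "keeping data separate from commands" means in practice: the same user lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table.

```python
# Added example, not from the original post: the same lookup written with
# string concatenation and with a bound parameter, against a constructed
# in-memory SQLite table.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input becomes part of the query text, so a quote in the input
    # changes the query's structure instead of being treated as data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver hands the value to the engine separately
    # from the command, so it can only ever be compared as a string value.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def row_counts(name):
    """Rows returned by the vulnerable and the safe lookup for one input;
    a well-formed name gives the same count for both, hostile input does not."""
    conn = make_db()
    return len(find_user_vulnerable(conn, name)), len(find_user_safe(conn, name))
```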
4. Insecure Design
This is a new category included in the 2021 OWASP Top 10 and concerns flaws related to design and architecture. It is a broad category comprising different weaknesses that cause insecure design, generally due to a lack of security controls to defend against specific attacks and a lack of business risk profiling during software development. For example, if an e-commerce website does not have protection against bots attempting to buy a highly sought-after item in bulk, it could lose a large volume of sales and suffer damage to its brand reputation with potential customers who may have been interested in that item.
How to mitigate: The way to address insecure design is by following a secure development lifecycle with clear evaluation and design of security and privacy-related controls. Development should make use of a library of secure design patterns and adopt threat modeling for critical authentication, access control, business logic and key flows.
5. Security Misconfiguration
One of the most common issues that lead to attacks is improper configuration of security settings. The common causes are default configurations that are insecure across any part of the application stack, unnecessary features like ports, service pages or accounts, unpatched flaws and detailed error messages that reveal confidential information. These lapses give attackers unauthorized access to critical data and could lead to complete compromise of the system.
How to mitigate: Ensure that all operating systems, libraries and applications are securely configured and updated on a regular basis. Different environments such as development, QA and production should also have different credentials. If needed, adopt techniques that automate this work. Clean up the code to remove unused features and keep error messages as general as possible.
6. Vulnerable and Outdated Components
Titled “Using Components with Known Vulnerabilities” in the previous edition, this category has moved up from #9 to #7. These attacks arise when developers are unsure of the components (libraries, frameworks and other modules) they use while building applications. These components themselves can often contain vulnerabilities which can be exploited by attackers, resulting in data loss or server compromise.
How to mitigate: The developers of the external components do provide security patches and updates for known vulnerabilities but developers don’t always have these updates running on their applications. To prevent attacks through these components, developers should remove unused dependencies, monitor the source for updates and ensure they have the latest versions at hand.
7. Identification and Authentication Failures
This category was known as Broken Authentication when it was ranked second in the previous edition. It now includes Common Weakness Enumerations (CWEs) related to identification failures. Some examples of CWEs are CWE-297: Improper Validation of Certificate with Host Mismatch, CWE-287: Improper Authentication, and CWE-384: Session Fixation. These attacks are commonly targeted at applications that possess weaknesses in authentication and session management. Attackers target these applications to compromise passwords, keys, session tokens and more. Once such security measures are breached, they can assume or steal users’ identities. One simple technique used by attackers is credential stuffing, where they deploy a script that tries all combinations of known usernames or passwords obtained from a large-scale data breach.
How to mitigate: As a basic minimum, two-factor authentication (2FA) or multi-factor authentication must be implemented. There should also be a conscious effort to avoid weak passwords and to change them on a regular basis. Delaying repeated login attempts using rate limiting is another recommended best practice.
8. Software and Data Integrity Failures
This is a new category of threats that has been added to OWASP Top 10, focusing on assumptions related to software updates, critical data, and continuous integration and delivery (CI/CD) pipelines without verifying integrity. For example, when an application depends upon plugins, libraries, content delivery networks (CDNs) or other modules, an insecure CI/CD pipeline can lead to unauthorized access or malicious code. Applications which have auto-update functionality or where data is stored using serialization or deserialization are also in danger.
How to mitigate: It is possible to monitor for these types of attacks and to implement checks such as digital signatures on serialized objects and isolating the code that performs deserialization in privileged environments, but the only surefire way is to refuse to accept data, whether it be libraries or repositories, from untrusted sources.
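An added example, not code from the original post, of the "digital signature on serialized objects" check: the object is serialized as JSON with an HMAC-SHA256 tag, and the tag is verified before anything is parsed. The key and objects are constructed; a real key would come from a secrets store, not from source.

```python
# Added example, not from the original post: a serialized object carries an
# HMAC-SHA256 tag that is verified before any deserialization. Key is constructed.
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def serialize_signed(obj, key=SIGNING_KEY):
    """Encode obj as canonical JSON (a data-only format, unlike pickle) and
    append a tag computed over the exact bytes that will later be parsed."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(tag).decode()


def deserialize_verified(blob, key=SIGNING_KEY):
    """Return the object only if the tag verifies, otherwise None. The payload
    is never handed to the parser before the integrity check has passed."""
    try:
        payload_b64, tag_b64 = blob.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:  # wrong shape, or invalid base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def replace_payload(blob, obj):
    """Test helper: keep the original tag but swap in a different object, the
    way a tampered cookie or cached artifact would look to the verifier."""
    tag_b64 = blob.split(".", 1)[1]
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(payload).decode() + "." + tag_b64
```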
9. Security Logging and Monitoring Failures
Previously titled Insufficient Logging & Monitoring, this category moved up from its #10 position in the previous edition, while expanding to include more types of failures. The threats in this category are a result of delays in the detection of breaches. Many studies show that it takes around 200 days for a breach to be detected. This delay gives attackers more than enough time to compromise systems, hide and persist or tamper with sensitive data.
How to mitigate: Ensure that all logins, access control failures and server-side input validation failures are logged and monitored. The logs should be generated in a format that log management solutions can consume, and log data should be encoded to prevent injection attacks on the log monitoring systems themselves. To control tampering with data, especially in high-value transactions, an audit trail with integrity controls can also be implemented.
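An added example, not code from the original post, of logging in a consumable, encoded format: one JSON object per line so that attacker-controlled field values cannot forge extra entries, plus a small monitor that flags repeated failed logins per source address over constructed sample lines.

```python
# Added example, not from the original post: encoded JSON log lines and a
# simple failed-login monitor. All sample lines are constructed.
import json
from collections import Counter

MAX_FIELD_LEN = 256


def format_log_line(event, ts, **fields):
    """One JSON object per line. json.dumps escapes newlines, quotes and other
    control characters, so a username containing "\\n" cannot start a second,
    fake log entry; values are truncated to bound the size of the log."""
    record = {"ts": ts, "event": event}
    for key, value in fields.items():
        record[key] = str(value)[:MAX_FIELD_LEN]
    return json.dumps(record, ensure_ascii=True)


def parse_log_line(line):
    return json.loads(line)


def failed_logins_by_ip(lines, threshold):
    """Return source IPs with at least `threshold` failed logins, the kind of
    check a log management solution would run to flag credential stuffing."""
    counts = Counter()
    for line in lines:
        record = parse_log_line(line)
        if record.get("event") == "login_failed":
            counts[record.get("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample: five failures from one address, then one success
SAMPLE_LINES = [
    format_log_line("login_failed", "2021-11-01T10:00:0%dZ" % i,
                    user="user%d" % i, ip="203.0.113.5")
    for i in range(5)
] + [format_log_line("login_ok", "2021-11-01T10:01:00Z",
                     user="alice", ip="198.51.100.7")]
```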
10. Server-Side Request Forgery (SSRF)
This category of threats is a new addition to the OWASP Top 10 from the previous edition. SSRF flaws are those which occur when applications fail to validate a user-given URL when retrieving a remote resource. This is a common mode of attack due to modern web applications striving to provide end-users with convenient features and because of the rise of cloud services and complex architectures. The attacker is able to force the application to send a crafted request to an unexpected destination.
How to mitigate: SSRF attacks can be defended against from the network layer by segmenting remote resource access functionalities and enforcing “Deny by default” firewall policies. From the application layer, these attacks can be thwarted by validating all client-supplied input data, disabling HTTP redirections and preventing raw responses from being sent to clients.
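An added example, not code from the original post, of the application-layer part of that advice: a deny-by-default validator that a server runs on a user-supplied URL before fetching it, checking scheme, embedded credentials, a host allowlist, port and what the host actually resolves to. The allowlist, the stub DNS table and its addresses are constructed so the example runs offline.

```python
# Added example, not from the original post: deny-by-default validation of a
# user-supplied URL before fetching it. Allowlist and stub DNS are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # constructed


def is_public_address(ip):
    # Rejects loopback, RFC 1918, link-local, multicast, reserved, unspecified
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolve(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


# Constructed stub resolver so the example runs offline. 93.184.216.34 stands in
# for a public address (ipaddress treats 198.51.100.0/24, a documentation range, as non-public).
STUB_DNS = {"images.example.com": ["93.184.216.34"], "cdn.example.net": ["10.0.0.5"]}


def stub_resolve(host):
    if host not in STUB_DNS:
        raise OSError("constructed NXDOMAIN")
    return STUB_DNS[host]


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=system_resolve):
    """Return (ok, reason). The final check matters because an allowlisted
    name can still resolve to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not parts.hostname or parts.hostname not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "resolution failed"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"
```

The fetch itself should then be made with HTTP redirects disabled, as the text recommends, since a redirect would otherwise bypass this check.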
Introducing Application Shield (WAF) and Free Trial Invitation
CDNetworks provides Application Shield, a cloud-based Web Application Firewall (WAF) that helps organizations protect web applications against vulnerabilities and attacks. It is integrated with our global content delivery network (CDN) and is always-on and inline, enabling you to protect web assets all the time. Application Shield protects against the OWASP Top 10 threats, including injection, XSS and others, and allows for automated creation of rules and virtual patches for common application vulnerabilities. It also possesses many other features specific to mitigating and thwarting the OWASP Top 10 attacks, such as access control and rate limiting. In addition, free DDoS mitigation is included with Application Shield.
Explore how CDNetworks Application Shield can improve your security with a free trial.