OWASP Top 10 risks get update, highlighting insecure design — injection no longer on top

OWASP Top 10

Just in time for OWASP’s 20th anniversary last week, the Open Web Application Security Project’s Top 10 list of critical security risks has received its first update since 2017.

The OWASP Top 10 were first released in 2003 and serve as a foundation for various compliance and security tools. To come up with the 2021 edition, the project called on organisations to share data about web application vulnerabilities found in various processes and asked “application security and developments experts” for additional input via a community survey. 

Common Weakness Enumerations (CWE) of the vulnerabilities identified through the data collected were then mapped to categories, and the eight categories with the highest incidence rates got included in the Top 10. Since this data is often the result of automatic tests, the remaining two positions were filled with categories survey respondents found most pressing. That way, the list’s authors want to reflect current trends which might not be covered by established testing methods yet. In a last step, the categories were examined for aspects such as exploitability and detectability and ranked accordingly.

The result is as follows:

A01:2021 — Broken Access Control 
A02:2021 — Cryptographic Failures
A03:2021 — Injection
A04:2021 — Insecure Design 
A05:2021 — Security Misconfiguration 
A06:2021 — Vulnerable and Outdated Components
A07:2021 — Identification and Authentication Failures
A08:2021 — Software and Data Integrity Failures 
A09:2021 — Security Logging and Monitoring Failures 
A10:2021 — Server-Side Request Forgery

Compared to the 2017 edition of the list, the current top 10 sports three new categories — Insecure Design, Software and Data Integrity Failures, and Server-side Request Forgery — though renamings and consolidations make this a bit tricky to see. Cryptographic Failures, for instance, are meant to cover the vulnerabilities previously sorted under Sensitive Data Exposure, but the new name focuses on the cause instead of the symptoms — a new objective the authors decided to follow.

XML External Entities and Cross-Site Scripting have meanwhile been merged into the Security Misconfiguration and Injection categories respectively. Insecure Deserialisation slipped under the umbrella of Software and Data Integrity Failures, a new category which largely focuses on “making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity”.

Security Logging and Monitoring Failures and Server-Side Request Forgery are the two categories that made the list via the survey, although the former is more of an expansion of the Insufficient Logging and Monitoring category present in the 2017 edition of the list and SSRF seems to be more of a vulnerability than a category. However, most respondents named SSRF as a problem, which seems to be good enough for OWASP and is underlined by “above-average ratings for Exploit and Impact potential”. Also high on the practitioners’ list are Vulnerable and Outdated Components and the mentioned Logging/Monitoring Failures.

While Insecure Design might seem a little vague, the addition is meant to represent risks related to design flaws, since not considering security mechanisms when planning a project isn’t something that can be rectified by an implementation. It also highlights the need in the industry to spend time with threat modelling and studying secure design patterns, if the often-propagated “shift left” approach that looks to consider security concerns early on is supposed to be successful.

Since OWASP last released a ranking, Broken Access Control seems to have become more of a problem, letting it climb to the top of the list from its former fifth position. According to the Top 10’s authors, “the contributed data indicates that on average, 3.81 per cent of applications tested had one or more Common Weakness Enumerations with more than 318k occurrences of CWEs in this risk category”.

Cryptographic failures also came up more often, shifting the category from the third to second list place. Injection fell from first to third rank, although “94 per cent of the applications were tested for some form of injection with a max incidence rate of 19 per cent, an average incidence rate of 3.37 per cent, and the 33 CWEs mapped into this category have the second most occurrences in applications with 274k occurrences”.

Identification and Authentication Failures jumped from the second to the seventh position, which the authors attribute to “the increased availability of standardized frameworks”. Example attack scenarios and tips for prevention are available on the OWASP web site.

While many seemed happy about the addition of things like Insecure Design and the related recognition of the importance of secure design patterns and threat modelling, criticism of the new list wasn’t long in coming. It mainly highlighted a lack of focus and mixing specific vulnerabilities (SSRF) with vulnerability categories. However there also was the notion that this might be due to overall changes in web development since 2003, nudging the authors to rework the list to accommodate the current state a little better in an upcoming edition.