
Latest OWASP Top 10 Surfaces Web Development Security Bugs

5 Oct 2021 5:30am, by

For almost 20 years, the Open Web Application Security Project (OWASP), a nonprofit foundation, has been working to improve software security. The most recent update of OWASP’s Top 10 list of the most critical web application security risks boasts a new graphic design and a one-page infographic, but the contents, the actual security risks, are all too familiar.

True, there are three new categories, four categories with naming and scoping changes, and some consolidation in the 2021 Top 10 list. Even so, we’ve seen most of these before:

If you’ve been following OWASP lists for a while, you may have noticed that the emphasis is now on strategic issues rather than specific vulnerability classifications. That means that programs that claim to provide complete coverage of the OWASP Top 10 security vulnerabilities are, shall we say, shading the truth. Yes, some security programs can still help you get a handle on your security weaknesses, but this new list is more of a call to work harder on your security in general than a checklist of problems to fix.

That’s because — spoiler alert! — our security problems are broader than just the security hole du jour. Yes, they show up as specific problems, but underneath them are general issues that we have not been addressing.

For example, using old, insecure libraries and programs, as when Equifax used out-of-date Apache Struts and leaked tens of millions of Americans’ personal data, is still much too commonplace a problem. But if you use software supply chain security standards, such as the ISO Software Package Data Exchange (SPDX), to track your programs, you’ll go a long way toward avoiding OWASP problems 6 and 8.
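As an added example (not code from the article or from the OWASP project) of what tracking components with an SPDX document looks like in practice, the script below reads a constructed SPDX 2.3 JSON SBOM and flags packages that fall below a constructed minimum-version policy (the problem 6 concern) or carry no checksum with which to verify their integrity (the problem 8 concern). The package names, versions and thresholds are sample data, not real advisory cut-offs.

```python
"""Audit an SPDX 2.x JSON SBOM against a minimum-version and integrity policy.

Added example, not from the article or OWASP. The SBOM and the policy below
are constructed sample data; the version thresholds are placeholders.
"""
import json
import re

# Constructed SPDX 2.3 JSON fragment: two Maven packages, one without a checksum.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-webapp",
    "packages": [
        {"name": "struts2-core", "versionInfo": "2.3.31",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.struts/struts2-core@2.3.31"}]},
        {"name": "acme-utils", "versionInfo": "1.4.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/com.example/acme-utils@1.4.0"}]},
    ],
})

# Constructed policy: minimum acceptable version per package URL (without the @version).
# The thresholds are placeholders, not real advisory cut-offs.
MIN_VERSIONS = {
    "pkg:maven/org.apache.struts/struts2-core": "2.5.99",
    "pkg:maven/com.example/acme-utils": "1.4.0",
}


def version_key(version):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_sbom(sbom_json, policy=MIN_VERSIONS):
    """Return (package name, issue) findings for outdated or unverifiable components."""
    findings = []
    for pkg in json.loads(sbom_json).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            base, _, version = ref["referenceLocator"].rpartition("@")
            floor = policy.get(base)
            if floor and version_key(version) < version_key(floor):
                findings.append((pkg["name"], f"outdated: {version} < {floor}"))
        if not pkg.get("checksums"):  # nothing to verify the artifact against
            findings.append((pkg["name"], "no checksum: integrity cannot be verified"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_sbom(SAMPLE_SBOM):
        print(f"{name}: {issue}")
```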

Sure, as Philippe De Ryck, Pragmatic Web Security founder, said during the OWASP Top 10 webinar, “I would love to be in a world where I can just tell them [people], ‘Use this and this, and this and this and you’re done.’” But, “We’re not there yet, but I’m really hoping we can get there in the future.”

I’m not so hopeful. This list is worrisome. OWASP has issued these lists since 2003, and while the names and specific areas covered have changed, the problems remain the same.

The solution is not inadequate security programs; it’s educating developers on how to bake fundamental security into their programs. And it’s getting companies to support programmers embedding security into their software. It’s only when security becomes a top-priority job for both developers and management that we can finally start having truly safe software.
