For almost 20 years, the Open Web Application Security Project (OWASP), a nonprofit foundation, has been working to improve software security. The most recent update of OWASP’s Top 10 list of the most critical web application security risks boasts a new graphic design and a one-page infographic, but the contents, the actual security risks, are all too familiar.
True, there are three new categories, four categories with naming and scoping changes, and some consolidation in the 2021 Top 10 list. Even so, we’ve seen most of these before:
- A01:2021-Broken Access Control: 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
- A02:2021-Cryptographic Failures, previously known as Sensitive Data Exposure: the old name described a broad symptom rather than a root cause. The category now covers the cryptographic failures that lead to sensitive data exposure or system compromise.
- A03:2021-Injection: 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. This includes Cross-site Scripting.
- A04:2021-Insecure Design is a new category. Here the emphasis is on security flaws that start with fundamental design problems. It can be combated if web developers use threat modeling, secure design patterns and principles, and reference architectures.
- A05:2021-Security Misconfiguration: As we use more and more highly configurable software, it’s no surprise to see this showing up more often. Do you know how to secure your Kubernetes cluster? The former category for XML External Entities (XXE) is now part of this category.
- A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities. This one has been making headlines as busted components in software supply chains.
- A07:2021-Identification and Authentication Failures was previously Broken Authentication. It now includes Common Weakness Enumerations (CWEs) that involve identification failures.
- A08:2021-Software and Data Integrity Failures is a new category, which focuses on making bad security assumptions about software updates, critical data, and CI/CD pipelines. This is another variation on software supply chain blunders.
- A09:2021-Security Logging and Monitoring Failures: The name says it all.
- A10:2021-Server-Side Request Forgery: While there are relatively few such attacks, community members are worried about this attack vector.
If you’ve been following OWASP lists for a while, you may have noticed that the emphasis is now more on strategic issues than on specific vulnerability classifications. That means that programs that claim to provide complete coverage of OWASP Top 10 security vulnerabilities are, shall we say, shading the truth. Yes, some security programs can still help you get a handle on your security weaknesses, but this new list is more of a call to work harder on your security in general than a checklist of problems to fix.
That’s because — spoiler alert! — our security problems are broader than just the security hole du jour. Yes, they show up as specific problems, but underneath them are general issues that we have not been addressing.
For example, using old, insecure libraries and programs, as when Equifax used out-of-date Apache Struts and leaked tens of millions of Americans’ personal data, is still much too common a problem. But if you use software supply chain standards, such as the ISO Software Package Data Exchange (SPDX), to track the components in your programs, you’ll go a long way toward avoiding OWASP categories A06 and A08.
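Tracking components in SPDX, as the paragraph suggests, is what makes an automated check for A06 possible. The following is an added example, not code from the article: it scans a constructed SPDX 2.3 JSON document against a constructed advisory list (the package names are real, but the version ranges are placeholders, not real advisory data) and flags packages whose version falls in a bad range or that carry no version at all.

```python
"""Flag SBOM packages that match a known-bad version range (A06) or lack a version."""
import json

# Constructed SPDX 2.3 JSON document with only the fields this check needs.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "webapp-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-struts", "name": "struts2-core", "versionInfo": "2.3.30"},
        {"SPDXID": "SPDXRef-jackson", "name": "jackson-databind", "versionInfo": "2.13.4"},
        {"SPDXID": "SPDXRef-auth", "name": "acme-auth", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-legacy", "name": "legacy-lib"},  # no versionInfo at all
    ],
})

# Constructed advisory feed: package -> [(min_inclusive, max_exclusive), ...].
# Placeholder ranges for illustration only; use a real vulnerability database in practice.
ADVISORIES = {
    "struts2-core": [("2.3.0", "2.3.32"), ("2.5.0", "2.5.11")],
    "jackson-databind": [("2.13.0", "2.13.3")],
}

def parse_version(text):
    """Turn '2.3.30' into (2, 3, 30); a non-numeric component sorts as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def in_range(version, low, high):
    """True if low <= version < high under numeric, component-wise comparison."""
    return parse_version(low) <= parse_version(version) < parse_version(high)

def find_vulnerable(spdx_json, advisories):
    """Return (name, version, reason) for every package that needs attention."""
    doc = json.loads(spdx_json)
    hits = []
    for pkg in doc.get("packages", []):
        name, version = pkg.get("name"), pkg.get("versionInfo")
        if not version:  # an unversioned component cannot be vetted against any advisory
            hits.append((name, version, "missing versionInfo"))
            continue
        for low, high in advisories.get(name, []):
            if in_range(version, low, high):
                hits.append((name, version, f"in bad range [{low}, {high})"))
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable(SPDX_DOC, ADVISORIES):
        print(hit)
```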
Sure, as Philippe De Ryck, Pragmatic Web Security founder, said during the OWASP Top 10 webinar, “I would love to be in a world where I can just tell them [people], ‘Use this and this, and this and this, and you’re done.’ We’re not there yet, but I’m really hoping we can get there in the future.”
I’m not so hopeful. This list is worrisome. OWASP has issued these lists since 2003, and while the names and specific areas covered have changed, the problems remain the same.
The solution is not more inadequate security programs; it’s educating developers on how to bake fundamental security into their programs. And it’s getting companies to support programmers in embedding security into their software. Only when security becomes a top-priority job for both developers and management can we finally start having truly safe software.