New OWASP Top 10 is finally here, injections still dominate
New Open Web Application Security Project 'top-ten risks' list highlights series of common failings, as well as a trio of new risks
The Open Web Application Security Project (OWASP) has revealed an updated ‘top ten’ most urgent application security issues facing organisations, a list that has stood for four years since the last update.
The infamous vulnerability ranking was last updated in 2014, and although not a formal standard has been widely adopted by security professionals and bug bounty platforms.
In spite of the four year hiatus, command injection is still the biggest threat to business applications today, followed by Broken Authentication and Data exposure.
There are three newcomers to the top ten, XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring. The full top ten is here.
XML External Entities (XXE) has been added as a result of data from source code analysis tools, which have created a range of vulnerabilities including internal file or shares disclosure, internal port scanning, remote code execution (RCE) or denial of service (DoS).
Insecure deserialisation is also a new category, which can lead to replay attacks, injection attacks, and privilege escalation.
Finally, Insufficient logging and monitoring has made the list, as it makes it difficult for admins to detect and respond to attacks. The Project analysts pointed out in some situations it can take up to 200 days to detect a breach.
Other areas to watch for the future include architectural changes, according to the analysts, particularly in “single page applications” written with Angular or React, where functionality has been moved from the server side to the client which “brings its own security challenges”. Another new risk area is in microservices, where old code is put behind RESTful or other APIs, but was never designed to be exposed externally: “The base assumptions behind the code, such as trusted callers, are no longer valid”, the report said.
Ilia Kolochenko, CEO, High-Tech Bridge welcomed the new top 10, but also pointed out that the best practice principles of application security development are unchanged: "There are many different best practices to tackle application security at the early stage of software development. First of all, you need to ascertain that your developers are aware of the most recent secure coding techniques, and do properly apply them. Many qualified developers tend to ignore "minor" (in their perception) flaws, such as XSS or XSRF, putting the entire application at risk.”
“Others candidly believe that if they have a WAF or RASP, no code security is ever required. Therefore, regular training on new attacking techniques and exploitation vectors are very helpful to highlight the practical side of security.”
“Application security starts with secure and clear design of the application and related components. Before starting development, you need to plan how to handle security, reliability, compliance requirements (if any) and data encryption. Otherwise, any substantial corrections at later stages can easily get extremely expensive.”
“Don't forget to implement continuous security monitoring and testing once the application is deployed to production: what is secure today - can easily become vulnerable tomorrow”, he summarised.