OWASP Top 10 Updated With Three New Categories

On its 20th anniversary, the Open Web Application Security Project (OWASP) released the final version of its revised Top 10 list of the most critical risks to web applications. The list includes three new categories, as well as position shifts compared to the previous report, released in 2017.

In OWASP Top 10 2021, Broken Access Control has taken the lead as the category with the most serious web application security risks. The category was fifth in the previous version.

There are 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control, and they had the highest number of occurrences (at roughly 318,000) compared to any other category.

Second in line comes Cryptographic Failures (previously Sensitive Data Exposure), which often results in the exposure of sensitive data or in system compromise. Injection, which now includes Cross-Site Scripting, drops one position to third place, with its 33 mapped CWEs having roughly 274,000 occurrences.

Focused on risks related to design flaws, Insecure Design is a new category in the Top 10 list this year, yet it debuts as high as the fourth position. Security Misconfiguration, which now includes XML External Entities (XXE) bugs, landed in the fifth position, with more than 208,000 occurrences of the CWEs mapped to it.

Sixth on the list is Vulnerable and Outdated Components (previously titled Using Components with Known Vulnerabilities), followed by Identification and Authentication Failures (previously Broken Authentication) in the seventh position, and Software and Data Integrity Failures (which now includes Insecure Deserialization) in the eighth.

The Software and Data Integrity Failures category is related to lack of integrity verification in software updates, critical data, and continuous integration/continuous delivery (CI/CD) pipelines.

Ninth on the list is Security Logging and Monitoring Failures (previously Insufficient Logging & Monitoring), with Server-Side Request Forgery (SSRF) emerging as a new category in the tenth position. OWASP notes that the security community sees the risks associated with SSRF as important, even though the data does not show that.



OWASP Top 10 2021

A major shift from the previous OWASP Top 10 is the focus on the prevalence of CWEs within applications. Rather than focusing on only 30 CWEs, the report is now based on the analysis of almost 400 CWEs, which also resulted in changes to how categories are structured. The OWASP team also focused on root cause types of CWEs, rather than symptoms.

Furthermore, the team mainly took into consideration average exploit and impact scores when compiling the 2021 list, leaving likelihood (Detectability) aside.

“We grouped all the CVEs with CVSS scores by CWE and weighted both exploit and impact scores by the percentage of the population that had CVSSv3 + the remaining population of CVSSv2 scores to get an overall average. We mapped these averages to the CWEs in the dataset to use as Exploit and (Technical) Impact scoring for the other half of the risk equation,” OWASP explains.

For this installment of the OWASP Top 10 list, only eight of the categories were selected from the statistical data, while the remaining two were introduced based on results from the Top 10 community survey.
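The per-CWE averaging OWASP describes above, written out as an added illustration (this is not OWASP's code and the dataset, CVE identifiers and subscores are constructed): each CWE's CVEs are split into the population with CVSSv3 subscores and the remainder with only CVSSv2 subscores, each population's mean is weighted by its share of the CWE's CVEs, and the two are summed. Subscores are used as given, with no rescaling between versions, since the article describes none.

```python
"""Per-CWE Exploit/Impact averaging in the style OWASP describes for the
2021 Top 10 (added illustration; not OWASP's own code or data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

Subscores = Tuple[float, float]  # (exploitability, impact)


@dataclass
class CveRecord:
    cve_id: str
    cwe: str
    v3: Optional[Subscores]  # CVSSv3 subscores, if the CVE has a v3 vector
    v2: Optional[Subscores]  # CVSSv2 subscores, if the CVE has a v2 vector


# Constructed sample data: hypothetical identifiers and subscores, not real CVEs.
SAMPLE = [
    CveRecord("CVE-0000-0001", "CWE-79", (2.8, 2.7), (8.6, 2.9)),
    CveRecord("CVE-0000-0002", "CWE-79", (2.8, 2.7), None),
    CveRecord("CVE-0000-0003", "CWE-79", None, (8.6, 2.9)),
    CveRecord("CVE-0000-0004", "CWE-284", (3.9, 5.9), None),
    CveRecord("CVE-0000-0005", "CWE-284", None, (10.0, 6.4)),
    CveRecord("CVE-0000-0006", "CWE-611", None, (8.0, 6.4)),
]


def cwe_averages(records):
    """Return {cwe: (avg_exploit, avg_impact)}, rounded to two decimals.

    A CVE belongs to the CVSSv3 population when it has a v3 score and to the
    remaining CVSSv2 population otherwise; CVEs with neither are skipped.
    """
    by_cwe = defaultdict(lambda: {"v3": [], "v2": []})
    for r in records:
        if r.v3 is not None:
            by_cwe[r.cwe]["v3"].append(r.v3)
        elif r.v2 is not None:
            by_cwe[r.cwe]["v2"].append(r.v2)
    result = {}
    for cwe, pops in by_cwe.items():
        total = len(pops["v3"]) + len(pops["v2"])
        exploit = impact = 0.0
        for scores in pops.values():
            if not scores:
                continue  # e.g. a CWE whose CVEs all lack v3 vectors
            share = len(scores) / total  # this population's weight
            exploit += share * sum(s[0] for s in scores) / len(scores)
            impact += share * sum(s[1] for s in scores) / len(scores)
        result[cwe] = (round(exploit, 2), round(impact, 2))
    return result
```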


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
