OWASP (Open Web Application Security Project) is a non-profit organization founded in 2001. The primary objective of OWASP is to produce methodologies, tools, documentation, articles, and technologies, free of the cost to secure web application software.
OWASP guidelines emphasize top vulnerabilities cybercriminals are targeting, causes of the security flaw, and preventions methods. OWASP is run by the collection of thousands of members which makes a community, and they collectively research threats to software and web applications and suggest their fixes to improve the security of software systems.
OWASP actively organizes leading education and training conferences around to globe to spread and share knowledge for the cyber professionals and the companies to secure their assets.
The most known project from OWASP is ‘’Project Spotlight: OWASP top 10’’. This is an awareness document OWASP releases from time to time that mentions the top 10 security risks in the web application, causes of those security risk and guidelines about how to mitigate them. OWASP members conduct research and gather vulnerability statistical data around the globe to point out the top 10. They also mention their fixes and actions to take in respect to defending against these vulnerabilities.
OWASP 2021 Top 10 Security Risks
OWASP is maintaining its legacy to release its ‘’Awareness Document’’ named as TOP 10. They first published it in the year 2003 and since then they have published seven awareness documents within almost two decades. The latest awareness document has been published in the year 2021. This document is put together by a team of security professionals around the globe. OWASP suggests all companies to assimilate this document to improve their cyber security. Below are the top ten web application security risks by OWASP 2021 top 10.
-
Broken Access Control
When you have misconfigured access control at your network perimeters, it can be misused by an attacker to gain access to your system. Apply Zero Trust Network and implement an access control mechanism.
-
Cryptographic Failure
Cryptographic failure occurs when there are bugs in cryptographic libraries, misconfigurations, cryptanalysis, weak algorithms, and more. Even Veracode (An application security company) has included cryptographic failures in their volume 11 report, as one of the top 10 security risks.
-
Injection
This includes the injection of malicious code from the client-side application. The most common examples of injection are SQL and XSS injections.
-
Insecure Design
If you have flaws in your security design, it does not matter how perfect you have done security implementation, you will still be exposed to risk. Threat modeling and secure design principles can eliminate this risk.
-
Vulnerable and Outdated Component
When you do not upgrade, update, and apply patches to your components regularly then you are exposed to this security risk. It does not matter whether you use components on the server-side or client-side. Regular updates and patches must be adopted as the general practice of cyber security.
-
Security Misconfiguration
Most of the applications tested by OWASP contained any form of security misconfiguration. This is also the most found vulnerability during penetration testing. Testing after implementation can verify the security configuration.
-
Identification and Authentication Failures
Web application or any software is most exposed to this security risk when it has no password policies set, permits brute force or any other automated attack, has no MFA (multifactor authentication) or the absence of other authentication security processes.
-
Software and Data Integrity Failures
It relates to the code and infrastructure that does not prevent integrity violation. A common example is when an application relies on modules, libraries, and plugins from a source that is not trustworthy.
-
Security Logging and Monitoring Failures
Most of the attacks remain unnoticed for several days and in some cases, they remain undetected for several months. This happens due to poor use of event logging mechanisms and continuous monitoring failure which keeps the malicious activity out of the sight.
-
Server-Side Request Forgery
Also known as SSRF, is an attack that permits the attacker to send malicious requests to another system via the vulnerable web server. In simple words, ‘’Shoot one's gun from someone else's shoulder’’. Attackers can use this attack to even run a port scan and bypass the security system to access another side network.
Comparison between OWASP Top 10 2017 and 2021:
There are some changes between the 2017 and 2021 awareness documents. Some categories are new in the latest release while some are merged with the change of name. Table 1 will compare both documents thoroughly.
#
|
Name
|
Year 2021
|
Year 2021
|
Change in Position in 2021
|
Previous Name in 2017
|
1
|
Broken Access Control
|
Yes
|
Yes
|
Moves up from #5 to #1
|
No Change
|
2
|
Cryptographic Failures
|
Yes
|
Yes
|
Moves up from #3 to #2
|
Sensitive Data Exposure
|
3
|
Injection
|
Yes
|
Yes
|
Moves down from #1 to #3
|
No Change
|
4
|
Insecure Design
|
Yes
|
No
|
N/A
|
N/A
|
5
|
Security Misconfiguration
|
Yes
|
Yes
|
Moves up from #5 to#5
|
No Change
|
6
|
Vulnerable and Outdated Components
|
Yes
|
Yes
|
Moves up from #9 to #6
|
Using Components with known vulnerabilities
|
7
|
Identification and Authentication Failures
|
Yes
|
Yes
|
Moves down from #2 to #7
|
Broken Authentication
|
8
|
Software and Data Integrity Failures
|
Yes
|
No
|
N/A
|
N/A
|
9
|
Security Logging and Monitoring Failures
|
Yes
|
Yes
|
Moves up from #10 to #9
|
Insufficient logging and monitoring
|
10
|
Server-Side Request Forgery
|
Yes
|
No
|
N/A
|
N/A
|
Why OWASP is important for SMBs
Cyber security is raising concerns for SMBs. Large companies have deep pockets so they can cope with cyber threats by implementing high-tech security infrastructure. While on the other side, SMBs have limited budgets to spend on cyber security and we believe in this situation OWASP awareness document is a gold mine as it is free of cost. SMBs must use it for the following reasons:
-
Security Risks
OWASP has mentioned the top security risks of the present time. SMBs can scan their software, network, or web application to find those security gaps and mitigate them as soon as possible.
-
Causes
OWASP has also listed the reasons which are responsible for the security risk to existing. You can simply eliminate those causes to make your assets secure.
-
Prevention
Methods to prevent from mentioned security flaws are also defined. SMBs must follow those methods to make themselves protected from cyber-attacks.
Any organization, despite the fact its a small, medium, or large enterprise, must secure its assets from leakage and unauthorized access. By using OWASP guidelines, SMB’s can achieve more robust security to protect their assets.
Conclusion
Following the OWASP guidelines and integrating it into an organization's cyber security strategy can help SMBs tighten their cyber defence and make their assets secure. Being unaware of what is wrong is worse than being wrong. OWASP can help you in pointing out what is wrong, what are the reasons, and how you can make it correct, and it is free of cost. Finally, always, prevention is better than cure.