OWASP presents the draft Top 10 of the main threats for
The Top 10 list is a widely used guide to today's web
application security threats. The Open Web Application Security Project
(OWASP) has released a draft of its Top 10 for 2021, showing
changes in the way current threats are classified.
The draft report, available online
(https://owasp.org/Top10/), contains important changes to the way the nonprofit
categorizes current web application threats; the list had not been
updated since 2017.
OWASP updated the methodology used to create the Top 10.
Eight of the 10 categories are data driven and two were selected based on
industry survey responses.
When OWASP analyzes the vulnerability data contributed by
cybersecurity companies, it uses a fixed set of data factors to build the
top 10 list. These include the CWEs (Common Weakness Enumeration entries) mapped
to each category, the incidence rate (the percentage of tested applications that
are vulnerable to a specific CWE), and the weight of its impact on organizations.
OWASP also takes into account a weighted exploitability score and a weighted
impact score, both derived from CVSSv2 and CVSSv3 (Common Vulnerability Scoring
System) data, as well as the total number of applications in which a CWE from
the category was found and the total number of Common Vulnerabilities and
Exposures (CVE) entries related to that type of threat.
Three new categories were added: Insecure Design,
Software and Data Integrity Failures, and a Server-Side Request Forgery (SSRF)
category.
The 2017 XML External Entities (XXE) category becomes part of
the 2021 Security Misconfiguration category. Likewise,
"Cross-Site Scripting (XSS)" was folded into the "Injection"
category, and "Insecure Deserialization" is now part of "Software
and Data Integrity Failures".
OWASP shifts left
The inclusion of "Insecure Design" and
"Software and Data Integrity Failures" shows how the software industry
continues to shift left, with more emphasis on secure
architecture and design and on threat modeling.
"Secure threat modeling and design is often overlooked due
to the speed of current development. It is also important to finally see OWASP
highlighting software development security and CI/CD process integration as
another area to consider," said Tom Aston, director of the application security
practice at Bishop Fox.
OWASP Top 10: Complete List
1. A01:2021 - Broken Access Control: 34 CWEs. Access
control vulnerabilities include privilege escalation, malicious URL modification,
access control bypass, CORS misconfiguration, and primary key tampering.
2. A02:2021 - Cryptographic Failures: 29 CWEs. This covers
security flaws affecting data in transit or at rest, such as the use
of weak cryptographic algorithms, poor or unreliable key generation, failure
to implement encryption or certificate verification, and the transmission of
data in clear text.
3. A03:2021 - Injection: 33 CWEs. Common injections affect
SQL, NoSQL, operating system commands, and LDAP, and can be caused by input
sanitization errors, XSS vulnerabilities, and lack of file path protection.
4. A04:2021 - Insecure Design: 40 CWEs. Insecure design flaws
vary widely, but OWASP generally describes them as "missing or ineffective
controls." Issues of concern include lack of protection for stored data,
business logic flaws, and content display that reveals sensitive
information.
5. A05:2021 - Security Misconfiguration: 20 CWEs.
Applications can be considered vulnerable if they lack security hardening, if
unnecessary features are enabled (for example, overly permissive privileges),
if default accounts remain active, and if security
features are not configured correctly.
6. A06:2021 - Vulnerable and Outdated Components: three CWEs.
This category covers client and server components, component failures, unsupported
legacy systems such as operating systems, web servers or libraries, and component
misconfiguration.
7. A07:2021 - Identification and Authentication Failures: 22
CWEs. Security issues include improper authentication, session fixation, certificate
mismatch, credential stuffing
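To make two of the categories above concrete, the following is an added example (not code from the article or from OWASP) that puts a vulnerable implementation beside its hardened form for A03:2021 Injection (string-built SQL versus a bound parameter) and A01:2021 Broken Access Control (a primary-key lookup that never checks ownership, versus one that does). The users, documents and the `' OR '1'='1` payload are constructed sample data, and the function names are my own.

```python
import sqlite3

# Constructed sample data (not from the article): two users, each owning one document.
SEED_USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]
SEED_DOCS = [(100, 1, "alice's tax return"), (101, 2, "bob's medical record")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", SEED_DOCS)
    return conn


# --- A03:2021 Injection -------------------------------------------------
def find_user_vulnerable(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so it can rewrite the query.
    With name = "' OR '1'='1" the WHERE clause becomes always-true and every row leaks."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- A01:2021 Broken Access Control (primary key tampering / IDOR) ------
def get_document_vulnerable(conn, doc_id, requester_id):
    """Vulnerable: trusts the client-supplied id and never asks who owns the row,
    so any authenticated user can read any document by changing the id."""
    return conn.execute(
        "SELECT id, owner_id, body FROM docs WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_safe(conn, doc_id, requester_id):
    """Hardened: ownership is part of the lookup itself, so it cannot be skipped;
    a document belonging to someone else simply does not exist for the requester."""
    return conn.execute(
        "SELECT id, owner_id, body FROM docs WHERE id = ? AND owner_id = ?",
        (doc_id, requester_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("injection, vulnerable:", find_user_vulnerable(db, payload))  # both users
    print("injection, safe:      ", find_user_safe(db, payload))        # []
    # Alice (id 1) asks for Bob's document (id 101).
    print("IDOR, vulnerable:", get_document_vulnerable(db, 101, requester_id=1))  # Bob's row
    print("IDOR, safe:      ", get_document_safe(db, 101, requester_id=1))        # None
```

The point of the access-control half is that the check lives in the data access layer rather than in a caller that might forget it; the point of the injection half is that parameterization, not escaping, is what keeps attacker input from becoming part of the statement.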