1. Broken Access Control
Broken access control lets attackers act outside their intended permissions: reading or modifying other users' data, reaching admin panels, databases or business-critical functions, and performing privileged operations such as modifying or destroying records. Broken Access Control moved to the top of the 2021 OWASP Top 10; 94% of the applications in the dataset were tested for some form of broken access control.
- Adopt a least-privileged approach
- Build strong access controls on top of role-based authorization, enforced on the server; a client-side check is never an access control
- Deny access by default; apart from public resources, every function should require an explicit grant
- Maintain lean servers by shutting down unnecessary services, deleting inactive and unnecessary accounts
- In case of multiple access points, disable ones that aren’t necessary
- Rate limit API and controller access
- Keep backup files and metadata such as .git directories out of the web root
- Disable web server directory listing
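The list above boils down to two checks that must both run on the server: a role check (is this user allowed to call this function at all?) and an object-level check (is this particular record theirs?). The following is an added example written for this page, not OWASP's code or any framework's API; the names User, Document, PERMISSIONS, require_permission and read_document, and the in-memory DOCUMENTS store, are assumptions made for the demonstration.

```python
# Deny-by-default, role-based authorization with an object-level ownership check.
# Added example for this page; not code from OWASP or any specific framework.
# Assumed names: User, Document, PERMISSIONS, require_permission, read_document.
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


# Role -> permission set. A permission not listed for a role is denied;
# there is no "default allow" path through this table.
PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin": {"document:read", "document:read_any", "document:write", "document:delete"},
}


def has_permission(user: User, permission: str) -> bool:
    return any(permission in PERMISSIONS.get(role, set()) for role in user.roles)


def require_permission(permission: str):
    """Decorator: the wrapped body never runs unless the caller holds the permission."""
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise AccessDenied(f"{permission} denied for user {user.id}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed in-memory store standing in for the database.
DOCUMENTS = {
    1: Document(1, owner_id=10, body="alice's notes"),
    2: Document(2, owner_id=20, body="bob's notes"),
}


@require_permission("document:read")
def read_document(user: User, doc_id: int) -> str:
    """Role check first (decorator), then an ownership check so that a valid role
    cannot be used to enumerate other users' records by changing the id."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc.owner_id != user.id and not has_permission(user, "document:read_any")):
        # Same error for "missing" and "not yours", so the id space cannot be probed.
        raise AccessDenied("document not accessible")
    return doc.body


@require_permission("document:delete")
def delete_document(user: User, doc_id: int) -> bool:
    return DOCUMENTS.pop(doc_id, None) is not None


def can_read(user: User, doc_id: int) -> bool:
    """Convenience wrapper for checks and tests: True only if read_document succeeds."""
    try:
        read_document(user, doc_id)
        return True
    except AccessDenied:
        return False
```

The decorator gives the deny-by-default behaviour: a user with no roles, or a role not in PERMISSIONS, fails before any business logic runs. The ownership test inside read_document is the part most applications forget; without it, any authenticated viewer could walk through every document id.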
2. Cryptographic Failures
Whether at rest or in transit, data often contains sensitive information that needs extra protection. This is especially important for organizations subject to standards such as PCI DSS, GDPR, CCPA and HIPAA. Examples of cryptographic failures are storing sensitive data in plaintext, using weak or deprecated algorithms and protocols, and improper key management.
- Encrypt all data at rest using secure and robust encryption algorithms, keys, and protocols
- Encrypt all data in transit with current, secure protocols such as TLS 1.2 or later
- Identify and apply strong security controls on all sensitive data
- Don’t collect and store sensitive data unless absolutely necessary
- Disable caching of responses that contain sensitive data
- Disable autocomplete on forms that collect sensitive data
- Minimize the attack surface
- Store passwords using robust, adaptive, and proven hashing functions
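The last point is where most cryptographic failures in practice sit. Below is an added example for this page, not OWASP's code or any library's documentation, contrasting the failure mode (a fast, unsalted hash) with a salted, adaptive hash using hashlib.scrypt from the Python standard library (available when Python is built against OpenSSL 1.1 or later). The record format "scrypt$N$r$p$salt_hex$hash_hex" and the helper names are assumptions made for the example.

```python
# Password storage with a salted, adaptive hash (scrypt) and constant-time verification.
# Added example for this page; not code from OWASP or any library's documentation.
# Standard library only; hashlib.scrypt needs a Python built against OpenSSL 1.1+.
# The record format "scrypt$N$r$p$salt_hex$hash_hex" is an assumption for the example.
import hashlib
import hmac
import os

N, R, P = 2 ** 14, 8, 1   # work factors (about 16 MiB per hash); raise N as hardware improves
SALT_BYTES = 16
KEY_LEN = 32


def insecure_hash(password: str) -> str:
    # The failure mode: fast and unsalted. Equal passwords collide, and a
    # precomputed table or a GPU tries billions of guesses per second.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    salt = os.urandom(SALT_BYTES)          # unique per record, so equal passwords differ
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=KEY_LEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False                       # malformed record: fail closed
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(key, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than the current ones.
    Call after a successful login and re-hash with the now-known password."""
    try:
        _, n, r, p, _, _ = stored.split("$")
    except ValueError:
        return True
    return (int(n), int(r), int(p)) < (N, R, P)
```

Storing the parameters inside the record is what makes the scheme adaptive: when N is raised, old records still verify, and needs_rehash lets the application upgrade them at the next successful login instead of forcing a password reset.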
3. Injection
Injection vulnerabilities let attackers supply untrusted data, commands or queries that an interpreter then executes as if they were part of the application's own code, leading to actions it was never designed for, such as disclosing sensitive data or executing arbitrary code. Examples include SQL injection and XSS; the 2021 category also covers OS command, LDAP and NoSQL injection.
- Validate input on the server side, preferably against an allow list; client-side validation is a usability aid, not a control
- Use safe APIs that avoid the interpreter entirely or provide a parameterized interface
- Use intrusion detection systems to spot suspicious behaviour
- Use parameterized queries (prepared statements) instead of building query strings from user input
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records
- Where a value cannot be parameterized, escape special characters using the interpreter's own escape syntax; treat this as a last resort, not a substitute for parameterization
4. Insecure Design
Entering the list at #4, this new entrant in the OWASP Top 10 web application vulnerabilities 2021 list focuses on the risks associated with design flaws that lead to poor security controls. It reflects the industry’s growing focus on creating secure-by-design apps.
- Integrate security right into the SDLC stages and leverage robust security practices from the early stages
- Establish a library of secure design patterns, components, frameworks, etc. that are ready and safe to use for new applications
- Use threat modelling for designing critical features like access controls, authentication, business logic, key flows, etc.
- Include security language, concerns, and controls in all user stories
- Based on exposure and protection needs, divide apps into different tiers and find use and misuse cases for each tier
- Build plausibility checks into each tier of the application, from front end to back end
5. Security Misconfiguration
Security misconfiguration, representing a lack of security hardening across the stack, moved up the 2021 OWASP Top 10; 90% of the applications in the dataset were tested for some form of misconfiguration. Examples include improper permissions, unnecessary features left enabled, default accounts and passwords, misconfigured HTTP headers, and verbose error messages that leak stack traces.
- Make hardening a repeatable, automated process so that every environment is locked down the same way
- Use preconfigured templates (with different credentials) to configure development, QA, and production identically
- Maintain a library of securely configured container images
- Remove unused features and services and deploy an application with minimal setup
- Review and update configurations as part of the patch management process, not only the software itself
- Use automated workflows to verify secure configurations and detect misconfigurations in any environment. Remediate identified issues instantly.
6. Vulnerable and Outdated Components
This category covers unsupported and outdated components: libraries, frameworks, runtimes and other software modules. Building or running applications on out-of-date components leaves them exposed to every publicly known vulnerability in those versions.
- Maintain an updated inventory of all components used in the application with their versions
- Continuously scan components, libraries, etc. and their dependencies for vulnerabilities
- Keep all components updated. If patches aren’t immediately available, apply virtual patches
- Remove unused, legacy, and outdated components, features, and dependencies from apps
- Use components, software, etc. from official and trustworthy sources
7. Identification and Authentication Failures
Incorrect implementation of authentication and session management functions allows attackers to compromise passwords, keys or session tokens, and to assume other users' identities temporarily or permanently.
- Multi-factor authentication is a must
- Don’t use default credentials, especially for admin privileges
- Implement a strong password policy
- Use a secure, server-side session manager that generates random, time-limited session IDs, never exposes them in the URL, and invalidates them on logout and after an idle timeout
- Monitor failed login attempts and set limits and delays on the same
- Strengthen registration, credential recovery, and other authentication-related processes
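Two of the points above, limiting failed logins and issuing time-limited session IDs, are easy to get subtly wrong. The block below is an added example for this page (not OWASP's code or any framework's session implementation) with an injectable clock so that lockout and expiry can be exercised deterministically. LoginThrottle, SessionManager, FakeClock and the users table are assumptions made for the demonstration; the plaintext password comparison stands in for a real hash verification.

```python
# Failed-login throttling and random, time-limited session IDs.
# Added example for this page; not code from OWASP or any framework.
# Assumed names: LoginThrottle, SessionManager, FakeClock, login.
import secrets
import time


class FakeClock:
    """Injectable clock so lockouts and expiry can be tested without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginThrottle:
    """Counts failures per account and refuses attempts during a lockout window."""
    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}          # username -> (failure_count, locked_until)

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._state.get(username, (0, 0.0))
        return self.clock() < locked_until

    def record_failure(self, username: str) -> None:
        count, locked_until = self._state.get(username, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until = self.clock() + self.lockout_seconds
            count = 0
        self._state[username] = (count, locked_until)

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


class SessionManager:
    """Random, time-limited session IDs that are invalidated on logout."""
    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}       # session_id -> (user, expires_at)

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]          # expired: drop it so it cannot be reused
            return None
        return user

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def login(username: str, password: str, users: dict, throttle: LoginThrottle,
          sessions: SessionManager):
    """Returns a session id, or None. The lock is checked before the credential so a
    locked account answers identically for right and wrong passwords. Unknown
    usernames are throttled too, so the response does not reveal which accounts exist."""
    if throttle.is_locked(username):
        return None
    if users.get(username) != password:     # stand-in for verify_password(); never store plaintext
        throttle.record_failure(username)
        return None
    throttle.record_success(username)
    return sessions.create(username)
```

In production the clock would be time.monotonic, the users dict would hold password hashes, and the session store would live server-side (a database or cache) with the same expiry semantics.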
8. Software and Data Integrity Failures
Entering the OWASP Top 10 2021 at #8, this category highlights the need to verify the integrity of software updates, critical data and CI/CD pipelines. It was added in response to the rise in supply chain attacks and their impact. A8:2017 Insecure Deserialization is now part of this larger category.
- Verify that software, updates and data come from the expected source and have not been altered, using digital signatures or similar measures
- Ensure integrity of CI/CD pipeline through strong access controls, proper configuration, and adequate segregation
- Continuously review code and configurations for modifications
- Ensure that libraries and dependencies are pulled from trusted repositories; if your risk profile is higher, host an internal, vetted repository
- Do not send unsigned or unencrypted serialized data to untrusted clients without an integrity check (a signature or MAC) that is verified before the data is deserialized
9. Security Logging and Monitoring Failures
This category concerns an application's inability to detect, escalate and respond to active breaches. With the average time to detect a breach reported at around 197 days, attackers have a long window in which to operate.
- Use logging and audit tooling that can raise alerts on suspicious activity in near real time
- Ensure the logs carry enough context (user, source address, action, outcome) and are in formats that log management tools can consume for forensic analysis
- Protect log data against tampering and deletion, for example with append-only storage and off-host copies
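The added example below (written for this page, not OWASP's code or any logging product) shows both halves of the list: a simple detection rule run over constructed log records, and a hash chain that makes editing or deleting an entry detectable. Each record stores the hash of its predecessor, so verification fails from the first altered entry onward. The record layout and the names append_entry, verify_chain and detect_bruteforce are assumptions for the demonstration.

```python
# Tamper-evident audit log (hash chain) plus a detection rule over its entries.
# Added example for this page; not code from OWASP or any logging product.
# Assumed names: append_entry, verify_chain, detect_bruteforce. Events are constructed.
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, event: dict) -> dict:
    """Append an event; its hash covers the sequence number, the previous hash and the event."""
    record = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS, "event": event}
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify_chain(log: list) -> int:
    """Returns -1 if the chain is intact, otherwise the index of the first bad entry.
    Edits break the entry's own hash; deletions or reordering break seq/prev links.
    Truncation at the tail is only caught if the latest hash is also stored off-host."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev or _digest(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return -1


def detect_bruteforce(log: list, threshold: int = 5) -> set:
    """Source addresses with at least `threshold` failed logins: the kind of
    rule a monitoring system should alert on as soon as it fires."""
    counts = Counter(r["event"].get("src") for r in log if r["event"].get("type") == "login_failed")
    return {src for src, n in counts.items() if src and n >= threshold}
```

Note that the chain only makes tampering visible; preventing it still needs append-only storage, restricted write access, and shipping the head hash (or the whole log) to a separate system.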
10. Server-Side Request Forgery
This vulnerability ranked #1 in the OWASP Top 10 Community Survey and was added to the 2021 list on that basis. SSRF occurs when an application fetches a remote resource from a user-supplied URL without validating it, letting an attacker make the server send requests to destinations of their choosing. Servers behind a firewall or VPN are exposed too, because the request originates from inside the trusted network.
- Validate and sanitize all client-supplied URLs
- Isolate remote-resource-access functionality in a separate network segment to limit the impact of a successful request
- Block all but essential outbound traffic from that segment with deny-by-default firewall policies or network access control rules
- Do not return raw responses from the fetched resource to clients
- Enforce a positive allow list for URL scheme, destination host and port
- Do not follow HTTP redirects
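The allow-list advice above, as an added example written for this page (not OWASP's code or any HTTP client library). It checks scheme, host and port against allow lists, rejects URLs carrying credentials, and then confirms that the host resolves only to public addresses, which is what catches DNS rebinding into the internal network or a cloud metadata endpoint. Name resolution is passed in as a function so the example runs offline against a constructed table; the allowed hosts and the names validate_fetch_url and is_safe_url are assumptions for the demonstration.

```python
# SSRF guard: positive allow list for scheme, host and port, plus a check that the
# resolved address is not internal. Added example for this page; not OWASP's code.
# Assumed: ALLOWED_HOSTS, FAKE_DNS (constructed), validate_fetch_url, is_safe_url.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}   # assumed allow list
ALLOWED_PORTS = {443}


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve) -> str:
    """Returns a normalized URL if every check passes; raises ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")   # https://allowed@evil/ style tricks
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    addresses = resolve(host)
    if not addresses:
        raise ValueError("host does not resolve")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError("host resolves to an internal address")   # rebinding or poisoning
    # Fragment is dropped; the caller must also connect to the checked address rather than
    # resolving again, and must fetch with redirects disabled.
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}:{port}{parts.path or '/'}{query}"


def is_safe_url(url: str, resolve) -> bool:
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.partner.example": ["93.184.216.35", "10.0.0.5"],   # one internal address: rejected
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

The check is only half of the control: the HTTP client must then connect to the address that was checked (not resolve the name a second time) and must not follow redirects, otherwise an allowed host can bounce the request to an internal one.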