OWASP’s 2021 list shuffle: A new battle plan and primary foe

Published Oct 05, 2021
by Matias Madou, Ph.D.
cASE sTUDY

OWASP’s 2021 list shuffle: A new battle plan and primary foe

Published Oct 05, 2021
by Matias Madou, Ph.D.
View Resource
View Resource

In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.

Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.

But the injection king has fallen. Long live the king. 

Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.

Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.

Broken access control takes the crown (and reveals a trend)

Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions. 

Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.

Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.

It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration. 

While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public. 

The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.

Preventing the bugs that robots rarely find

The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog

However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.

Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.

We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.

View Resource
View Resource

Author

Matias Madou, Ph.D.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

OWASP’s 2021 list shuffle: A new battle plan and primary foe

Published Oct 05, 2021
By Matias Madou, Ph.D.

In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.

Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.

But the injection king has fallen. Long live the king. 

Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.

Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.

Broken access control takes the crown (and reveals a trend)

Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions. 

Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.

Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.

It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration. 

While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public. 

The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.

Preventing the bugs that robots rarely find

The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog

However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.

Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.

We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.