The sheer number of application and web vulnerabilities is overwhelming. To help development teams set priorities, OWASP maintains a Top 10 list that is updated periodically. The goal is to narrow your focus so you can decide which fire to put out first.
The previous list was published in 2017. The 2021 list does not look profoundly different from four years earlier: most of the changes are a reordering of the risks or a renamed, consolidated category, and three categories are new. In this article, we will look at the OWASP Top 10, what each category covers, and what courses HackEDU offers to help your dev team learn to combat these threats.
How Categories Are Selected
OWASP collects data from contributing organizations, looks at incidence rates, and ranks the categories by risk. Eight of the ten categories are chosen from that data and two from a community survey of industry professionals. There are far more than ten vulnerability trends, but for many of them the data is incomplete or inconsistent.
There are three ways the data is collected:
- Human-assisted Tooling (HaT)
- Tool-assisted Human (TaH)
- Raw tooling
The factors considered for each of the top 10 are:
- How many Common Weakness Enumerations (CWEs) are mapped to the category
- The incidence rate: the percentage of tested applications found to contain a CWE in the category
- The coverage: the percentage of applications that were tested for those CWEs at all
- Weighted exploitability on a ten-point scale
- Weighted impact on a ten-point scale
- The total number of applications with a CWE mapped to the category
- The total number of CVEs in the NVD database mapped to the CWEs in the category
OWASP Top 10 For 2021
The following are the OWASP Top 10 for 2021, listed here in alphabetical order rather than by OWASP's ranking. There are some new categories, and a few names have changed. Many of the issues from 2017 remain.
Broken Access Control
- 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
Cryptographic Failures
- Previously called Sensitive Data Exposure, which described a broad symptom rather than a root cause, this category focuses on failures related to cryptography. Those failures can lead to the exposure of sensitive data or compromise the entire system.
Identification and Authentication Failures
- Once titled Broken Authentication, this now includes CWEs that are more related to identification failures. The increased availability of standardized frameworks seems to be helping.
Injection
- Cross-site scripting now falls into the injection category. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications.
Insecure Design
- This is a new category for 2021. Insecure Design focuses on risks related to design flaws. If we genuinely want to "shift left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
Security Logging and Monitoring Failures
- This category is expanded to include more types of failures, is challenging to test for, and isn't well represented in the CVE/CVSS data. Failures in this category can directly impact visibility, incident alerting, and forensics.
Security Misconfiguration
- 90% of applications were tested for some form of misconfiguration. The former category for XML External Entities (XXE) is now part of this category.
Server-Side Request Forgery (SSRF)
- The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the industry professionals are telling us this is important, even though it's not illustrated in the data at this time. The 2019 Capital One breach is a prime example of an SSRF vulnerability and is probably the primary reason it’s on the radar of security professionals.
Software and Data Integrity Failures
- A new category for 2021, Software and Data Integrity Failures focuses on code and infrastructure that trusts software updates, critical data, and CI/CD pipelines without verifying their integrity. It has one of the highest weighted impacts from CVE/CVSS data mapped to its 10 CWEs. Insecure Deserialization is now part of this growing category.
Vulnerable and Outdated Components
- Previously called Using Components with Known Vulnerabilities, this is a known issue that is hard to test for and to assess the risk of. It is the only category without any CVEs mapped to its CWEs, so default exploit and impact weights of 5.0 are factored into its score. Log4j highlights the importance of this lesson. Most of our customers have told us this is one of their biggest AppSec problems.
OWASP Top 10 Courses Offered By HackEDU And What Skills Your Developers Will Gain
They say the devil is in the details, so here are some details on what you can expect from the HackEDU training platform. There are more than 115 lessons on the platform to teach developers secure coding. We constantly update and add lessons, which keeps your dev team engaged and learning, giving your site the security you and your users deserve.
All the lessons on our platform apply best training practices to new areas, teaching developers how to identify and fix vulnerabilities.
Our “Best In Class” Features:
Offensive/defensive training combined
Learn secure coding through writing code
Purposely built for developers by a CISO and a Software Engineer
Integrations with SAST/DAST tools that drive adaptive training
Robust admin features for managing users, training plans, and reporting
Your dev team will get extensive training and the ability to practice their skills in a sandbox. Our PCI Developer Training includes the following OWASP Top 10 lessons.
Newly released lessons on the HackEDU platform:
Insecure Design is a new category that focuses on design flaws.
- Define and exploit an Insecure Design Vulnerability.
- Interpret threat models.
- Remediate with coding.
Server-Side Request Forgery (SSRF) is new to the OWASP Top 10. It ranks tenth in the list itself, but it came in first in the community survey that OWASP uses to pick categories the data alone does not yet support.
- Exploit a Server-Side Request Forgery vulnerability.
- Remediate it with URL allowlist validation.
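The check behind "URL allowlist validation", as an added example that is not HackEDU's lesson code. It assumes a hypothetical application that only ever needs to fetch from the two hosts in `ALLOWED_HOSTS`, and it replaces real DNS with a constructed `FAKE_DNS` table so it runs offline. The resolved-address check is there because an allowlist alone does not help if an allowlisted name is later pointed at an internal address such as the cloud metadata service, which is the path the 2019 Capital One attacker used.

```python
"""Added example (not HackEDU's lesson code): validate an outbound URL
against a host allowlist, then check the address it resolves to, before a
server-side fetch. ALLOWED_HOSTS and FAKE_DNS are constructed assumptions."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # constructed allowlist

# Constructed, offline stand-in for DNS resolution.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",
    "cdn.example.com": "93.184.216.35",
    # An attacker-controlled name pointed at the cloud metadata address.
    "evil.example.net": "169.254.169.254",
}


def resolve(host: str) -> str:
    """Look the host up in the constructed table; raise if unknown."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host!r}")


def check_outbound_url(url: str, resolver=resolve) -> str:
    """Return the resolved IP if `url` is safe to fetch, else raise ValueError.

    Checks, in order: scheme, no embedded credentials (the
    'https://allowed@evil/' trick), exact host allowlist match, and that the
    host resolves to a public address. Connect to the returned IP, not the
    name, so the address checked is the address used.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    ip = ipaddress.ip_address(resolver(host))
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return str(ip)


def is_safe(url: str) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        check_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in [
        "https://api.example.com/v1/report",           # allowed
        "http://169.254.169.254/latest/meta-data/",    # metadata service, blocked
        "https://evil.example.net/",                   # not allowlisted, blocked
        "https://api.example.com@evil.example.net/",   # userinfo trick, blocked
        "file:///etc/passwd",                          # wrong scheme, blocked
    ]:
        print(f"{u:48} -> {'allowed' if is_safe(u) else 'blocked'}")
```

Passing a different `resolver` shows the rebinding case: an allowlisted name that resolves to `10.0.0.5` is rejected even though the hostname check passes.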
Also included and updated regularly:
Broken Access Control:
- Learn how attackers bypass access controls to do something without the necessary authorization.
OS Command Injection:
- Learn how attackers inject commands into the operating system.
- Learn how to discover and exploit Command Injection attacks.
- Discover timing-based network attacks, and how to use them within the context of blind command injection.
- Learn how to protect against OS Command Injection attacks by using safe functions, input validation, and allow-listing.
- Fix an OS Command Injection vulnerability in your language of choice.
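The "safe functions, input validation, and allow-listing" fix for OS command injection, as an added example that is not HackEDU's lesson code. The hypothetical feature is a diagnostics endpoint that passes user input to a command; `echo` stands in for a network tool so the example runs anywhere with a POSIX shell, and the hostname allow-list shows the validation you would apply before handing input to something like `ping`.

```python
"""Added example (not HackEDU's lesson code): an OS command injection
vulnerability beside its fix. PAYLOAD is a constructed attacker input."""
import re
import subprocess

# Constructed attacker input: a shell metacharacter followed by a second command.
PAYLOAD = "hello; echo INJECTED"


def run_vulnerable(label: str) -> str:
    """Vulnerable: user input is concatenated into a shell command line, so
    ';' ends the intended command and whatever follows runs as well."""
    result = subprocess.run("echo " + label, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_safe(label: str) -> str:
    """Fixed: no shell is involved. The input is one argv element, so shell
    metacharacters are just bytes inside an argument."""
    result = subprocess.run(["echo", label], capture_output=True, text=True)
    return result.stdout


# Allow-list for input that must reach a command as a hostname.
# RFC 1123 style: dot-separated labels of alphanumerics and hyphens,
# each 1-63 characters, never starting or ending with a hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def build_ping_argv(host: str) -> list:
    """Return argv for a single ping, or raise ValueError for anything that
    is not a plain hostname. Defence in depth on top of the argv list: the
    pattern also rejects a leading '-', so the value cannot be parsed as an
    option by the tool it is passed to."""
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))  # two lines: hello, INJECTED
    print("safe:      ", repr(run_safe(PAYLOAD)))        # one line, payload echoed literally
    print(build_ping_argv("db-01.example.com"))
    for bad in ("example.com; id", "-c 1000 example.com", "$(id).example.com"):
        try:
            build_ping_argv(bad)
        except ValueError as exc:
            print("rejected:", exc)
```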
Cross-Site Request Forgery
- Learn how to discover and exploit cross-site request forgery.
- Learn how to protect against CSRF attacks with trusted libraries and nonces.
Cryptographic Failures (previously called Sensitive Data Exposure):
- Learn how attackers gain access to sensitive data by acting as a man-in-the-middle or by attacking weak encryption.
Identification and Authentication Failures (previously called Broken Authentication and Session Management):
- Learn about brute forcing authentication and how to mitigate it with throttling.
- Learn about weak session management, how to store session information correctly, and why session state should not be kept in client-side cookies.
- Learn how to store passwords and why plain text or a simple unsalted hash is not safe.
- Learn about invalidating sessions on logout.
- Fix the way a web app handles sessions in your language of choice.
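Why "a simple hash is not safe" and what to use instead, as an added example that is not HackEDU's lesson code. It uses only the standard library; the PBKDF2 iteration count and the record format are illustrative assumptions, not parameters the page specifies.

```python
"""Added example (not HackEDU's lesson code): an unsalted fast hash beside a
salted, iterated PBKDF2 record with constant-time verification.
ITERATIONS and the record layout are assumptions for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: tune to the deployment's hardware budget
ALGO = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """Unsafe: unsalted and fast. Two users with the same password get the
    same digest, precomputed tables work, and guessing is cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest'.
    A fresh 16-byte random salt makes every record unique, even for
    identical passwords, and lets the work factor be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant
    time so the comparison itself does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True if the record is below current policy, so it can be upgraded on
    the next successful login (the only time the plaintext is available)."""
    try:
        algo, stored_iterations, _salt, _digest = record.split("$")
        return algo != ALGO or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    print("naive, alice:", naive_hash("hunter2"))
    print("naive, bob:  ", naive_hash("hunter2"))  # identical: a giveaway
    rec = hash_password("hunter2")
    print("record:      ", rec)
    print("verify ok:   ", verify_password("hunter2", rec))   # True
    print("verify bad:  ", verify_password("Hunter2", rec))   # False
```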
Insecure Deserialization (now part of the new, broader category Software and Data Integrity Failures):
- Learn how attackers exploit deserialization and how to protect against it.
Security Logging and Monitoring Failures:
- Learn how insufficient logging and monitoring can affect your application.
- Learn how to fix these gaps through interactive lessons within a sandbox.
Security Misconfiguration:
- Understand the dangers of information exposure (web server name and version, stack traces, "Index Of" pages, etc.).
- Learn the importance of not using default usernames and passwords.
SQL Injection:
- Learn how to discover and exploit SQL Injection attacks.
- Learn how to protect against SQL Injection attacks with parameterized queries.
- Fix a vulnerable SQL query in your language of choice.
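The vulnerable login query beside its parameterized fix, as an added example that is not HackEDU's lesson code. It runs against an in-memory SQLite database with a constructed user table; the plaintext password column is there only so the injection is easy to see, not as a storage recommendation.

```python
"""Added example (not HackEDU's lesson code): SQL injection in a login query
and the parameterized fix, against a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) "
                 "VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: values are spliced into the SQL text, so a quote in the
    input changes the structure of the statement."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Fixed: placeholders. The driver sends the values separately from the
    statement text, so quotes in the input are data, never syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payloads: the first closes the string and adds an always-true
# clause; the second closes the string and comments out the password check.
BYPASS_OR = "' OR '1'='1"
BYPASS_COMMENT = "alice'--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, OR payload:     ", login_vulnerable(conn, "alice", BYPASS_OR))       # (1,)
    print("vulnerable, comment payload:", login_vulnerable(conn, BYPASS_COMMENT, "wrong"))  # (1,)
    print("safe, OR payload:           ", login_safe(conn, "alice", BYPASS_OR))             # None
    print("safe, comment payload:      ", login_safe(conn, BYPASS_COMMENT, "wrong"))        # None
    print("safe, real credentials:     ", login_safe(conn, "alice", "correct horse"))       # (1,)
```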
Vulnerable and Outdated Components (previously called Using Components with Known Vulnerabilities):
- Learn how to use security misconfiguration (exposing stack traces) to discover libraries that are known to be vulnerable.
- Successfully exploit a vulnerable library described in a CVE.
- Learn best practices for keeping libraries up to date with security patches.
XML External Entities
- Learn how to discover and exploit XXE attacks.
- Craft an XML payload that steals /etc/passwd from your sandbox and a secret key from an internal service on the sandbox's network.
- Learn how to protect against XXE attacks with proper parser configuration.
- Fix a vulnerable XML parser in your sandbox using your language of choice.
Cross-Site Scripting (XSS):
- Learn about reflected, stored, and DOM-based XSS attacks.
- Learn how to discover and exploit XSS attacks.
- Learn how to protect against XSS attacks by using input validation, output encoding, and frameworks that escape output by default.
- Fix an XSS vulnerability in the sandbox using your language of choice.
For more information about the new OWASP top 10, what’s changed, and what you need to do, please watch our free webinar.
The Strategy Behind the Updates
Because we had such deep coverage within the OWASP top 10 lessons, we only needed to add the two new lessons, SSRF and Insecure Design, for the updated vulnerabilities.
With that being said, we reorganized the rest of the lessons to be in line with the new OWASP list.
Languages HackEDU Offers Lessons In
We support most languages and frameworks.
To learn more about HackEDUs cybersecurity hands-on, interactive training, please visit our site. Registration is free, and you can play around with a few different scenarios within the virtual sandboxes.