Published on
This article is based on ‘Top 10 Biggest Security Threats to Your Products,’ a webinar hosted by Mike Burch, Security Journey’s Director of Application Security.
The OWASP Top 10 for web application security risks is the most well-known OWASP list, but did you know there are at least eight other "top ten" lists in the OWASP universe? As security professionals, it's important to comprehensively understand new technologies and the associated application security issues with each type of tech.
Mike Burch and his team took the time to evaluate these lists and compile what we believe is a list to rule them all – the biggest threats to our products across the different technologies.
Top Ten Lists, Purpose, And the Makings Of Our Own
Top Ten Lists are created primarily to educate people on the most common and important security concepts for a given technology. They play a crucial role in ensuring that teams across the industry have a shared understanding of threats and generalized strategies to mitigate them.
Read More: The Value of Security Education for Developers
There are many similarities between the issues we face across application and product security. That is why you will often see overlap across the top ten lists within the industry. We hope that the Top Ten Master List can be used by anyone building products to gain a better understanding of the different security threats and mitigation strategies they should take.
Let’s Dive In!
1. Misconfigurations And Insecure Defaults
Lists Included: Web Apps, IoT, Mobile, Docker, API, Embedded
Allowing products to go out without being hardened or secured. One of the most significant issues is that organizations pull a product out of the box without changing the defaults. These defaults will be wide open to attacks. This top ten item includes insecure default configurations on operating systems, frameworks, libraries, and applications and a lack of implementation of environmental security guidelines.
Mitigation strategies include:
- Implement a repeatable hardening process
- Products should ship in a secure default state
- Embrace the fail-safe architecture
2. Broken Authentication
Lists Included: Web Apps, IoT, Mobile, Docker, API, Embedded
This is not about the authorization (what I’m allowed to do); it’s about the authentication (who I am), so this list item is about breaking into a system by pretending to be someone I’m not, including incorrect implementation of authentication application functions and session management.
Mitigation strategies include:
- Enforce authentication on the server-side/backend
- Enable multi-factor authentication
- Leverage vetted libraries for authentication over self-implementations
3. Insecure Network Services and Communication
Lists Included: Web Apps, IoT, Mobile, Docker, API, Embedded
This deals with unneeded insecure network services and things that allow remote control on a system, the vulnerable exchange of data between clients and servers, the assumption of trust between resources on the network, and side-channel vulnerabilities.
Mitigation strategies include:
- Apply TLS to transport channels
- Use robust and industry-standard cipher suites with appropriate key lengths
- Protect remote control services with strong authentication and cryptographic controls
4. Sensitive Data Exposure
Lists Included: Web Apps, IoT, Mobile, Docker, Embedded
When we have sensitive data, we have to ensure those who shouldn’t have access don’t have access.
This top eleven item includes improperly protecting sensitive data, such as financial, healthcare, and PII, while in use, at rest, and in transit.
Mitigation strategies include:
- Classify data and know what you’re storing and why
- Encrypt all sensitive data at rest and in transit
- Threat model to look for aggregated exposure of sensitive data
5. Third-Party Software
Lists Included: Web Apps, IoT, Mobile, Docker, Embedded
This encompasses all of our software supply chain vulnerabilities, such as libraries, frameworks, and other software modules used within an existing system and containing known vulnerabilities.
Mitigation strategies include:
- Continuously inventory the versions of both client-side and server-side components and their dependencies using analysis tools
- Only obtain components from official sources as signed packages over secure links
- Implement a process to vet all third-party components before use
6. Broken Authorization
Lists Included: Web Apps, Mobile, API, Embedded
When someone wants to do something in my system, I should be doing check to make sure you should be in the system. A lack of adequate enforcement of authenticated user activity restrictions allowing access to unauthorized user and admin functionality and data.
Mitigation strategies include:
- Deny by default and implement authorization centrally
- Verify roles and permissions on the server side and never trust security information from the client side
- Ensure to check authorization before execution of any sensitive function
7. Insecure Update and Patch Process
Lists Included: Web Apps, IoT, Docker, Embedded
This goes back to maintaining a system to keep it as secure as the date it was created, but also in the future. This can range from a lack of ability to patch—security vulnerabilities to compromised software in the update chain.
Mitigation strategies include:
- Secure design is critical to ensure there is a plan in place to push security updates and patches
- Use digital signatures and integrity checks to ensure updates and patches have not been tampered with
8. Lack of Validation
Lists Included: Web Apps, Mobile, Embedded
This top ten item includes many items, including command injection, SQLi, XSS, XXE, insecure deserialization, and business logic exploits from input that is not validated before being put into the system.
Mitigation strategies include:
- Practice ‘safe list’ input validation
- Always validate data from untrusted sources before using it
- Use LIMIT1 With SQL to minimize blast radius
9. Missing Resource and Rate Limiting
Lists Included: Docker, API, Embedded
The lack of capability to handle large amounts of attack traffic or requests, manipulation of an interface to return unreasonable amounts of data, and the usage of a given security feature multiple times with no limitations or the exhaustion of resources.
Mitigation strategies include:
- Architect infrastructure to handle large influxes of attack requests
- Threat model and examine features that use rates and resources
- Server-side ‘safe-list’ input validation
10. Logging And Exception Limitations
Lists Included: Web Apps, Docker, API
Logging and exceptions cover properly tracking what is happening in your system. These limitations allow attackers to attack systems further, maintain persistence, pivot to more systems, and tamper, extract, or destroy data without knowledge from a security operations center or the developers.
Mitigation strategies include:
- Log all knowledge of authentication and authorization failures
- Establish effective monitoring and alerting of suspicious activities that are detected
- Use a Security Information and Event Management System to manage all logs from components
What Lists Are You Watching?
By creating this master top ten list, we hope to continue to embrace the commonalities and work to secure your products and apps, regardless of where they fall on the technology spectrum.
You can learn more about our recommended mitigation strategies from Mike Burch on his webinar – Top 10 Biggest Security Threats to Your Products. You can teach mitigation strategies with Security Journey’s enterprise-class application security training content; learn more today.
