OWASP Top 10 2021: What’s changed?

The OWASP Top 10 is a list for IT developers that provides an overview of the most critical security risks to web applications. The list is created based on data analytics as well as survey results from IT security professionals. This data includes 2 million security reports from 144 public sources, including CVE bulletins, bug bounty reports, and vendor security bulletins. OWASP also uses social media channels, a project website page, and corporate partnerships to solicit data. Such partnerships include organizations testing vendors by trade, bug bounty vendors, and firms contributing internal testing data.

About OWASP Top 10

Companies in every industry are incorporating insights from the OWASP Top 10 list into their security protocols and training to ensure risk management. If you’re charged with securing IT for your organization, integrating the OWASP Top 10 into your software development culture is foundational. The OWASP Top 10 provides insights into risk assessments and vulnerability management. It is regularly consulted by IT professionals for education purposes.

OWASP Top 10 data collection was established at the Open Security Summit in 2017. OWASP Top 10 leaders, along with the security community, spent two days working out how to formalize a transparent data collection process. The Summit’s decision to include surveys instead of just relying on data reports was extremely important.

Since data alone is retroactive, new and emerging security risks may not be appropriately measured, as it takes time to integrate vulnerability tests into tools and processes. In fact, AppSec researchers note that reliably testing a weakness at scale can often take years.  To balance this, OWASP incorporates community surveys that ask application security and development experts on the front lines what they view as essential weaknesses. By incorporating surveys, OWASP can get a perspective of security threats in real time from the people who deal with them each and every day.

To analyze the data, OWASP aggregates it and runs a fundamental analysis of which common weakness enumerations (CWEs) map to risk categories. There is overlap between some CWEs that are very closely related (ex. cryptographic vulnerabilities). Because of this overlap, OWASP Top 10 is not a vulnerability classification, but rather a list of the risks that have been revealed.

OWASP Top 10 2017 categories overlaps

Data Factors

How does OWASP analyze their data? They look for the following indicators:

• CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
• Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that organization for that year.
• (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
• Weighted Exploit: The Exploit sub-score from the Common Vulnerability Scoring System 2 (CVSSv2) and CVSSv3 scores assigned to common vulnerabilities and exposures (CVEs) mapped to CWEs, normalized, and placed on a 10pt scale.
• Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
• Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
• Total CVEs: Total number of CVEs in the National Vulnerability Database (NVD DB) that were mapped to the CWEs mapped to a category.

The 2021 List

Data Gathering Changes

Previous data collection efforts were focused on 30 CWEs with a field asking for additional findings. However, when contributing data, organizations would often focus on just those 30 CWEs and rarely add additional CWEs they saw.

For the 2021 OWASP Top 10, respondents were simply asked for data, with no restriction on CWEs.

Surveyors were asked for the number of applications tested for a given year (starting in 2017), and the number of applications with at least one instance of a CWE found in testing.

This format allowed the prevalence of each CWE within the population of applications to be tracked.

Frequency was ignored as it only hid the actual prevalence in the application population. Whether an application has four or 4,000 instances of a CWE is not part of the calculation for the Top 10.

This change in methodology increased the number of CWEs from 30 to almost 400. This significant increase in the number of CWEs necessitates changes to how the categories are structured.

There are two types of CWEs: root cause and symptom. Root cause types are things like “Cryptographic Failure” and “Misconfiguration,” while symptom types would include “Sensitive Data Exposure” and “Denial of Service.” The Top 10 has always been a mix of both symptoms and root causes. CWEs are also a mix of symptoms and root causes.

However, OWASP tends to focus on the root cause whenever possible, as that makes more sense when you need to provide identification and remediation guidance.

There is an average of 19.6 CWEs per category in the 2021 installment, ranging from 1 CWE for A10:2021-Server-Side Request Forgery (SSRF) to 40 CWEs in A04:2021-Insecure Design. This updated category structure offers additional training benefits as companies can focus on CWEs that make sense for a language/framework.

Category Changes

A few categories have changed from the previous installment of the OWASP Top 10. Here is a list of the category changes and why they were made:

• A01:2021-Broken Access Control moves up from the fifth position to the category with the most serious web application security risk; the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

• A02:2021-Cryptographic Failures shifts up one position to #2, previously known as A3:2017-Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed name focuses on failures related to cryptography, which it only implicitly referred to before. This category often leads to sensitive data exposure or system compromise.

• A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, with a max incidence rate of 19% and an average incidence rate of 3.37%. The 33 CWEs mapped into this category have the second highest number occurrences in applications at 274k. In the new edition, Cross-Site Scripting is now part of this category.

• A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. Perfect implementation will not fix insecure design since by definition, needed security controls were never created to defend against specific attacks.

• A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.5%, and over 208k occurrences of CWEs mapped to this risk category. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for A4:2017-XML External Entities (XXE) is now part of this risk category.

• A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess the risk of. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

• A07:2021-Identification and Authentication Failures was previously Broken Authentication, and is sliding down from the second position. It now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

• A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on assumptions made related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.

• A09:2021-Security Logging and Monitoring Failures was previously A10:2017-Insufficient Logging & Monitoring and is added from the Top 10 community survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

• A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time. As Ivan Wallarm states in his OWASP Top 10 2021 proposal, “SSRF is a critical issue that causes cloud takeovers, remote code execution, data breaches, and other information security risks. It’s impossible to fix SSRF by input filtration and other data validation mechanisms. Amazon and other cloud providers take it seriously and apply changes to their infrastructures to mitigate these threats. SSRF issues mentioned in almost the same amount of security bulletins as XXE in the last three years.”

Source: https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/

Conclusions

It is essential to familiarize yourself with and build safeguards against the OWASP Top 10 Security Threats. The information seen in the reports can sometimes be difficult to understand and draining to read. Luckily, the foundations of OWASP’s list are integrated into Avatao’s exercises. After just a few tutorials and challenges, you’ll be well on your way to ensuring your organization is up-to-date on the latest security threats. Give Avatao a try today!