What’s Next? – OWASP Top 10 2021

Due to the urgent context changes in our work and life today, resilience and adoption were amongst our most essential attributes to utilize. One of the effects of these changes peaked in a never-seen digital transformation (e.g., zoom boom). This transformation is viable only if it stands on solid foundations. Security is one of the main building blocks that also requires adoption, reconsideration from our side.

Top 10 OWASP Vulnerabilities‌

A recent, non-official proposal from Ivan Wallarm for OWASP top 10 inspired us to take a look at this famous project once again which influences our tech industry so much. Adoption and resilience are impossible without honestly admitting that security is still considered a stepchild. This fact is also highlighted by a recent FOSS (Free and Open Source Software) survey concluding that contributors spend less than 3% of their time on security issues. The threat vectors of the OWASP list are coming from various sources including security vendor reports and bug bounties. We have to wait for the official candidates, though the dataset is already in place as Martin Knobloch, a member of the OWASP Global Board, shared it with us. Ivan’s non-official proposal for OWASP top 10 2021 brings only a few changes and plays more with the priorities. Let’s go deeper to reveal why.

Ivan Wallarm’s non-official proposal for OWASP top 10 2021

A1 Injections

Interestingly, injections are still leading the list due to a large number of legacy systems we need to maintain as Martin highlighted. Modern software is typically armored by frameworks, libraries, and programming languages (e.g., ORMs, LINQ for C#) to protect against A1 to a certain extent. Still, even these aids may fail to provide a complete solution as emphasized in a Snyk post by Guy Podjarny.

A2 Broken Authentication

Broken authentication is not only about credential misuse (e.g., using stolen usernames and passwords) as one might interpret it, but also refers to attacks exploiting session management (e.g., session hijacking, fixation attacks) that entitles miscreants to act on behalf of an impersonated user. The exposure of our systems has saturated even more today with the increasing popularity of identity-as-a-service platforms such as Auth0 or Okta. This recognition is also reflected by the possible weaknesses of these platforms as proved by authentication bypass attacks such as improper JSON Web Token invalidation found in Auth0 earlier in 2018.

A3 Cross-site Scripting (XSS) /A7 in the 2017 list/

“XSS is dead. We just don’t get it.”

as highlighted by Mario Heiderich, security researcher and founder of Cure53, in his talk on Appsec EU 2018. Still, for various reasons XSS is amongst the most popular attack vectors today that affected even the biggest names in the industry (e.g. XSS on Google Search). A successfully executed XSS attack allows malicious actors to masquerade as legit users and use their privileges for lateral movement and/or sensitive data exposure. In 2020, companies paid 4,2M USD for XSS bounties via the HackerOne bug bounty platform exceeding last year’s spendings by 26%.

A4 Sensitive Data exposure /A3 in the 2017 list/

Security breaches mostly end up in this category (e.g., 10.88 billion records from CAM4 in March 2020 ). Due to the lack of or weakly configured encryption algorithms, and misunderstood threat models, attackers can get access to private data in transit or at rest. There are various technical (e.g., use of strong encryption algorithms) and non-technical initiatives ( e.g., GDPR, CCPA) to alleviate this issue. Troy Hunt’s “Have I been pwned” site is another approach as well as a great source of information that helps determine whether our email address was part of any security breach.

A5 Insecure Deserialization (merged with XXE) /A4 and A8 in the 2017 list/

Insecure Deserialization exploits the process of transforming structured data (e.g., typically JSON, XML) into objects (e.g. Java Objects). Conceptually, XML eXternal Entities (XXE) is very similar to that. That’s why Ivan suggested merging them, though they are radically different from a defense point of view as Jim Manico, a secure coding instructor at Manicode Security, highlighted it. The exploitation of this category is not that wide compared to other vectors, still, the impact can be as serious as Remote Code Execution (e.g. CVE-2018-7489).

A6 Broken Access Control /A5 in the 2017 list/

Broken Access Control as we explain it with a bit more details in our earlier post is a type of vulnerability that allows attackers to trick authorization mechanisms to gain access to limited resources. Authorization problems are more difficult to detect automatically so it is quite hard to tell the real exposure of this threat. One of the biggest problems is the lack of centralized authority checks (e.g., ad-hoc annotations and “if” conditions cause serious complications) which could provide a single entry to our resources. A great example of Broken Access Control was found recently by Rahul Kankarle in the Workplace app of Facebook.

A7 Insufficient Logging and Monitoring /A10 in the 2017 list/

Insufficient logging and monitoring are not vulnerabilities on their own, however, they amplify the damage attackers may cause. The notorious Solarwinds breach is just one of many examples of highly sophisticated APTs (i.e. Advanced Persistent Threats) where attackers could stay under the radar for months causing enormous damage meanwhile. For this reason, the better the monitoring system we implement and maintain (e.g. with low false hits), the more apt we are to act upon such breaches.

A8 Server-side Request Forgery (SSRF) /NEW candidate/

This threat vector is getting more and more popular today where attackers enforce HTTP requests on behalf of an application server to access internal or external resources. As the request itself is coming from a legitimate source, applications may not take care of it (e.g., visiting an internal admin site from localhost). To understand better why SSRF is a new candidate in Ivan’s top 10, it is worth checking out this recent $10K bounty found on Facebook. Here, for example, malicious users could have sent requests to the Facebook corporate network, which doesn’t sound uplifting from a defense point of view.

A9 Known Vulnerabilities /No change/

Most of our software depends on 3rd-party components. According to the earlier mentioned FOSS survey, “it has been estimated that FOSS constitutes 80-90% of any given piece of modern software.” It doesn’t matter what stronghold we build to protect our applications (e.g., proper containerization, perimeter security, and so on) if the core of the problem lies within the application itself. A successfully executed attack can access all the resources that the infected software can under normal circumstances. Known vulnerabilities are low-hanging fruits for script kiddies also, still, their impact can be devastating. See the Equifax breach from 2018 as a reference point.

A10 Security Misconfiguration /A6 in the 2017 list/

Security misconfiguration is not a novel idea, it has been with us since modern computer science exists. Still, the recent shift towards cloud-native operation bubbled up various security issues fading a little bit the unquestionable advantages of fast deployment cycles, scalability, and reliability. It turns out that leaky AWS S3 buckets are a commodity nowadays exposing massive amounts of data “for public use”. On top of that, by the virtualization of hardware devices, we put more and more responsibility on our software and simultaneously opening the door to a wider range of attacks. Though, we automate almost every such configuration step with Infrastructure as Code tools (e.g. Terraform, Ansible), it seems that from a security point of view there is still a lot to do to avoid such mistakes.

Conclusion

Software security issues, like any other challenge in our lives, need to be handled at the right time to reduce the costs of remediation later on. An even wiser strategy is to think in advance by defining security KPIs using BSIMM, for example, to build a more robust software organization. Due to the popularity of OWASP top 10 though, many consider it as a checklist to fulfill so they can slip back to their ordinary convenience of ignorance. The value of the top 10 is indisputable, still, it won’t bring any fundamental changes on its own.
‌
What we need to do is to rinse and twist our processes a little bit to give a flourishing ground for developers to work at. We cannot blame them for not investing time into security until they lack the knowledge and opportunity to resolve problems in time. Most of our headache is rooted in a single term which is called afterthought. When a breach happens or a non-secure code is in the release pipeline already, it’s too late. We missed the opportunity to deliver more secure software. It doesn’t matter how we train, push, and squeeze our people from this point on, security will be an interrupt which naturally causes resistance. That’s why DevSecOps is a great idea, however, we couldn’t fit security training into this lifecycle yet.
‌
At Avatao, we believe in proactive, context-aware (e.g. related to the tasks of active sprint) and custom-tailored (i.e. technology-wise) training that brings no interruption in production. The key here is timing: learn security when designing a specific functionality. Simply because this is the very moment when ideas spark, and this is the moment when developers are willing to learn something new, including security. Delivering context-relevant training in this phase gives developers time to envision and implement software with a security mindset which finally brings a more joyful journey and product experience.