Equip your developers with relevant knowledge on OWASP Top 10 vulnerabilities
The OWASP Top 10 offers the most important guidelines for building and maintaining software with better security practices. When it comes to protecting our businesses, understanding these threat vectors leads to a more systematic approach. It also reminds us that security doesn’t stop here. At Avatao, we compiled several exercises that help our clients take a deeper look into the most common vulnerabilities reported by the OWASP community.
Topics developers can practice through real-life scenarios include:
1. Broken access control
Broken access control is a type of vulnerability that, due to restrictions not being properly enforced, allows attackers to gain access to restricted resources by tricking authorization mechanisms.
2. Cryptographic failures
Sensitive data exposure has been expanded to this category since 2017 as cryptographic failures such as the weak or incorrect use of hashing, encryption or other cryptographic functions were the real root causes of this problem.
3. Injection
Injection flaws such as SQL, NoSQL, or OS command injection happen when untrusted data is sent to an interpreter as part of a command or query. The attacker’s data can make the interpreter execute unintended commands or access data without authorization. Cross-site Scripting (XSS) is now part of this category as well.
4. Insecure design
When secure design patterns, principles, and reference architectures are used weakly or not at all, serious weaknesses and flaws stay under the surface no matter how perfectly we implement the software. This new category in 2021 also includes threat modeling, an essential tool for identifying security issues in the earliest phase.
5. Security misconfiguration
Incomplete and rarely updated configurations, open cloud storage, and error messages containing sensitive information often lead to security issues. XML External Entities (XXE) is now merged into this category.
6. Vulnerable and outdated components
This category was renamed from “Using components with known vulnerabilities”. Outdated open-source and third-party components open up various attack vectors. APIs and applications that use components with known vulnerabilities can have their defenses undermined, leading to a variety of attacks.
7. Identification and authentication failures
This category was previously known as “Broken Authentication”. When an application’s authentication functions are not implemented properly, attackers can misuse passwords, session tokens, or keys, and take advantage of other flaws to impersonate other users.
8. Software and data integrity failures
If the integrity of software updates and CI/CD pipelines is not verified, malicious actors can alter critical data that affects the software being updated or released. The earlier entry “Insecure Deserialization” was also merged into this category.
9. Security logging and monitoring failures
This category was previously called “Insufficient Logging & Monitoring”. When logging and monitoring are weak, attackers can stay under the radar for months and cause enormous damage. Meanwhile, they open the door to further exploitation of systems and to tampering with, extracting, or destroying data.
10. Server-side request forgery
This threat vector, in which attackers coerce an application server into making requests on their behalf to reach internal or external resources, is becoming more and more common. Because the request comes from a legitimate source, applications may not take any notice of it (e.g., a request to an internal admin site from localhost).
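As an added example (not part of Avatao’s page or training material), a destination check of the kind that stops the localhost case above: the URL is only fetched if its scheme is HTTP(S), it carries no credentials, and every address the host resolves to is public. The function names and the sample hostnames are constructed for illustration; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_internal(ip) -> bool:
    # ipaddress classifies loopback (127/8, ::1), RFC 1918 space, link-local
    # (including the 169.254.169.254 cloud metadata endpoint) and more.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA record for host (constructed wrapper)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ssrf_check(url: str, resolver=resolve_all) -> tuple:
    """Return (allowed, reason) for a server-side fetch of url.

    In production, connect to the address that was validated here rather than
    re-resolving the hostname, otherwise a changing DNS answer can bypass it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False, "loopback hostname"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, IPv6 in [...] included
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
        if not addrs:
            return False, "unresolvable host"
    # One internal record among the answers is enough to deny the request.
    for ip in addrs:
        if _is_internal(ip):
            return False, f"internal address {ip}"
    return True, "ok"
```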
Learn more about OWASP topics
Find out more about the OWASP Top 10 security topics Avatao covers, and try related exercises:
Get started with OWASP Top 10 training
Get in touch with our team and find out how your development team can benefit from an OWASP Top 10 training.
Copyright © 2022 Avatao