OWASP Celebrated Their 20th Anniversary Last Week By Releasing a Brand New List Of Critical Security Risks For Web Apps

The OWASP Top 10 is the ultimate guide to the web application security risks that companies should address, and how to remediate them, ranked in order of risk. It’s easy to understand, it helps teams prioritize risk, and it’s actionable.

Let’s take a quick look at how OWASP explains their three new critical risk categories added for 2021:

  • Insecure Design: A focus on risks related to design flaws. It calls for further use of threat modeling, secure design patterns, principles, and reference architectures. One of the factors that contribute to insecure design is the lack of inherent business risk profiling in the software or system being developed, and thus the failure to determine, from the start, what level of security design is required.
  • Software and Data Integrity Failures: Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, and system compromise. Lastly, as OWASP writes, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations, similar to what we saw in the SolarWinds attack.
  • Server-Side Request Forgery: Interestingly, this category represents a scenario that the security community is telling us is important, even though it’s not illustrated in the data at this time. SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
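The integrity failures described in the second bullet come down to one missing step: checking a fetched artifact against a digest that was obtained from a trusted source before trusting it. The following is an added example, not OWASP's code or any particular project's implementation, showing that step in two forms: a Subresource Integrity (SRI) style check for a script pulled from a CDN, and a pinned SHA-256 check for an auto-update package. It assumes the expected digests arrive out of band (a lockfile or a signed release manifest); the sample bytes are constructed.

```python
"""Integrity checks for third-party artifacts (added example, not OWASP's own code).

Two checks that address the "Software and Data Integrity Failures" category:
  * an SRI-style digest ("sha256-<base64>") for a script fetched from a CDN;
  * a pinned SHA-256 hex digest for an auto-update package, enforced before
    the package can reach the install step.
Expected digests are assumed to come from a trusted, out-of-band source
(a lockfile or a signed release manifest). All sample data is constructed.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones SRI permits


def sri_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return an SRI integrity value, e.g. "sha256-<base64 digest>", for `data`."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check fetched `data` against an SRI value (as in <script integrity="...">).

    Malformed values and unknown algorithms fail closed. The comparison is
    constant-time so the check does not leak how much of the digest matched.
    """
    algorithm, _, expected_b64 = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, expected)


class IntegrityError(Exception):
    """Raised when an update package does not match its pinned digest."""


def verify_update(package: bytes, pinned_sha256_hex: str) -> bytes:
    """Return `package` only if its SHA-256 matches the pinned hex digest.

    The installer is given only the returned bytes, so a tampered or
    substituted download can never be applied.
    """
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256_hex.lower()):
        raise IntegrityError("update package digest mismatch; refusing to apply")
    return package


if __name__ == "__main__":
    # Constructed sample: a "script" served from a CDN and its pinned SRI value.
    script = b"console.log('hello');"
    pinned = sri_digest(script)
    print("genuine script verifies:", verify_sri(script, pinned))
    print("tampered script verifies:", verify_sri(script + b"//x", pinned))

    # Constructed sample: an update blob and the digest published with it.
    update = b"constructed update payload"
    published = hashlib.sha256(update).hexdigest()
    verify_update(update, published)
    try:
        verify_update(update + b"\x00", published)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The digest must not travel with the artifact it protects (a hash served from the same untrusted CDN proves nothing); SRI works because the value is embedded in the page you control, and update pinning works because the digest is taken from a manifest whose authenticity is established separately.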
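The SSRF bullet names the missing control precisely: the server fetches a remote resource without validating the user-supplied URL. The following is an added example, not OWASP's code or any project's implementation, of the validation a server-side fetcher should run first. It enforces an allowed scheme, no embedded credentials, no IP literals, an explicit hostname allow-list and an allowed port, then resolves the name and refuses any answer that is not a public address (which covers loopback, private ranges, and the link-local space where cloud metadata services live). The resolver is injectable, and `FAKE_DNS` and `fake_resolver` are constructed stand-ins so the policy can be exercised offline.

```python
"""Validating a user-supplied URL before the server fetches it.

Added example (not OWASP's own code) for the SSRF category above. The policy:
  * only http/https, no credentials in the URL, no IP literals;
  * the hostname must be on an explicit allow-list, on an allowed port;
  * every address the name resolves to must be public (rejects loopback,
    RFC 1918 private ranges and link-local space, which includes the cloud
    metadata address 169.254.169.254).
The resolver is injectable so the policy can be exercised offline; FAKE_DNS
below is constructed test data, not real DNS.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


class UnsafeURL(ValueError):
    """Raised when a URL fails the outbound-fetch policy."""


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA answer for `host` from the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, allowed_hosts: Iterable[str],
                          resolver: Resolver = system_resolver,
                          allowed_ports: Iterable[int] = (80, 443)) -> str:
    """Return a pinned "scheme://ip:port/path?query" target, or raise UnsafeURL.

    The caller connects to the returned IP (still sending the original
    hostname in the Host header / SNI), so the address that was checked is
    the one used; re-resolving at connect time would reopen a DNS-rebinding
    gap between validation and connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme {parts.scheme!r} is not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in the URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UnsafeURL("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as required
    else:
        raise UnsafeURL("IP literals are not allowed; use an allow-listed hostname")
    if host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeURL(f"host {host!r} is not on the allow-list")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL("invalid port") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in set(allowed_ports):
        raise UnsafeURL(f"port {port} is not allowed")
    try:
        addresses = resolver(host)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise UnsafeURL(f"no address for {host!r}")
    for addr in addresses:  # one bad answer is enough to refuse the fetch
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    target = ipaddress.ip_address(addresses[0])
    ip_text = f"[{target}]" if target.version == 6 else str(target)
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{ip_text}:{port}{parts.path or '/'}{query}"


# Constructed DNS answers for offline demonstration (not real hosts or records).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "metadata.example.com": ["169.254.169.254"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver that answers from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    allow = list(FAKE_DNS)  # every constructed name is allow-listed; DNS decides
    for candidate in ["https://images.example.com/logo.png?size=64",
                      "http://intranet.example.com/", "http://metadata.example.com/",
                      "http://rebind.example.com/", "http://169.254.169.254/",
                      "http://images.example.com@intranet.example.com/"]:
        try:
            print("ALLOW", validate_outbound_url(candidate, allow, fake_resolver))
        except UnsafeURL as exc:
            print("DENY ", candidate, "->", exc)
```

Two caveats that the validator alone does not cover: the HTTP client must not follow redirects automatically (or must run this check again on every hop, since a redirect to an internal address is the classic bypass), and the allow-list should stay short and specific, because a broad one reduces the check to the resolved-address test.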

The OWASP mission is to improve software security through open source initiatives and community education.

Catch up with the full OWASP Top 10 here:
https://owasp.org/www-project-top-ten/