The OWASP Top 10 document details the top 10 web application risks security professionals and organizations should look out for and address. Not long ago, the OWASP community updated its list for the first time in four years. Let’s see what the changes are and how identity-based access can help protect against the biggest risks.
To read more about OWASP Top 10 and why it’s important, click here.
OWASP (Open Web Application Security Project) is a non-profit, open and online community for sharing knowledge and resources. Every few years, the community publishes a list of the most prevalent web application risks, alongside remediation suggestions. This actionable list is considered an industry consensus and by following it, engineering and security professionals can help ensure their organizations’ applications are not at risk.
The updated OWASP Top 10 list was created based on a new methodology: more than 1.5 million data points were analyzed, and survey data from security professionals was also included. This resulted in a new understanding of the most important web application security threats today.
Broken Access Control [MOVED UP] – Access control to functions and data that isn’t enforced
Cryptographic Failures [MOVED UP & UPDATED] – Sensitive data that is exposed due to cryptography issues
Injection [MOVED DOWN] – SQL, NoSQL, OS and LDAP injections. Read more here.
Insecure Design [NEW] – Design flaws that require threat modeling, reference architectures and secure design patterns and principles
Security Misconfiguration [MOVED UP & UPDATED] – Configurations that are outdated, incomplete or misconfigured. Also includes the previous Sensitive Data Exposure – XML External Entities category – Disclosure of internal files by external entities in XML processors
Vulnerable and Outdated Components [MOVED UP] – Running vulnerable components that have application-level privileges.
Identification and Authentication Failures [MOVED DOWN] – Incorrect implementation of authentication methods. Read more here.
Software and Data Integrity Failures [NEW] – Assumptions related to critical data and lack of integrity verification of CI/CD pipeline. Also includes the previous Insecure Deserialization category – flaws leading to remote code execution, injection attacks, and more.
Security Logging and Monitoring Failures [MOVED UP & UPDATED] – Lack of auditing and incident response tools that impact visibility, forensics and alerts.
Server-Side Request Forgery [NEW] – Inducing a server side application to make requests to a location unintended by the user.
Vulnerabilities removed from the new list:
Cross-Site Scripting XSS – Flaws due to data not being validated
Identity-based access ensures that every user and device is verified before they are given access to network apps and assets. Instead of granting access based on inherited parameters like network origin or domain membership, identity-based access – as it names implies – authorizes and then continuously authenticates users based on their identity.
As a result, identity-based access can help prevent attacks listed in the OWASP Top 10. This is thanks to the continuous verification mechanism as well as the inability of attackers to gain visibility into potential OWASP application vulnerabilities. Perimeter-based solutions, by marked contrast, lack ongoing authentication and provide much greater visibility (potentially, even full visibility) for attackers who manage to enter the system. Sometimes, users are even tunneled in, as is the case with VPNs.
In addition, identity-based access enables the adding of stronger security controls. These controls serve as an extra security layer for reducing the attack surface and protecting from OWASP security risks. These include:
WAFs (Web Application Firewalls) – WAFs filter, monitor and block traffic to applications. They can help protect from injections (3), XML external entities (5), insecure deserialization (8) and using vulnerable components (6).
SSO – (Single Sign-On) – SSO, an authentication method that enables logging in with one set of credentials, helps prevent authentication errors (7).
RBAC – Role-based access control (RBAC) restricts system access for unauthorized users and helps prevent broken access control (1). Coupled with virtual patching, RBAC also prevents sensitive data exposure (2) security misconfigurations (5) and server-side request forgery (10).
Auditing and logging – Identity-based access solutions monitor, audit and record user actions in the network. This provides visibility, enables tracing suspicious actions and remediating issues to prevent insufficient logging and monitoring (9).
Security by design – Identity-based access provides security by design at minimum effort for all systems and applications, and including cases where the system protected is insecure. This aligns to the need for dealing with insecure design (4).
Identity-based verification – Identity-based access helps prevent failures and integrity issues (8).
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.