OWASP Top 10 2021 – This year OWASP, which stands for the Open Web Application Security Project, has released a new draft of its list of Top 10 vulnerabilities. In March 2021 our founder, Mr. Kaustubh Shinde, officially joined OWASP as a member, so we are sharing the details of the new installment for the year 2021.
Note: This is a draft released for peer review, and all credit for this information goes to OWASP and the countless organizations that donated the data behind the new OWASP Top 10 2021 list.
What’s new in this year’s OWASP Top 10 2021 list?
A01:2021-Broken Access Control – This year Broken Access Control has moved up from 5th position to 1st, as the analysis showed that 94% of the applications were tested for some form of broken access control vulnerability. Furthermore, the 34 CWEs mapped to this category had more occurrences in applications than any other category.
A02:2021-Cryptographic Failures – This category, previously known as “Sensitive Data Exposure”, has moved up from 3rd position to 2nd this year. Sensitive data exposure was in reality more of a broad symptom than the root cause itself, so this year the focus is on weaknesses in cryptography, which often lead to sensitive data exposure or system compromise.
A03:2021-Injection – Injection was in 1st position in the 2017 list; this year it slides down to 3rd. It was found that 94% of the applications tested were vulnerable to some form of injection attack, including cross-site scripting (XSS). OWASP therefore decided to fold XSS into the Injection category. The 33 CWEs mapped to this category have the second most occurrences across the applications tested.
A04:2021-Insecure Design – This is a new category for 2021, focusing on design flaws. With the MERN stack taking the development industry by storm, we have seen it grow more popular than the LAMP stack; furthermore, new technologies such as blockchain, AI and ML have given birth to decentralized applications and programs. Considering all this, if we genuinely want to improve the posture of web application security and cyber security as a whole, we should learn and adopt threat modeling, secure design patterns and principles, and reference architectures more than ever.
A05:2021-Security Misconfiguration – This category has moved up from 6th position to 5th. In the previous 2017 edition, 90% of the applications were seen to be vulnerable to some form of security misconfiguration, and with the industry moving towards highly configurable applications it is no surprise that misconfigurations are increasing, hence the rise in position. The former category XML External Entities (XXE) is now also part of this category.
A06:2021-Vulnerable and Outdated Components – This category was previously known as “Using Components with Known Vulnerabilities”. It is in 2nd position in the industry survey, but it also had enough data to reach 1st position in the Top 10 through data analysis. It moves up from 9th position to 6th this year; it is a known issue, but OWASP struggles to test for it and to assess the level of risk it poses. It is the only category without any CVEs mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into its scores. We believe the position of this category may change in the final release, but we have to wait for the results.
A07:2021-Identification and Authentication Failures – This category, previously known as Broken Authentication, slides down from 2nd position in the 2017 list to 7th in the 2021 list. It now also includes CWEs related to identification failures. It is still an integral part of the OWASP Top 10, but the growing availability of standardized frameworks seems to be helping.
A08:2021-Software and Data Integrity Failures – Another new category for 2021, focusing on assumptions made about software updates, critical data and CI/CD pipelines without verifying their integrity. This category has one of the highest weighted impacts from the CVE/CVSS data mapped to its 10 CWEs. Insecure Deserialization from 2017 is now also part of this larger category.
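To make the A08 point concrete, here is an added example in Python (not code from OWASP or from this post): an update is accepted only after a signed manifest and the artifact's SHA-256 digest are verified, contrasted with the anti-pattern of trusting whatever was downloaded. The artifact bytes, manifest and HMAC key are constructed, and HMAC stands in for a real release signature to keep the example self-contained.

```python
"""Verifying a software update before trusting it (A08:2021).

All sample data below is constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed update artifact, as it might arrive from a download step.
ARTIFACT = b"#!/bin/sh\necho 'installing app v1.2.3'\n"

# Constructed shared key used to sign the manifest. HMAC stands in for an
# asymmetric release signature here; the check structure is the same.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def build_manifest(artifact: bytes, version: str) -> dict:
    """Release-side: record the digest the deployer must see."""
    return {"version": version, "sha256": hashlib.sha256(artifact).hexdigest()}


def sign_manifest(manifest: dict) -> str:
    """Return an HMAC-SHA256 tag over the canonical JSON of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def apply_update_unsafely(artifact: bytes) -> bool:
    """The A08 anti-pattern: anything that downloaded is applied."""
    return len(artifact) > 0  # no integrity or origin check at all


def verify_update(artifact: bytes, manifest: dict, tag: str) -> bool:
    """Deployer-side: accept only if the manifest signature is valid AND the
    artifact digest matches the signed manifest. Both comparisons are
    constant-time so the check itself does not leak anything."""
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False  # manifest altered, or signed with a different key
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, manifest.get("sha256", ""))


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACT, "1.2.3")
    tag = sign_manifest(manifest)
    print("genuine update accepted:", verify_update(ARTIFACT, manifest, tag))
    print("modified artifact accepted:",
          verify_update(ARTIFACT + b"\n# tampered\n", manifest, tag))
```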
A09:2021-Security Logging and Monitoring Failures – Previously known as “Insufficient Logging & Monitoring” in the 2017 list, this category has moved up from 10th position to 9th this year. According to OWASP, it has been expanded to include more types of failures. It is challenging to test for and is not well represented in the CVE/CVSS data, but failures in this category directly impact visibility, incident alerting and forensics.
A10:2021-Server-Side Request Forgery (SSRF) – This category shows relatively low testing coverage compared with the categories above, along with above-average ratings for exploit and impact potential, which is why it sits in 10th position.
This is not the final release of the OWASP Top 10 2021 list; we believe the final release will have a considerable number of changes. To learn more about the methodology and process OWASP uses to determine the Top 10, refer to the official OWASP link – OWASP Top 10.