If you are interested in cybersecurity issues, you’ve probably seen a reference to the OWASP Top 10. But what is OWASP? The Open Worldwide Application Security Project (OWASP) is an online community founded in 2001 that has become highly influential in the realm of web application security. A non-profit group called The OWASP Foundation is the official organization behind OWASP, but it is better known for the contributions of its community members. Comprised of cybersecurity professionals, researchers, and enthusiasts, the community helps craft the OWASP Top 10, a list of the most critical web application security risks.
The OWASP Top 10 was first published in 2003 and is updated every three to four years. As the OWASP Top 10 – 2021 was the first update since 2017, you can expect to see the next version in 2024 or 2025. OWASP also publishes other interesting lists to the cybersecurity community, such as the OWASP Mobile Top 10. The OWASP Top 10 API Security Risks – 2023 is the group’s most recent release, highlighting several broken authentication OWASP discoveries. (OWASP, 2023)
Even though the main OWASP Top 10 hasn’t been updated for a couple of years, each item is still relevant today. Below is a look at the vulnerabilities detailed in the most recent OWASP Top 10 Vulnerabilities and some potential mitigation methods.
The OWASP Top 10 and Possible Mitigations
The OWASP Top 10 – 2021 follows the organization’s long-standing tradition of grouping known vulnerabilities under broad category headings. In doing so, OWASP says its list represents a consensus of the most crucial web application security risks. (OWASP, 2021) The individual vulnerabilities are called “Common Weakness Enumerations” (CMEs), and each CME is mapped to a category.
For example, under the category of Broken Access Control OWASP collected 34 CMEs. It’s important to keep the CME-category relationship in mind when discussing possible mitigations. While each mitigation listed below is general guidance for the listed category, specific vulnerabilities might be better suited to a mitigation unique to the CME. With that in mind, here are the most recent OWASP Top 10 Vulnerabilities:
1. Broken access control
Under the category of broken access control OWASP includes any vulnerabilities that fail to restrict user access properly. These weaknesses allow access to resources and actions that users are authorized for. This category rose from fifth place in 2017 to the top spot of the 2021 list of vulnerabilities (OWASP, 2017). This reflects the widespread prevalence of access control issues on the web.
Web developers can fix these vulnerabilities by implementing proper access control based on the user’s role and authorized set of permissions. Additionally, regular access control checks can be added to web code.
2. Cryptographic failures
The cryptographic failures category was known as “sensitive data exposure” on the 2017 OWASP Top 10 Vulnerabilities. Since cryptography is used to protect data resources, the new category name more accurately reflects the range of problems. Among the issues are weak SSL/TLS implementations, insecure password storage, and the use of older and compromised encryption methods.
Mitigation methods include using stronger encryption protocols and performing regular vulnerability assessments. Older encryption methods should be deprecated in favor of newer protocols.
Previously number one on the OWASP Top 10 SQL injection vulnerabilities are now categorized simply as “injection.” That’s because the category now includes cross-site scripting weaknesses, which was number seven on the 2017 OWASP Top 10 Vulnerabilities. LDAP injection, XML injection and similar attack vectors are now included in the category.
Possible mitigations include parameterized queries or prepared statements to prevent SQL injection. Input validation can also help with all forms of injection.
4. Insecure design
A new category for the OWASP Top 10 Vulnerabilities – 2021, insecure design covers any flaws in application architecture that can be exploited. Following application design best practices and implementing threat modeling can minimize design exploits.
5. Security misconfiguration
Like insurance design, security misconfiguration is a broad category. It now includes the XML external entities (XME) category from OWASP Top 10 Vulnerabilities – 2017.
Unpatched vulnerabilities, unprotected directories, the user of default configurations and unapplied patches are some of the most common security misconfigurations. Following cybersecurity best practices will mitigate nearly all misconfiguration vulnerabilities.
6. Vulnerable and outdated components
Web applications depend on third-party frameworks and libraries, as do the web servers they run on. Failure to apply security patches for these components can leave a web app vulnerable to attacks. Similarly, outdated components that their developers have abandoned can pose significant security risks.
Keep server software and components updated to mitigate these vulnerabilities. Make sure you’re aware of vulnerability announcements by setting up alerts or following component developers on social media.
7. Identification and Authentication Failures
Improper identity management and authentication systems allow malicious actors to pose as other users. Hackers who exploit these vulnerabilities gain access to sensitive data, such as financial records or intellectual property.
Multi-factor authentication within applications and proper identity and access management (IAM) practices can help mitigate vulnerabilities in this category.
8. Software and data integrity failures
Another new category for the OWASP Top 10 Vulnerabilities list, this includes weaknesses that may arise from insecure software development practices. Insurance DevOps practices and poor database administration are among the bad practices included under this heading. Following industry best practices is the best mitigation against software and data integrity failures.
9. Security logging and monitoring failures
Failure to monitor logs and respond to related alerts lead to vulnerabilities in this category. Suspicious login attempts and other potentially malicious activity goes unnoticed, leading to hackers chipping away at a web app’s security architecture. To mitigate these issues, admins should use properly configured log monitoring and analysis tools.
10. Server-side request forgery
This vulnerability, commonly known as SSRF, opens the door for bad actors to make unauthorized server requests and access sensitive resources. In the worst cases, a hacker may gain full administrative control over a web server and access all data on a system.
To mitigate SSRF attacks, developers should follow web programming best practices such as input validation and whitelisting authorized users.
Learn to Fight the OWASP Top Ten with a C|PENT Certification
Web applications are a part of our everyday lives. The convenience of accessing apps from anywhere and at any time helps streamline business processes and enables a global workforce. However, web application security is full of potential dangers.
That’s why the OWASP Top 10 Vulnerabilities list is so important. As developers and administrators become more aware of the vulnerabilities, they are more likely to secure their apps. The list provides essential context to the most critical threats and allows cybersecurity professionals to implement a defense. If you’ve wanted to break into the world of cybersecurity to fight vulnerabilities on the OWASP Top Ten, consider the Certified Penetration Testing Professional (C|PENT) program from EC-Council.
This hands-on, practical certification course doesn’t just teach you penetration testing. The C|PENT helps you build a strong career by covering key web application security concepts. You’ll learn how hackers evade defense mechanisms and exploit vulnerabilities and then apply your skills to help defend web servers and apps.
OWASP (2017). OWASP Top Ten 2017 https://owasp.org/www-project-top-ten/2017/Top_10
OWASP (2021). OWASP Top Ten, https://owasp.org/www-project-top-ten/
OWASP (2023). OWASP Top 10 APi security risks – 2023. https://owasp.org/API-Security/editions/2023/en/0x11-t10/
About the Author
Leaman Crews is a former newspaper reporter, publisher, and editor with over 25 years of professional writing experience. He is also a former IT director specializing in writing about tech in an enjoyable way.