What is the Open Web Application Security Project (OWASP) Top 10 Risk List for Software Apps?
Building software products is inherently risky. Regardless of cloud providers and security vendors you might work with, the Web, as we know it, is a high-risk environment for software developers and applications.
Cybercrime is on the rise. Cybercriminals, whether organized gangs, professional criminal hackers (sometimes sold as Hacking as a Service), or unhappy employees and contractors, will always look for ways to weaken an organization's security.
Since the pandemic, cybercrime has been getting worse. Remote work, with all its benefits, opens up more avenues for cybercriminals to hack and scam their way into internal systems and software applications.
The Open Web Application Security Project® (OWASP) is a Foundation designed to change this, one application at a time. OWASP teaches developers, software engineers, IT leaders, software startup CEOs and CTOs, corporate IT teams, and anyone in this sector how to develop more secure software.
What Is OWASP?
OWASP Meaning
The Open Web Application Security Project® (OWASP) is a Foundation that aims to make the Internet safe using education, training and conferences, over 250 local chapters worldwide, and open-source tools to improve the security of software applications, and application development.
OWASP has tens of thousands of members worldwide, many of whom are actively developing software applications. There are also dozens of corporate sponsors in the technology sector, such as Salesforce and Bloomberg. OWASP has been around since 2001 and officially became a non-profit foundation in 2004.
OWASP's mission is to "enable developers to write better software, and security professionals to make the world's software more secure." Its goal is "no more insecure software", and it continues to focus its educational and open-source efforts on achieving that.
Now let's take a closer look at OWASP's list of the top 10 security risks software applications face.
The OWASP Top 10 Security Risks
OWASP Standards
According to the OWASP website, "Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."
"Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code":
1. Broken Access Control
Broken access control is the most common security weakness among software applications, based on OWASP's survey and testing of over 381,000 software products.
When access control is too weak, it allows for cybercriminals and hackers to get inside software applications: "Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits."
This is one of the main causes of data breaches and data theft, sometimes costing companies millions in damages and lost revenue. It all starts with access control. Fortunately, there are dozens of ways software firms can prevent an access control security failure. It's something IT teams need to test for on a regular basis, especially when any product updates have been implemented or when third-party applications are accessing your software through APIs and other channels.
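The failure OWASP describes is easiest to see in code. The following is an added illustration, not code from OWASP or from this page: a record lookup that trusts the id in the request (the broken version) next to one that checks, server-side on every call, that the caller owns the record or holds an admin role. The users, roles and invoice data are constructed.

```python
"""Object-level authorization check (OWASP A01). Added illustration with
constructed users and invoices; not code from OWASP or from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str            # constructed roles: "customer" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


# Constructed sample data: invoice id -> owner and amount.
INVOICES = {
    101: {"owner": 1, "amount": 120.00},
    102: {"owner": 2, "amount": 980.50},
}


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Broken access control: the id from the request is trusted on its own,
    so any authenticated user can read any invoice by changing the number."""
    return INVOICES[invoice_id]


def get_invoice(caller: User, invoice_id: int) -> dict:
    """Hardened version: deny by default, decide server-side on every call,
    and return the same error for 'missing' and 'not yours' so ids cannot be
    enumerated by comparing responses."""
    record = INVOICES.get(invoice_id)
    permitted = record is not None and (
        caller.role == "admin" or record["owner"] == caller.user_id
    )
    if not permitted:
        raise Forbidden(f"user {caller.user_id} may not access invoice {invoice_id}")
    return record


def can_access(caller: User, invoice_id: int) -> bool:
    """Convenience wrapper so the policy can be checked in a regression test."""
    try:
        get_invoice(caller, invoice_id)
        return True
    except Forbidden:
        return False
```

The `can_access` wrapper is the kind of function a team can call from automated tests after every release, which is the regular re-testing the paragraph above recommends: one assertion per role and record pairing catches a regression before a third party or an end user does.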
2. Cryptographic Failures
Cryptographic failure is the second most prominent software security failing, often seen as a broad symptom of wide-ranging weaknesses, rather than a root cause.
To prevent these sorts of security failures, OWASP recommends assessing the security needs of "data in transit and at rest."
There are numerous ways to mitigate the risk of cryptographic failures, such as:
- Not sending data over the Internet in a clear text, and therefore, easily readable format
- Reviewing old code and any outdated or weak cryptographic algorithms or protocols still in use
- Assessing whether a key management or rotation protocol is in place
- Checking that encryption and strong algorithms are actually enforced on every channel (e.g. HTTP, SMTP and FTP traffic, including TLS upgrades such as STARTTLS)
- Making sure that cryptographic protections align with the relevant data protection laws (e.g. GDPR, HIPAA, PCI DSS, etc.)
- Ensuring the validity of the server certificate and its trust chain
3. Injection
Applications are vulnerable to injection when untrusted input is passed into a command or query in a way that lets an attacker's data be executed as part of it, giving them a foothold to run code or extract data.
OWASP says that "Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection."
OWASP recommends reviewing source code, automated testing of every parameter, and "static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools into the CI/CD pipeline", to identify and reduce the risk of injections.
4. Insecure Design
Insecure design is a new top 10 security risk. OWASP recommends "more use of threat modeling, secure design patterns, and reference architectures."
OWASP sees this as a serious failing among so many software companies. The report continues: "One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required."
Secure design starts with a continuous assessment of potential software architecture and source code security risks in the early days of product development. Threat modeling should be built into design and development considerations, right from the start.
5. Security Misconfiguration
Misconfigurations are becoming more common among software applications, especially with the growing prevalence of highly configurable software.
One of the most common causes of this is software "missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services."
OWASP recommends implementing a "repeatable hardening process", with Development, QA, and production environments configured the same way, to prevent misconfigurations.
6. Vulnerable and Outdated Components
Outdated components and software features are vulnerable to cyberattacks. Software companies need to regularly review every component within the tech stack (client-side and server-side). It's also helpful to subscribe to the security bulletins for every component within your tech stack, so that you can be alerted quickly to any new vulnerabilities.
In addition, it's important to "fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion." Otherwise, you risk leaving the software vulnerable to security weaknesses for weeks or months before change control fixes are made.
7. Identification and Authentication Failures
Even now, identification and authentication failures are common among software applications.
Too many software products are still vulnerable to:
- Brute force attacks
- Credential stuffing (an automated form of attack)
- Weak or well-known passwords (e.g. "Password1")
- Weak and ineffective password recovery processes
Enforcing stronger passwords and using two-factor authentication are among the most effective ways to prevent identification and authentication failures.
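The four weaknesses in the list above map onto a handful of server-side controls. The following added example (not code from OWASP or from this page) shows them together: a check that rejects short or well-known passwords, salted slow hashing with a constant-time comparison, a dummy-hash path so that unknown usernames take as long as wrong passwords, and a lockout after repeated failures. The work factor, lockout policy and the small common-password set are constructed assumptions; a real deployment would size them for its own hardware and use a full breached-password list.

```python
"""Password storage and login throttling (OWASP A07). Added illustration;
the work factor, lockout policy and the tiny common-password list are
constructed assumptions, not OWASP's published values."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 200_000      # constructed PBKDF2 work factor; tune for your hardware
COMMON_PASSWORDS = {"password1", "123456", "qwerty", "letmein"}  # constructed stand-in list
MAX_FAILURES = 5          # constructed lockout threshold
LOCK_SECONDS = 15 * 60    # constructed lockout duration


def password_acceptable(pw: str) -> bool:
    """Reject short and well-known passwords before they are ever stored."""
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS


def hash_password(pw: str, salt: bytes = None) -> str:
    """Salted, deliberately slow hash so a leaked table cannot be reversed quickly."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the username is unknown, so a missing account takes
# as long as a wrong password and usernames cannot be enumerated by timing.
_DUMMY_HASH = hash_password("dummy-password-for-unknown-users")


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can advance time
        self.users = {}                     # username -> stored hash
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unix time lock expires

    def register(self, username: str, pw: str) -> None:
        if not password_acceptable(pw):
            raise ValueError("password too short or too common")
        self.users[username] = hash_password(pw)

    def login(self, username: str, pw: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; never says which part was wrong."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        stored = self.users.get(username)
        matched = verify_password(pw, stored or _DUMMY_HASH) and stored is not None
        if matched:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCK_SECONDS
        return "denied"
```

A second factor would sit after `login` returns `"ok"`, before a session is issued; the lockout counter is what blunts brute force and credential stuffing, and the rejection in `register` is what keeps "Password1" out of the database in the first place.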
8. Software and Data Integrity Failures
Software that uses plugins, libraries, modules from third parties, and Content Delivery Networks (CDNs) that update automatically — without any integrity validation — exposes users and the company to countless serious security risks.
As OWASP says: "An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise."
Vetting sources and libraries and using digital signatures to verify the validity and security of any third-party code or plugin is essential to safeguard your application. Also, using software security supply chain tools (such as OWASP Dependency Check or OWASP CycloneDX) is an effective way to verify that components don't contain vulnerabilities or known weaknesses.
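The integrity validation the paragraph above calls for, for the CDN case, is what a browser does with a Subresource Integrity (SRI) attribute, and the same hash-pinning idea applies to any downloaded dependency. The following is an added example (not code from OWASP, this page, or the tools named above) that computes and verifies SRI values and checks a set of fetched components against a pinned manifest; the script bodies and the manifest are constructed.

```python
"""Integrity checks for third-party code (OWASP A08): computing and verifying
Subresource Integrity (SRI) values and pinned hashes for dependencies.
Added illustration with constructed file contents and a constructed manifest."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the algorithms the SRI spec permits


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True only if the fetched bytes match the pinned integrity value."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algorithm), integrity)


def check_manifest(manifest: dict, fetched: dict) -> list:
    """Compare every fetched component against its pinned value and return the
    names that are missing or tampered, so the build can fail closed."""
    problems = []
    for name, pinned in manifest.items():
        body = fetched.get(name)
        if body is None or not verify_sri(body, pinned):
            problems.append(name)
    return problems
```

In a CI/CD pipeline `check_manifest` runs after dependencies are fetched and before anything is built; a non-empty result fails the job. The manifest itself must be committed and reviewed like code, because an attacker who can edit the pinned hash along with the artifact has defeated the check.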
9. Security Logging and Monitoring Failures
When software companies don't monitor and respond to active breaches, they leave themselves and users vulnerable.
Developers need to implement a range of measures so that suspicious logins, bursts of failed login attempts, and attackers probing the login system with malicious input are detected automatically and can be acted on.
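Detecting "too many failed login attempts" needs more than a counter, because a slow attacker stays under any fixed total. The following added example (not code from OWASP or this page) runs a sliding-window detector over constructed authentication log lines: it raises one alert when a source address reaches a threshold of failures inside the window, and a second, higher-priority one when a successful login arrives from a source still inside such a burst, which is the signature of credential stuffing. The log format, sample lines, threshold and window are constructed assumptions.

```python
"""Failed-login burst detection over authentication logs (OWASP A09).
Added illustration; the log format, sample lines, threshold and window are
constructed assumptions, not from the page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple key=value format.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z login result=FAIL user=alice src=192.0.2.10",
    "2024-05-01T10:00:05Z login result=FAIL user=bob src=192.0.2.10",
    "2024-05-01T10:00:09Z login result=FAIL user=carol src=192.0.2.10",
    "2024-05-01T10:00:12Z login result=FAIL user=dave src=192.0.2.10",
    "2024-05-01T10:00:15Z login result=FAIL user=erin src=192.0.2.10",
    "2024-05-01T10:00:20Z login result=OK user=frank src=192.0.2.10",
    "2024-05-01T10:00:30Z login result=OK user=alice src=198.51.100.7",
    "2024-05-01T10:05:00Z login result=FAIL user=alice src=198.51.100.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; unknown lines are an error, not ignored."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Return (kind, src, detail) alerts:
    - 'failure_burst': `threshold` failures from one source inside `window`
      (fires once, when the threshold is reached);
    - 'success_after_burst': a successful login from a source still inside
      such a burst, the signal to review for credential stuffing."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps in window
    for ev in map(parse_line, lines):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append(("failure_burst", ev["src"], ev["ts"].isoformat()))
        elif len(q) >= threshold:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts
```

The per-source deque is what makes the detector cheap enough to run continuously: each event does a constant amount of work, so the same logic can sit in a log-forwarding agent and page someone the moment the second alert kind fires, rather than being found in a report weeks later.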
10. Server-Side Request Forgery (SSRF)
OWASP says that "SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network Access Control List (ACL)."
Numerous safeguards can be implemented within the network and application layers. As with every security weakness listed in this article, you can defend against this with the right approach to security and risk mitigation.
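The application-layer safeguard OWASP's definition points at is validation of the user-supplied URL before anything is fetched. The following added example (not code from OWASP or this page) does that in layers: an allowlist of schemes and hosts, rejection of embedded credentials and unusual ports, and a resolution step that refuses any host whose address is not globally routable, returning the vetted addresses so the fetcher connects to exactly those rather than resolving again. The allowlist, the fake DNS table used to keep the example offline, and the stand-in public address it returns are constructed assumptions.

```python
"""Outbound-URL validation against SSRF (OWASP A10). Added illustration; the
allowlist, the fake DNS table and the 'public' address it returns are
constructed assumptions, not values from the page."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed allowlist
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the example runs offline; the address is a
# stand-in public address. In production `resolve` would query the real resolver.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.34"],
}


def fake_resolve(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


class UnsafeURL(ValueError):
    """The URL failed one of the checks in validate_outbound_url."""


def validate_outbound_url(url: str, resolve=fake_resolve) -> list:
    """Allowlist scheme and host, reject userinfo and odd ports, then resolve
    the host and refuse anything that is not a globally routable address.
    Returns the vetted addresses so the caller connects to exactly those;
    re-resolving later would reopen the door to DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise UnsafeURL(f"port not allowed: {parts.port}")
    addresses = resolve(host.lower())
    if not addresses:
        raise UnsafeURL(f"host did not resolve: {host!r}")
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not ip.is_global:   # rejects private, loopback, link-local, reserved, multicast
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return addresses


def is_safe_url(url: str, resolve=fake_resolve) -> bool:
    """Boolean form for callers and tests; a malformed port is also unsafe."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:
        return False
```

The network-layer counterpart is an egress policy that only lets the application host reach the same allowlisted destinations, so that a bug in this function is not by itself enough to reach internal services.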
For More Information on OWASP
Now more than ever, software security is absolutely essential. Every organization uses dozens, in some cases, hundreds of different software applications, and every single one of them could cause security breaches, data theft, and other serious problems.
As an IT leader or CIO, you need to know the software in your organization's tech stack is safe and secure. Giva takes security very seriously. Take a closer look at Giva's certifications of compliance and security, and proactive steps we take to safeguard our software, clients, and customer data.