Access control vulnerabilities and misconfigurations occur more often than any other security weakness and took the No. 1 spot on a top 10 list of Web application security risks, according to a draft version of the list published by the Open Web Application Security Project (OWASP) this week.
The list, which is updated every three or four years using data analysis, surveys, and public comment, contained a number of surprises. Cross-Site Scripting (XSS), which accounts for about one in every five disclosed vulnerabilities, disappeared from the list, subsumed by the expanded category of Injection flaws. Three new categories were also added, including Insecure Design, which debuts in the No. 4 spot on the list.
While the ranking roughly corresponds to the frequency with which application security professionals encounter the issues, companies should aim to eliminate each of the 10 categories of flaws — and that is just a starting point, says Jonathan Knudsen, senior security strategist with Synopsys Software Integrity Group.
"The only way to reduce application security risk is by making security an integral part of every phase of software development, from design through to implementation, testing, release, and maintenance," he says. "Eliminating flaws from the OWASP Top 10 categories is a reasonable baseline goal, but for the most effective risk reduction, you should define and execute your own application security policies based on your specific applications and organizational goals."
The OWASP Top 10 list is created by analyzing contributed data from tests of more than 500,000 applications and an industry survey. The contributed data essentially looks at past trends, while the industry survey relies on the expertise of application security professionals to forecast future trends.
Previous versions of the OWASP Top 10 limited responses to about 30 classes of weaknesses as defined by the Common Weakness Enumeration (CWE) standard. The most recent survey used open-ended questions, resulting in a dataset representing nearly 400 CWEs. Yet the dataset also represents only security issues that can be detected using automated tests, which is why two of the Top 10 spots are voted on by the community, according to an OWASP blog post.
"Talk to a seasoned AppSec professional, and they will tell you about stuff they find and trends they see that aren't yet in the data — [i]t takes time for people to develop testing methodologies for certain vulnerability types and then more time for those tests to be automated and run against a large population of applications," the blog post stated. "Everything we find is looking back in the past and might be missing trends from the last year, which are not present in the data."
The top three application security risks are now broken access controls, cryptographic failures, and injection flaws (that category now includes XSS). While broken access controls and injection issues are the most commonly encountered issues in application testing, cryptographic failures are often missed and can lead to significant breaches.
In the 2017 OWASP Top 10 list, Injection flaws took the top slot, while Sensitive Data Exposure — now included as a variation of Cryptographic Failures — took the third position. The category of Broken Authentication Mechanisms ranked No. 2 on the previous list; now it comes in at No. 7, classified as Identification and Authentication Failures.
Some of the changes are predictable. In one proposal published in January, API security firm Wallarm analyzed the current body of security weaknesses and statistics on more than 2 million vulnerability disclosures and created a classification mapping that minimized overlap between categories.
The company correctly predicted the inclusion of Server-Side Request Forgery (SSRF) into the 2021 OWASP Top 10 list. While SSRF has only appeared in 912 bulletins in the past three years, that is more frequent than deserialization — No. 6 on the 2017 OWASP list — and about as much as XML External Entities (XXE), which was No. 4 on the 2017 list, the company stated in a blog post. Both of the previous risk categories have been combined with existing or new categories — XXE is now part of Security Misconfiguration, and Insecure Deserialization is now part of a larger grouping, Software and Data Integrity Failures.
The company also predicted the merging of those two categories. The firm's third proposal — introducing an overall risk score — has not been adopted. One surprise is the merging of XSS into the larger category of Injection, since XSS on its own accounts for 20% of all bulletins, the blog post stated.
"It’s almost 10x more than all the CVEs issued in the last three years," wrote Wallarm CEO Ivan Novikov, noting that the vulnerability is often not reported and so often does not have a Common Vulnerability Scoring System (CVSS) score. "That fact, however, doesn’t stop XSS from hitting the Top 3 in a chart."
Some of the risks are difficult to detect using static analysis, and so the Top 10 should not be the last word on which issues companies should focus on, Jayant Shukla, CTO and co-founder of K2 Cyber Security, said in a statement.
"Unfortunately, these problems are often hard to find during testing," he said, "and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect."