This post was written by Chris Romeo during his tenure at Security Journey. The article originally appeared on TechBeacon.com on October 11, 2021. You can access it here.
In the world of application security, the OWASP Top 10 2021 is the most famous—or infamous—of documents. Loved by most and hated by a few, this foundational document is the first thing people on most application security programs try to assimilate and conquer.
With the OWASP Top 10 2021, application security teams certainly have work to do. But if you embrace it, your app sec team will get better. Here are seven things practitioners can take action on from the new OWASP Top 10.
When the new Top 10 was released, some looked at the list and questioned the order. Is A01, "Broken Access Control," really a bigger problem than A10, "Server-Side Request Forgery" (SSRF)? The simple answer is not to get hung up on the ordering. If you have an SSRF in your Internet-facing web application, that issue trumps everything else you're facing, wherever SSRF happens to sit on the list.
Takeaway: The order of issues on the top 10 is not the important thing; deal with the highest-risk issues that stand in front of you.
Your primary focus must be on mitigating the issues the list defines. Your goal is to eliminate whole classes of flaws over time, not to fix one finding at a time.
The OWASP Top 10 has some guidance on mitigation and prevention, but it is not actionable as written. As one example, from "Broken Access Control": "Rate limit API and controller access to minimize the harm from automated attack tooling." Rate limiting is a good goal, but that sentence is a tough user story or requirement to hand to a developer: which endpoints, keyed on what, at what threshold, and what should happen to a request that exceeds the limit?
Takeaway: Mitigate issues using organizationally specific prevention and mitigation steps.
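What an organizationally specific version of that one sentence can look like, as an added example by the editor rather than code from the article or from OWASP: a per-key token bucket in front of a login controller. The limits (a burst of 5, then 1 request per second), the key (client IP plus target account), the 429 response with a Retry-After header, and the injectable clock are all assumptions chosen here for illustration. The requirement a developer receives is now "capacity, refill rate, key, and response on rejection", and a tester can assert on each of those.

```python
"""Turn "rate limit API and controller access" into a requirement a developer
can implement and a tester can verify.

Added example by the editor, not code from the original article or from OWASP.
The policy numbers (5-request burst, 1 request/second refill), the choice of
key (client IP plus target account) and the injectable clock are assumptions
made for illustration."""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitPolicy:
    capacity: int             # burst size: tokens a fresh bucket starts with
    refill_per_second: float  # sustained rate once the burst is spent


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Per-key token bucket. `clock` is injectable so behaviour is testable."""

    def __init__(self, policy: RateLimitPolicy, clock=time.monotonic) -> None:
        self.policy = policy
        self.clock = clock
        self._buckets: dict[str, _Bucket] = {}

    def check(self, key: str) -> tuple[bool, float]:
        """Consume one token for `key`; return (allowed, seconds_until_next_token)."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.policy.capacity), updated=now)
            self._buckets[key] = bucket
        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(self.policy.capacity),
                            bucket.tokens + elapsed * self.policy.refill_per_second)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        retry_after = (1.0 - bucket.tokens) / self.policy.refill_per_second
        return False, retry_after


def handle_login(limiter: TokenBucketLimiter, client_ip: str, account: str) -> dict:
    """Controller wrapper. Assumed key: client IP plus target account, which
    throttles one source retrying one account. A real deployment layers separate
    per-IP and per-account limits on top to catch password spraying as well."""
    allowed, retry_after = limiter.check(f"{client_ip}|{account}")
    if not allowed:
        # Spec: over-limit requests get 429 plus a Retry-After hint, rounded up.
        return {"status": 429, "headers": {"Retry-After": str(int(retry_after) + 1)}}
    return {"status": 200, "headers": {}}


class FakeClock:
    """Deterministic clock for the demo and for unit tests."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[int]:
    """Burst past the limit, wait two seconds, retry; return the statuses observed."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(RateLimitPolicy(capacity=5, refill_per_second=1.0), clock)
    statuses = [handle_login(limiter, "198.51.100.7", "alice")["status"] for _ in range(7)]
    clock.advance(2.0)  # two tokens refill
    statuses += [handle_login(limiter, "198.51.100.7", "alice")["status"] for _ in range(3)]
    statuses.append(handle_login(limiter, "198.51.100.8", "alice")["status"])  # separate key
    return statuses


if __name__ == "__main__":
    print(demo())
```

The point of the injectable clock is that the requirement becomes testable in CI without sleeping: a test can exhaust the bucket, advance time, and assert on the exact statuses and Retry-After values the policy promises.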
Insecure design is the root of the other nine items on the list. A cryptographic failure started as an answer to a user story where someone said, "This crypto key size is good enough." If the new crypto feature had been properly threat modeled before coding, the issue would more than likely have been discovered.
Among the available tools and technologies that could eliminate vulnerabilities, threat modeling is the only discipline that could impact every item on the Top 10 list.
Takeaway: Implement threat modeling as a solution for all 10 items on the list.
Since the list's inception, people have called the Top 10 a standard, and while the OWASP team has pushed back against that for years, it has finally accepted it and added a section called “How to use the OWASP Top 10 as a standard.” This title is a bit tongue-in-cheek, though, since the section states once again the list is an awareness document and then points to the other projects that help you form a solid program foundation.
The Application Security Verification Standard (ASVS) is pointed to as the verifiable standard and is the recommended choice for the depth you need to run a program.
The Proactive Controls, which tries to answer the question of how to fix the Top 10 issues, is now under revision to match up with the new Top 10.
Takeaway: The Top 10 is flashy, but it’s a mile wide and an inch deep. ASVS, together with Proactive Controls and the Top 10, is a mile wide and a mile deep.
Common Weakness Enumerations have been part of the Top 10 since at least 2017. This year the CWEs are more front and center, and a wider distribution of CWEs was considered in the team’s analysis. As you present the new Top 10 to your developers, take them back to the foundational CWE nature of each issue.
Takeaway: Ensure that developers have perspective on how CWEs work and how they can use them to understand and mitigate issues.
The resource lists found within the Top 10 are a hidden treasure of application security goodness. As an example, "Broken Access Control" offers pointers to Proactive Controls, ASVS, OWASP Testing Guide, and OWASP Cheat Sheets. The mappings align with specific areas in those other documents that assist the program with dealing with the issue. Following the resources can show you how to transform your products and applications on an issue-by-issue basis.
Takeaway: Go beyond the surface of each item on the list and take your teams deep into understanding, testing, and mitigating the issues.
Remember when cross-site request forgery (CSRF) first arrived on the scene? It was a challenging class of issues to explain because it had multiple moving parts. SSRF is now in the same boat. Ask 10 application security people what SSRF is and how to mitigate it and you’ll get a widely varied selection of answers and levels of understanding.
Takeaway: Given how much damage a single SSRF issue can do, invest in building understanding of it and in mitigating it.
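To make the class of issue concrete, here is an added example by the editor (not from the article or from OWASP) showing the vulnerable pattern beside one mitigation in Python. The allowlisted hosts, the FAKE_DNS table and the port policy are assumptions made for the offline demo; the checks themselves (allowlist scheme, host and port; resolve the name yourself and check every answer against public ranges; unwrap IPv4-mapped IPv6; reject embedded credentials; pin the checked address and disable redirects) are the standard ones.

```python
"""SSRF in one picture: the server fetches a URL the user influences, so the
attacker makes the server talk to hosts only it can reach (loopback, the
private network, the cloud metadata endpoint).

Added example by the editor, not code from the original article or from OWASP.
`fetch_url_vulnerable` is the classic sink; `validate_outbound_url` is one
defence. ALLOWED_HOSTS/ALLOWED_PORTS and the FAKE_DNS table are assumptions
constructed for the demo, not real policy or real DNS records."""
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import urlopen


def fetch_url_vulnerable(url: str) -> bytes:
    """Any scheme, any host, any port, redirects followed. An attacker-supplied
    http://169.254.169.254/latest/meta-data/ or http://localhost:6379/ goes straight out."""
    with urlopen(url) as resp:  # never call this with untrusted input
        return resp.read()


class SSRFError(ValueError):
    """Raised when an outbound URL fails policy."""


# Assumption for the demo: the only destinations this feature legitimately needs.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}
ALLOWED_HOSTS = {"api.example.com", "images.example.net", "static.example.net"}


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable unicast addresses. Unwraps IPv4-mapped
    IPv6 (::ffff:a.b.c.d) so the IPv4 checks still apply."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, private, link-local (incl. 169.254.169.254),
    # shared address space, documentation ranges and reserved blocks.
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolver=system_resolver) -> tuple:
    """Return (hostname, ip) approved for the fetch, or raise SSRFError.
    The caller must connect to the returned ip (not re-resolve, which would
    reopen a DNS-rebinding window), send Host/SNI for hostname, and disable
    redirects, since a redirect target is never validated here."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFError("credentials in URL not allowed")  # blocks https://good@evil/
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise SSRFError(f"host not allowlisted: {host!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise SSRFError(f"malformed port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise SSRFError(f"port not allowed: {port}")
    addresses = resolver(host)
    if not addresses:
        raise SSRFError(f"{host} did not resolve")
    for addr in addresses:  # every answer must be public, not just the first
        if not is_public_address(addr):
            raise SSRFError(f"{host} resolves to non-public address {addr}")
    return host, addresses[0]


# Constructed DNS answers for an offline demo (not real records).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],              # ordinary public address
    "images.example.net": ["10.0.0.5"],                # rebound/hijacked to an internal host
    "static.example.net": ["::ffff:169.254.169.254"],  # IPv4-mapped metadata address
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def classify(url: str) -> str:
    """Policy verdict for one URL, using the constructed resolver."""
    try:
        host, ip = validate_outbound_url(url, fake_resolver)
        return f"allow {host} -> {ip}"
    except SSRFError as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/users", "http://api.example.com/",
              "https://169.254.169.254/latest/meta-data/", "https://api.example.com@127.0.0.1/",
              "https://images.example.net/a.png", "https://static.example.net/a.css"]:
        print(f"{u:48} {classify(u)}")
```

Two details are where most "mitigations" fall short: checking the hostname string against a denylist instead of resolving it and checking every returned address, and validating the initial URL while letting the HTTP client follow a redirect to an unvalidated one. The returned address is meant to be pinned for the actual connection; a blocklist of known-bad hosts is not a substitute for the allowlist.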
While the OWASP Top 10 is seen as a “standard,” it requires more effort by you, the practitioner, to unlock its true potential. Lists of preventions and a few examples are great, but they are not a holistic approach to application security.
Use the OWASP Top 10 for what it was initially designed for: awareness. Use it to teach your team the top issues they must understand. And look to all the other OWASP resources to fill in the gaps.