As you may already know, the OWASP Top 10 is an awareness document that helps developers learn about common software security issues and the corresponding remediations. Many compliance standards recommend or require that organizations familiarize their developers with the OWASP Top 10. On September 24, the OWASP Foundation formally published the latest version of the Top 10, and it's broader and more comprehensive than any previous version. Let's look at the changes to help you plan for the impact this will have on you and your team in the coming year.
A tremendous amount of work has gone into creating the new list for 2021. Vulnerability data from 500,000 applications was submitted by various organizations, and an industry survey of application security professionals was used to determine the final list of categories. The new categories added to the list have expanded the scope to include more Common Weakness Enumerations (CWEs) than any previous version of the list.
The new list focuses on the total number of applications found to be vulnerable to a particular CWE in a category rather than the total frequency of occurrences of a CWE across all the sample applications. By focusing on the number of applications affected instead of the total frequency count, noisy vulnerabilities that are easy to test for, like Cross-Site Scripting, received less weight this year. This metric, along with the number of CWEs in a category, automated testing coverage, CVSS exploit and impact scores, and the total number of CVEs mapped to the CWEs, was used to determine which categories topped the list. A much longer list could be created, but these categories isolate the root causes of the biggest issues that application security programs need to address as a baseline.
The 2021 list has a new focus on vulnerability categories rather than individual vulnerabilities.
One of the three new categories on the list is Insecure Design. The addition of Insecure Design will have a broad impact on application security programs that adopt the list as their minimum baseline. The new category requires organizations to consider security before code is written, using practices like threat modeling and secure application architectures. Fixing Insecure Design issues can be very expensive after software is written and deployed, so this category's benefit will probably take many years to realize for most organizations.
Another new category is Software and Data Integrity Failures, another broad topic that maps to a few common CWEs, such as CWE-829: Inclusion of Functionality from Untrusted Control Sphere, CWE-494: Download of Code Without Integrity Check, and CWE-502: Deserialization of Untrusted Data. These are the types of vulnerabilities that led to the SolarWinds attack, which distributed a malicious update to more than 18,000 organizations.
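Two of the CWEs named above have well-understood controls, so here is an added example (not code from the original post) of what each looks like in practice: a pinned-digest check before a downloaded artifact is used (CWE-494), and a constrained JSON parser in place of deserializing untrusted bytes (CWE-502). The artifact bytes, the pinned digest and the session schema are constructed for the example; no real update server, package or format is involved.

```python
"""Added example (not from the original post): defensive checks for two CWEs
the post cites under Software and Data Integrity Failures.

1. CWE-494 (Download of Code Without Integrity Check): verify a fetched
   artifact against a digest the consumer pinned out of band before using it.
2. CWE-502 (Deserialization of Untrusted Data): never hand untrusted bytes to
   a general-purpose deserializer such as pickle; parse a fixed, data-only
   JSON schema and validate every field instead.

All inputs below are constructed so the example runs offline.
"""
import hashlib
import hmac
import json

# Constructed sample artifact standing in for a downloaded update or plugin.
TRUSTED_ARTIFACT = b"print('hello from a trusted build')\n"
# The consumer records this digest out of band (for example in a lock file),
# so a download that was modified in transit or at the source no longer matches.
PINNED_SHA256 = hashlib.sha256(TRUSTED_ARTIFACT).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Return True only if data hashes to the pinned digest.
    hmac.compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def load_artifact(data: bytes, expected_sha256: str) -> bytes:
    """Gate every use of the artifact on the integrity check (CWE-494)."""
    if not verify_artifact(data, expected_sha256):
        raise ValueError("integrity check failed: artifact does not match pinned digest")
    return data


# --- CWE-502: deserialization of untrusted data -----------------------------

# Hypothetical session schema: the only keys and types we are willing to accept.
ALLOWED_KEYS = {"user_id": int, "role": str}
ALLOWED_ROLES = {"reader", "editor"}


def safe_load_session(blob: bytes) -> dict:
    """Parse untrusted bytes as JSON and validate against the fixed schema.

    json.loads can only produce plain data (dicts, lists, strings, numbers),
    so unlike pickle it cannot instantiate arbitrary classes while parsing.
    The explicit schema then rejects unexpected keys, types and values.
    """
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_KEYS):
        raise ValueError("unexpected session structure")
    for key, typ in ALLOWED_KEYS.items():
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(obj[key], typ) or isinstance(obj[key], bool):
            raise ValueError(f"bad type for {key}")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return obj


if __name__ == "__main__":
    print(load_artifact(TRUSTED_ARTIFACT, PINNED_SHA256).decode())
    print(safe_load_session(b'{"user_id": 7, "role": "editor"}'))
```

The digest check only helps if the pinned value comes from somewhere the download channel cannot alter (a lock file committed with the code, or a signature verified against a key you already hold); a digest fetched from the same server as the artifact proves nothing.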
The final new category on the list is Server-Side Request Forgery. This item doesn’t follow the trend of category over individual vulnerability, as it is a single CWE (CWE-918). This item was added to the list based on the results from the Top 10 community survey, rather than from the data of vulnerabilities found in the 500,000 sample applications. This vulnerability is likely to be consolidated into another category in a future release of the list.
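Because SSRF (CWE-918) is the one single-CWE entry on the list, its defense is also narrow and concrete: a feature that fetches a user-supplied URL should only ever reach the hosts it was built to reach. The validator below is an added example (not code from the original post); the allowlisted hosts and the host-to-address map are constructed sample data, and the resolver is injected so the example runs offline without DNS.

```python
"""Added example (not from the original post): an outbound-URL validator of the
kind used to mitigate CWE-918 (Server-Side Request Forgery).

Checks, in order: allowlisted scheme, no embedded credentials, allowlisted
host, expected port, and finally that every address the host resolves to is
publicly routable. The last check matters because a hostname under someone
else's control can resolve to an internal address even when it looks harmless.

ALLOWED_HOSTS and FAKE_DNS are constructed for the example; `resolve` is an
injected callable so no real DNS lookups happen.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hosts this particular feature is allowed to fetch from (constructed).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for loopback, private (RFC 1918), link-local,
    shared address space and the documentation ranges, which is what we want.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolve) -> str:
    """Return url unchanged if it passes every check; raise ValueError otherwise.
    `resolve(host)` must return the list of IP address strings for host."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    # A name can return several records; one internal address among them is
    # enough to reach an internal service, so all of them must be public.
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


# Constructed resolver standing in for DNS. The public addresses are sample
# values; 10.0.0.5 is an RFC 1918 private address.
FAKE_DNS = {
    "images.example.com": ["1.2.3.4"],
    "cdn.example.com": ["5.6.7.8", "10.0.0.5"],  # one internal record slipped in
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    print(validate_outbound_url("https://images.example.com/logo.png", fake_resolve))
```

In production the check must be applied to the address the HTTP client actually connects to, not only to the name validated up front; otherwise a record that changes between validation and connection, or a redirect to another host, bypasses it. Validating again on each redirect and connecting to the already-resolved address closes that gap.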
Previously separate entries like Cross-Site Scripting and XML External Entity Injection have been consolidated into related categories in the new list. For some, consolidating Cross-Site Scripting with other Injection vulnerabilities makes perfect sense and is a welcome change: it allows organizations to focus on application architecture changes that prevent all types of injection. For others, it consolidates too many detailed injection defense topics into a single category. Cross-Site Scripting is still the most prevalent type of vulnerability by total exploitable occurrences according to HackerOne, and its defenses are complex, detailed and varied. Combining Cross-Site Scripting with SQL, NoSQL, and Command Injection might lead organizations to underestimate the amount of work they will need to do to defend against the vulnerabilities in this category.
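The "varied defenses" point is easiest to see in code. The added example below (not code from the original post) puts the two most common Injection-category controls side by side: a parameterized SQL query against a string-built one, and context-specific output encoding for three different HTML sinks. It uses an in-memory SQLite database with constructed rows, and the rendering functions are hypothetical helpers written for the example.

```python
"""Added example (not from the original post): injection defenses from the
consolidated 2021 Injection category, shown side by side.

SQL (CWE-89): a query assembled by string formatting lets the input alter the
statement's structure; a parameterized query binds it as a value only.
XSS: the same untrusted string needs a different encoder depending on where
it lands (HTML text, HTML attribute, URL path segment). One routine does not
cover every sink, which is why the post calls these defenses varied.
"""
import html
import sqlite3
from urllib.parse import quote

# Constructed rows; the apostrophe in the second name is the interesting case.
SAMPLE_USERS = [("alice", "reader"), ("o'brien", "editor")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str):
    """The pattern to avoid: the input is spliced into the SQL text, so a quote
    in the name changes the statement itself (here it breaks the syntax)."""
    row = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def find_role_safe(conn: sqlite3.Connection, name: str):
    """Parameterized query: the driver sends `name` as data, never as SQL."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# --- Output encoding for three HTML contexts ---------------------------------

def render_greeting(name: str) -> str:
    """HTML text context: escape &, <, >, and both quote characters."""
    return f"<p>Hello, {html.escape(name)}</p>"


def render_search_box(prior_query: str) -> str:
    """HTML attribute context: the attribute is quoted AND the value is
    escaped, so a quote in the input cannot close the attribute early."""
    return f'<input name="q" value="{html.escape(prior_query, quote=True)}">'


def render_article_link(label: str, slug: str) -> str:
    """URL path context inside an attribute: percent-encode the slug for the
    URL first, then HTML-escape the finished attribute value and the label."""
    href = "/articles/" + quote(slug, safe="")
    return f'<a href="{html.escape(href)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    db = make_db()
    print(find_role_safe(db, "o'brien"))
    print(render_greeting("<b>guest</b>"))
    print(render_search_box('say "hi"'))
    print(render_article_link("A & B", "a b/c"))
```

Escaping is the last line of defense for XSS, not the only one: a templating engine that encodes by default, a Content Security Policy, and avoiding sinks such as innerHTML for untrusted data all reduce the number of places where a missed encoder matters.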
Overall, the changes have been well received by the application security community, and the process used to arrive at the list was well run and included more data and community involvement than any previous version. The OWASP Top 10 is often used as a bare-minimum requirement for starting an application security effort within an organization, and with this new list that bare minimum has a larger scope, which should lead to better application security outcomes.
The application security challenge isn't going away, but this list will help focus application security on meeting the baseline requirements. The best way to address the entire scope of the application security issues highlighted by this list is to train your development team and to ensure that your training plan, KPIs, and expectations of developers reflect the growth in topics. The development team can have an impact early in the software development life cycle by threat modeling, making secure architecture decisions, choosing good libraries and frameworks, and creating paved-path approaches to avoid common secure coding mistakes.
We have trained tens of thousands of developers on secure coding best practices and application security techniques like threat modeling and DevSecOps. The training we offer allows developers to find, exploit, and remediate common vulnerabilities that are the basis for the OWASP Top 10. We will soon release a dedicated training plan that focuses on the 2021 OWASP Top 10 using our hands-on training approach.