OWASP Top 10 2021: Web Application Security Risks
The Open Worldwide Application Security Project (OWASP) is a
nonprofit foundation dedicated to improving software security.
Their Top 10 list provides rankings of the most critical web
application security risks, offering developers and security
professionals insight into prevalent vulnerabilities so they can
incorporate these findings into their security practices.
What is the OWASP Top 10?
Industry Standard
The OWASP Top 10 provides rankings of the most critical web application security risks, based on consensus among security experts worldwide.
Risk Assessment
Risks are ranked according to the frequency of discovered security defects, the severity of uncovered vulnerabilities, and the magnitude of their potential impacts.
Practical Guidance
The report offers remediation guidance for each vulnerability, helping developers fold these findings into their own security practices to minimize known risks.
Why the OWASP Top 10 Matters
1 Established Authority
OWASP has maintained its Top 10 list since 2003, updating it every two
or three years in accordance with advancements in the AppSec market.
2 Industry Benchmark
The list serves as a checklist and internal web application development
standard for many of the world's largest organizations.
3 Compliance Indicator
Auditors often view an organization's failure to address the OWASP Top 10
as an indication that it may be falling short on other compliance standards.
4 Best Practices Integration
Integrating the Top 10 into the software development life cycle
demonstrates an organization's commitment to industry best practices for
secure development.
What's New in the 2021 List?
1 Three New Categories
The 2021 list introduces three entirely new categories of vulnerabilities that weren't present in previous versions.
2 Four Naming Changes
Four existing categories underwent changes to their naming and scoping to better reflect the nature of the vulnerabilities.
3 Category Consolidation
Some previously separate categories have been
consolidated to provide a more cohesive understanding of
related vulnerabilities.
OWASP Top 10 vs. OWASP API Top 10
OWASP Top 10
Focuses on general web application security vulnerabilities affecting traditional web apps.
• Created in 2003, updated every 2-3 years
• Broader focus on full-stack applications
• Includes server and client-side vulnerabilities
OWASP API Top 10
Specifically addresses security risks unique to API implementations.
• First released in 2019, newer initiative
• API-specific threat landscape
• Focuses on data exposure and authorization flaws
Key Distinctions
While overlap exists, each addresses distinct security concerns.
• API list emphasizes broken object authorization
• Different risk priorities
• Both provide practical mitigation strategies
But first, let's go through the OWASP Top 10
1. Broken Access Control
Definition
A weakness that allows an attacker to gain unauthorized
access to user accounts, functioning as either a user or
administrator in the system.
Example
An application allows a primary key to be changed, and
when this key is changed to another user's record, that
user's account can be viewed or modified.
Solution
Interactive application security testing (IAST) solutions can
detect cross-site request forgery or insecure storage of
sensitive data, while penetration testing can serve as a
manual supplement.
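The primary-key weakness from the example above, as an added illustration that is not part of the original page: a record lookup that trusts the client-supplied key beside one that enforces ownership server-side. The account store, user ids and the admin set are constructed for this demo.

```python
# Added example (not from the page): object-level authorization for a
# "view account record" operation. The vulnerable variant returns whatever
# key the client names; the hardened one checks ownership (or an admin role)
# before returning anything. Data and ids below are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not touch the requested record."""


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    balance: int


# Constructed sample records; in a real system these live in a database.
ACCOUNTS = {
    101: Account(account_id=101, owner_id=1, balance=500),
    102: Account(account_id=102, owner_id=2, balance=9000),
}
ADMIN_USER_IDS = {99}  # constructed: user 99 is an administrator


def get_account_vulnerable(caller_id: int, account_id: int) -> Account:
    """Vulnerable: never checks ownership, so changing account_id in the
    request exposes any user's record (caller_id is simply ignored)."""
    return ACCOUNTS[account_id]


def get_account_checked(caller_id: int, account_id: int) -> Account:
    """Hardened: look the record up, then enforce ownership or admin role.
    A missing record and a forbidden record raise the same error, so the
    endpoint does not confirm which account ids exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or (caller_id != record.owner_id
                          and caller_id not in ADMIN_USER_IDS):
        raise Forbidden(f"user {caller_id} may not access account {account_id}")
    return record


def can_access(caller_id: int, account_id: int) -> bool:
    """Boolean wrapper around the hardened check."""
    try:
        get_account_checked(caller_id, account_id)
        return True
    except Forbidden:
        return False
```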
2. Cryptographic Failures
Definition
Previously known as sensitive data exposure, this vulnerability occurs
when important stored or transmitted data is compromised due to
inadequate encryption.
Example
A financial institution fails to adequately protect sensitive data,
becoming an easy target for credit card fraud and identity theft.
Solution
Tools like Seeker can scan for inadequate encryption strength and weak
cryptographic keys, while Black Duck can surface cryptographic methods
used in open source software.
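One concrete form of inadequate protection of stored data, added here as an example and not taken from the page: a fast unsalted digest for stored credentials beside a salted, slow key derivation with constant-time verification. The iteration count and record layout are choices made for this demo.

```python
# Added example (not from the page): weak credential storage (unsalted MD5)
# beside a hardened form (per-record salt, PBKDF2-HMAC-SHA256, constant-time
# comparison). PBKDF2_ITERATIONS and the '$'-separated record layout are
# demo choices, not values from the page.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 210_000  # demo value; tune upward as hardware allows


def weak_hash(password: str) -> str:
    """Vulnerable pattern: fast and unsalted. Equal passwords produce equal
    hashes, and precomputed tables recover common ones cheaply."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened: random 16-byte salt plus a slow KDF, stored as a
    self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'
    so parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters; compare in constant time.
    Malformed or unknown records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```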
3. Injection
Definition
A code injection occurs when invalid data is sent by an
attacker into a web application to make it do something it
wasn't designed to do. Cross-site scripting is now considered
part of this category.
Example
An application uses untrusted data when constructing a
vulnerable SQL call, allowing attackers to manipulate the
database.
Solution
Including SAST and IAST tools in CI/CD pipelines helps
identify injection flaws both at the static code level and
dynamically during application runtime testing.
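The vulnerable SQL call from the example above beside its parameterized form, added here as an illustration that is not part of the original page. The in-memory table, rows and probe input are constructed for this demo.

```python
# Added example (not from the page): a lookup that splices untrusted data
# into SQL text, beside the same lookup with a bound parameter. The users
# table and the PROBE input are constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value becomes part of the SQL text, so a quote in
    the input changes the structure of the query."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a bound parameter is always data, never SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed input mixing a name with SQL syntax; the vulnerable query
# returns every row, the parameterized one matches nothing.
PROBE = "nobody' OR '1'='1"
```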
4. Insecure Design
New Category
Insecure design is a new category for 2021 that focuses on risks related to design flaws, emphasizing that threat modeling and secure design patterns alone are not sufficient.
Example
A movie theater chain allows group booking discounts with a deposit for large groups. Attackers could exploit this by booking hundreds of seats across various theaters, causing significant financial loss.
Solution
IAST tools can detect vulnerabilities and expose API and service calls in complex applications, providing visual maps of data flow to identify design weaknesses.
5. Security Misconfiguration
1 Default configurations left unchanged (highest risk)
2 Unnecessary features enabled (high risk)
3 Improper error handling (medium risk)
4 Outdated security settings (lower risk)
Security misconfigurations are design or configuration weaknesses that result from configuration errors or shortcomings. For example, a
default account with its original password still enabled makes the system vulnerable to exploit. Solutions like Coverity SAST can identify
information exposure through error messages, while dynamic tools detect information disclosure during runtime testing.
6. Vulnerable and Outdated Components
1 Component identification: know what you're using
2 Vulnerability assessment: check for known issues
3 Regular updates: keep components current
4 Dependency management: monitor all dependencies
This category relates to components that pose both known and potential security risks. Due to the volume of components used in
development, teams might not understand all components in their application, and some might be out-of-date and vulnerable to attack.
Software composition analysis tools like Black Duck can identify outdated and insecure components, working alongside IAST to provide
insight into how vulnerable components are actually being used.
7. Identification and Authentication Failures
Definition
Previously known as broken authentication, this vulnerability occurs when functions related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords, keywords, and sessions.
Example
A web application allows the use of weak or easy-to-guess passwords (e.g., "password1"), making it trivial for attackers to gain unauthorized access to user accounts.
Solution
Multifactor authentication can help reduce the risk of compromised accounts. Automated static analysis is useful in finding authentication flaws, while IAST tools can detect hardcoded credentials and improper authentication steps.
8. Software and Data Integrity Failures
New Category
This is a new category for 2021 that focuses on software updates, critical data, and CI/CD pipelines used without verifying integrity. Insecure deserialization is now included in this entry.
Example
An application deserializes attacker-supplied hostile objects, opening itself to vulnerability and potentially allowing remote code execution in the system.
Solution
Application security tools help detect deserialization flaws, and
penetration testing can validate the problem. IAST tools can check for
unsafe deserialization and help detect insecure redirects or token
tampering.
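The deserialization check described above, as an added example that is not part of the original page: an unpickler that refuses any class not on an allowlist, beside the unrestricted call. Pickle is used only because it is in the standard library; the allowlist and sample streams are constructed for this demo.

```python
# Added example (not from the page): deserializing untrusted input with and
# without an allowlist check. ALLOWED_GLOBALS and the sample payloads are
# constructed for this demo; the hostile stream only *references* a
# function by name and is never executed.
import io
import os
import pickle

# Only these (module, name) pairs may be resolved from untrusted data.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"),
                   ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global not on the allowlist, so a stream
    naming an arbitrary callable cannot be turned into one."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def loads_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_unrestricted(data: bytes):
    """Vulnerable: reconstructs whatever the stream names."""
    return pickle.loads(data)


def accepts(data: bytes) -> bool:
    """True if the restricted loader accepts the stream."""
    try:
        loads_restricted(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed payloads: a benign record, and a stream that merely refers
# to os.system by module/name (resolving it is what the check blocks).
BENIGN = pickle.dumps({"order": 7, "seats": [1, 2]})
HOSTILE_REFERENCE = pickle.dumps(os.system)
```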
9. Security Logging and Monitoring Failures
1 Definition
Formerly known as insufficient logging and monitoring, this entry has
been expanded to include more types of failures. Proper logging and
monitoring are essential for detecting and responding to security
incidents.
2 Example
Events that can be audited, like logins, failed logins, and other
important activities, are not logged, leaving a site vulnerable to more
severe compromising activities.
3 Solution
After performing penetration testing, developers can study test logs to
identify possible shortcomings. SAST and IAST tools can help identify
unlogged security exceptions.
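A structured audit record for the login events named above and a detection pass that flags a burst of failed logins, added here as an example that is not part of the original page. The log format, threshold, window and sample lines are constructed for this demo.

```python
# Added example (not from the page): single-line JSON audit records for
# login events, plus a sliding-window detector over constructed log lines.
# THRESHOLD, WINDOW and SAMPLE_LOG are demo choices.
from collections import defaultdict
from datetime import datetime, timedelta
import json

THRESHOLD = 5                  # failed logins per (user, source IP) ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def audit_event(ts, event, user, src_ip, ok) -> str:
    """One structured record per event: easy to ship, parse and alert on."""
    return json.dumps({"ts": ts.isoformat(), "event": event, "user": user,
                       "src_ip": src_ip, "ok": ok})


def parse_event(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def failed_login_bursts(lines) -> dict:
    """Return {(user, src_ip): peak count} for pairs whose failures inside
    any WINDOW reach THRESHOLD. Successes and other events are ignored;
    lines are sorted first so out-of-order shipping does not matter."""
    recent = defaultdict(list)
    flagged = {}
    for rec in sorted(map(parse_event, lines), key=lambda r: r["ts"]):
        if rec["event"] != "login" or rec["ok"]:
            continue
        key = (rec["user"], rec["src_ip"])
        times = recent[key]
        times.append(rec["ts"])
        while rec["ts"] - times[0] > WINDOW:  # drop failures outside window
            times.pop(0)
        if len(times) >= THRESHOLD:
            flagged[key] = max(flagged.get(key, 0), len(times))
    return flagged


# Constructed sample: six failures from one address inside two minutes
# (should be flagged) and slow, spread-out failures elsewhere (should not).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOG = [audit_event(T0 + timedelta(seconds=20 * i), "login", "alice",
                          "203.0.113.7", False) for i in range(6)]
SAMPLE_LOG += [audit_event(T0 + timedelta(minutes=10 * i), "login", "bob",
                           "198.51.100.2", False) for i in range(6)]
SAMPLE_LOG.append(audit_event(T0 + timedelta(minutes=3), "login", "alice",
                              "203.0.113.7", True))
```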
10. Server-Side Request Forgery
New Threat
A new category this year, SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to make the application send crafted requests to unexpected destinations.
Increasing Severity
The severity and incidence of SSRF attacks are increasing due to cloud services and the increased complexity of architectures, making this a critical vulnerability to address.
Detection Solutions
Modern AST tools can track, monitor, and detect SSRF without additional scanning. Advanced instrumentation and agent-based technology can identify potential exploits from SSRF attacks.
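The URL validation that the definition above says is missing, as an added example that is not part of the original page: scheme and host allowlisting before a server-side fetch, plus a separate check for internal address ranges. The allowlists and sample URLs are constructed for this demo; nothing is fetched.

```python
# Added example (not from the page): validating a user-supplied URL before
# the server fetches it. ALLOWED_SCHEMES / ALLOWED_HOSTS are constructed
# for this demo. No network access is performed.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # demo allowlist


def is_internal_address(ip_str: str) -> bool:
    """True for addresses a server-side fetch should never reach: private
    ranges, loopback, link-local (cloud metadata services live here),
    reserved, multicast and unspecified. Use this again at fetch time on
    the *resolved* address, since a name may resolve differently later."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is on the allowlist. Userinfo
    ('user@host') and literal IP hosts are rejected outright because both
    are common ways to slip past a hostname check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal IPs bypass the hostname allowlist
    except ValueError:
        pass
    return host.lower() in ALLOWED_HOSTS
```

The allowlist check covers the URL as submitted; the resolved address should be re-checked with is_internal_address in the fetch path, because the hostname is resolved only at that point.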
How Application Security Tools Help
SAST Tools
Static Application Security Testing tools analyze source code to identify vulnerabilities before deployment, helping address issues early in the development cycle.
DAST Tools
Dynamic Application Security Testing tools test running applications to find vulnerabilities that might only appear during execution.
IAST Tools
Interactive Application Security Testing combines static and dynamic approaches, providing real-time feedback during testing phases.
SCA Tools
Software Composition Analysis tools identify and track open source components, helping detect vulnerable or outdated dependencies.
The Challenge of Multiple Security Tools
Tool Proliferation
Most businesses use multiple application security tools to help
check off OWASP compliance requirements, creating a
complex security landscape.
Integration Challenges
Organizations face the challenge of aggregating, correlating,
and normalizing different findings from various AST tools,
making it difficult to get a comprehensive view.
Efficiency Concerns
Managing multiple tools can lead to decreased efficiency and
productivity as teams struggle to coordinate findings and
remediation efforts.