OWASP Top 10 application vulnerabilities lessons

By | May 18, 2023

Web application attacks are the fastest-growing attack vector according to a recent data breach investigations report. The OWASP Top 10 is a broad consensus about the most critical security risks to web applications. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. OWASP maintains a variety of projects, including the Top 10 web application security risks standard awareness document for developers and security practitioners. Use trusted repositories and apply adequate segregation and access control to the CI/CD pipeline. Determine countermeasures and remediation through deep vulnerability analysis.

At a high level, we plan to perform a level of data normalization; however, we will keep a version of the raw data contributed for future analysis. We will analyze the CWE distribution of the datasets and potentially reclassify some CWEs to consolidate them into larger buckets. We will carefully document all normalization actions taken so it is clear what has been done. A typical example of a cryptographic failure is when passwords are stored in the database unsalted or as simple and weak hashes.

OWASP Top 10: Server Side Request Forgery

Broken authentication comes into play when web apps implement authentication and session management techniques poorly, because it gives attackers access to accounts they otherwise shouldn't be authorized to access. Once developers know how to build a secure component, they need to understand how to do so in concert with others. The broader picture of this is the maturity level of the team performing all the security aspects of the greater SSDLC – and when we say SSDLC at OWASP, we mean OWASP SAMM.

OWASP Top 10 Lessons

The more information provided, the more accurate our analysis can be. At a bare minimum, we need the time period, the total number of applications tested in the dataset, and the list of CWEs with counts of how many applications contained each CWE. If at all possible, please provide the additional metadata, because that will greatly help us gain more insights into the current state of testing and vulnerabilities. The goal is to collect the most comprehensive dataset of identified application vulnerabilities to date, enabling analysis for the Top 10 as well as other future research. This data should come from a variety of sources: security vendors and consultancies, bug bounties, along with company/organizational contributions.

Broken access control

Cryptographic failures occur when data is transmitted in plain text, uses outdated or insecure cryptographic algorithms, or is protected by default or weak cryptographic keys. For these, it's important to turn off autocomplete on forms, encrypt data both in transit and at rest with up-to-date encryption techniques, and disable caching on data collection forms. The software and data integrity failures category, new in this edition of the Top 10, focuses on making assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity. The SolarWinds supply-chain attack is one of the most damaging we've seen.
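To make the weak password storage mentioned earlier (unsalted or simple hashes) and the cryptographic-failure mitigations concrete, here is an added Python example that is not code from the original article: it contrasts an unsalted fast hash with a salted, iterated PBKDF2 record verified in constant time, plus an audit check that flags the weak shape. The sample password and the `algorithm$iterations$salt$digest` record layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration (not a real credential).
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_store(password: str) -> str:
    """The pattern the article warns against: one unsalted, fast hash.
    Every user with the same password gets the same digest, so one crack
    or one precomputed table applies to the whole credential table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 600_000) -> str:
    """Hardened form: random per-user salt plus a slow, iterated KDF.
    The record is self-describing so the iteration count can be raised later
    without breaking existing rows (constructed layout, not a standard one)."""
    salt = os.urandom(16)  # unique per record; defeats shared precomputation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed, never accept by accident
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_is_weak(record: str) -> bool:
    """Audit check for an existing credential table: a bare hex digest with no
    salt or parameter fields (MD5/SHA-1/SHA-256 length) is the unsalted shape
    that should be rehashed, e.g. transparently on the next successful login."""
    hexdigits = set("0123456789abcdef")
    return "$" not in record and set(record.lower()) <= hexdigits and len(record) in (32, 40, 64)


if __name__ == "__main__":
    print("weak digests collide:", weak_store("pw") == weak_store("pw"))
    rec = store_password(SAMPLE_PASSWORD)
    print("hardened record:", rec)
    print("verify ok:", verify_password(SAMPLE_PASSWORD, rec))
```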

  • An insecure deployment pipeline can introduce the potential for unauthorized access, malicious code, or system compromise.
  • We need to always confirm the users’ identity, authentication, and session management.
  • As software becomes more configurable, there is more that needs to be done to ensure it is configured properly and securely.
  • The recent Log4j2 vulnerability is perhaps the most serious risk in this category to date.
  • Application vulnerabilities are an inevitable byproduct of modern software development, but the OWASP Top 10 provides important lessons for mitigating application security risks.
  • To ensure that your components are safe you should check vulnerability databases regularly and apply security patches promptly.
