OWASP Risk Ranking Changes Reflect Transforming and Dynamic Nature of Security

2021 saw a major revamp of the OWASP top 10 most critical and severe application security risks.

The first article in this series examined the new methodology that OWASP used to derive its ranking. The Second looked at the three new categories they added.

This article highlights the changes in the relative ranking of each application security risk and what they mean to you. 

Broken Access Control: Rises to Number One App Security Risk

Previously number five on the OWASP list, broken access control has risen to the top spot. Security teams seem to be getting better at making sure they know who is accessing apps, but there is plenty of room for improvement in controlling what they can do with them. Yet, both are equally important!

OWASP reported that 94% of apps were tested for broken access control, with 3.8% having one or more flaws. Indeed, there were a staggering 318,000 occurrences of broken access control vulnerabilities in the data set.

Access control is critical. Yet, authentication is often put in place with no controls over the action a user, process, or device can carry out. This has to change, as failure to ensure users, processes, and devices cannot act outside their permissions leads to data security issues, data loss, modification, and breaches.

Some actions to consider:

  • Least privilege access should be your first principle. Least privilege access is the principle of restricting access rights for every user, APIs, and process to the absolute bare minimum of resources required to perform their routine and legitimate activities.
  • Don’t forget to do a thorough audit of the current access policies of your existing applications. Maintain the least privilege principle – give no more rights to anyone than necessary –  deny by default and enforce it!
  • When access control failures occur, log them. Persistent failures could indicate an attack, and you should alert admins immediately – and block failing accounts.
  • When you grant access, use a short lifespan on any session tokens used. This may minimize the window of opportunity an attacker has to compromise your applications. When a session is over, do not allow any tokens to be reused. Invalidate them immediately.
  • Also, to mitigate the effect of automated threats, you should rate limit API access.

Identification and Authentication Failures: Still a Major Challenge

Under its old name of Broken Authentication, this category held the number 2 slot in 2017, but In its 2021 update, OWASP ranked it 7th. Finally, a welcome piece of good news!

However, make no mistake –  these types of attacks remain extremely dangerous for a business. If someone can bypass or fool the authentication system, they have carte blanche to do pretty much anything they want and wreak a lot of havoc. To mitigate their impact, ensure that passwords are long, strong, and frequently changed, and implement multi-factor authentication.

While ranked lower than they were, broken authentication attacks remain a significant challenge. Yet, the increased availability of standardized authentication frameworks and their adoption by businesses make them easier to manage.

Injection: Still a Top Three Threat After Losing Top Spot

In 2021, injection attacks fell from the top spot it long occupied on the OWASP Top 10 List, ranking third among most critical threats.

However, let’s not get overly excited. Injection attacks have not gone away and remain a genuine threat to businesses that need to be mitigated. In its report, OWASP stated that 94% of apps were tested for some, or all, of the 33 CWEs associated with injection vulnerabilities and that there were 274,000 flaws found, which equated to an average incidence rate of 3% – Not good! Read more:https://bit.ly/3KirPhh

You can also read this: New Kiteworks Report Reveals Significant Risk Maturity Gap

Leave a Reply

Your email address will not be published. Required fields are marked *