The OWASP top ten 2021

What is OWASP?

OWASP (Open Web Application Security Project) is a non-profit organisation focused on improving website security. They provide open-source software development programs, project, toolkits, local chapters, conferences, articles, videos, forums, methodologies, documentation and technologies to their community.They provide all these tools and knowledge free of charge and easily accessible to anyone interested in website security. One of their most important projects is the OWASP top ten.Before OWASP, there weren’t a lot of tools or knowledge available about cyber security. With OWASP the community started to learn how to safeguard their code against vulnerabilities, strengthen software encryption and reduce the number of bugs in their code.

What is OWASP top ten?

The OWASP top ten is a document that lists the top ten most critical website security vulnerabilities. It shows the risks, impacts and countermeasures. This list is created by website security experts from around the world. The vulnerabilities are ranked according to the severity of the vulnerabilities, the frequency of the discovered security risks and the magnitude of the potential impact.OWASP recommends that all companies should incorporate the report’s findings and the OWASP recommendations into their website security processes to minimize security risks. The OWASP top ten gets updated every three to four years. The last OWASP top ten was released in 2017, they also recently released a draft of the OWASP top ten 2021.Since the last OWASP top ten some things have changed. There are three new categories. Four categories changed naming or scoping and some are combined now.The OWASP top ten 2021 vulnerabilities are:

• Broken Access Control
• Cryptographic Failures (Used to be: Sensitive Data Exposure)
• Injection
• Insecure Design (New)
• Security Misconfiguration
• Vulnerable and Outdated Components (Used to be: Using Components with Known Vulnerabilities)
• Identification and Authentication Failures (Used to be: Broken Authentication)
• Software and Data Integrity Failures (New)
• Security Logging and Monitoring Failures (Used to be: Insufficient Logging & Monitoring)
• Server-Side Request Forgery (SSRF) (New)

Every vulnerability is explained with an example and OWASP recommendations.

The top ten OWASP vulnerabilities for 2021

Cryptographic Failures

What is it:

Cryptographic Failures are compromised data that should have been protected. This is especially a problem with data that falls under privacy law.

Examples:

• Passwords
• Credit card numbers
• Medical information
• Credentials
• Social security numbers
• Personally identifiable information
• Other personal information
• Business secrets

OWASP recommendations:

• Classify data used by an application and identify which data is sensitive.
• Don’t store sensitive data unnecessarily.
• Encrypt all sensitive data at rest. Encrypt all data in transit with secure protocols. Use authenticated encryption.
• Use proper key management. Generate keys cryptographically randomly and stored in memory as byte arrays.
• Disable caching for responses that contain sensitive data.
• Apply required security controls as per data classification.
• Don’t use legacy protocols such as FTP and SMTP for sensitive data.
• Use strong adaptive and salted hashing functions with a work factor to store passwords.
• Choose initialisation vectors for the appropriate mode of operation.
• Use cryptographic randomness where appropriate, in a non-predictable way with low entropy.
• Avoid deprecated cryptographic functions and padding schemes.
• Verify the effectiveness of configuration and settings independently.

Injection

What is it:

This vulnerability happens when a web application receives invalid data from a hacker to make it do something it’s not programmed to do.

Example:

SQL injection is one of the most common injection flaws. SQL injection is caused by use of untrusted data when constructing a vulnerable SQL call.The lack of validation and sanitisation of the data used by web applications makes data untrusted. It also means that the code injection vulnerability can be present on almost any type of technology related to websites.

OWASP recommendations:

• Keep data separate from commands and queries.
• Using a safe API is the preferred option.
• Use positive or “whitelist” server-side input validation.
• Escape special characters using a specific escape syntax.
• Use LIMIT and other SQL controls within queries.

Insecure Design (New)

What is it:

Insecure design means control design that is missing or ineffective. Insecure design and insecure implementation are not the same thing. They have different root causes and remediation.

Example:

The failure to determine what level of security design is required.

OWASP recommendations:

• Implement requirements and resource management, secure design and a secure development lifecycle.
• Implement a secure development lifecycle to help establish privacy-related and security controls.
• Use a library of secure design patterns or ready to use components.
• Use threat modeling for critical authentication, business logic, access control and key flows.
• Integrate security language and controls into user stories.
• Integrate plausibility checks at each tier of your application.
• Write unit and integration tests to validate that all critical flows are resistant to the threat model. Make use-cases and misuse-cases.
• Segregate tier layers on the system and network layers. Segregate tenants robustly by design throughout all tiers.
• Limit resource consumption by user or service.

Security Misconfiguration

What is it:

The security misconfiguration vulnerability happens when an application doesn’t have a concerted, repeatable application security configuration process. It can be attacked through the act of trying as many combinations as possible.

Example:

One of the most common website security flaws is keeping the CMS default configurations.

OWASP recommendations:

• Implement secure installation processes:
• Automate a hardening process.
• Deploy another environment that is appropriately locked down.
• Remove unused frameworks and features.
• Review and update the configurations appropriate to all updates, security notes and patches.
• Review cloud storage permissions.
• Implement a segmented application architecture, with containerisation, segmentation, or cloud security groups.
• Send security directives to clients.
• Implement an automated process to verify the effectiveness of the settings and configurations in all environments.

Vulnerable and Outdated Components

What is it:

These days, even simple websites have a lot of vulnerabilities. Failing to update every piece of software of a website will introduce website security risks sooner or later.

OWASP recommendations:

• Implement a patch management process:
• Remove unused dependencies.
• Make an inventory of both server-side and client-side components and their dependencies.
• Monitor common sources about vulnerabilities.
• Only obtain components from official sources.
• Monitor for components and libraries that are unmaintained or don’t create security patches for older versions.
• Ensure an ongoing plan for triaging, monitoring, and applying configuration changes or updates for the lifetime of the application.

Identification and Authentication Failures

What is it:

A broken authentication vulnerability can be attacked using automatic or manual methods. This way, an attacker can take control over any account they want or even over the entire system.

Examples:

• Improper validation of certificate with host mismatch
• Improper authentication
• Session fixation

OWASP recommendations:

• Implement multi-factor authentication where possible.
• Don’t deploy or ship with any default credentials.
• Align password complexity length and rotation policies with evidence-based password policies.
• Use the same messages for all outcomes to ensure your registration, credential recovery, and API pathways are hardened against account enumeration attacks.

Software and Data Integrity Failures (New)

What is it:

Software and data integrity failures are vulnerabilities that relate to code and infrastructure that doesn’t protect against integrity violations.

Examples:

• When plugins, libraries, modules from repositories, untrusted sources, or content delivery networks are used in the application.
• When there is an insecure pipeline, it can introduce the potential for malicious code, system compromise, or unauthorised access.
• Updates are downloaded without sufficient integrity verification and are applied to the previously trusted application.
• …

OWASP recommendations:

• Use digital signatures or similar mechanisms.
• Ensure dependencies and libraries are consuming trusted repositories.
• Verify that components do not contain known vulnerabilities by ensuring that a software supply chain security tool is used.
• Ensure that there is a review process for configuration and code changes to minimise the chance of malicious code.
• Ensure that the pipeline has proper configuration, segregation, and access control to ensure the integrity of the code.

Security Logging and Monitoring Failures

What is it:

Security logging and monitoring failures occur when there is insufficient logging, detection and monitoring. Without sufficient logging and monitoring, breaches can’t be detected.

Examples:

• Auditable events are not logged.
• Warnings and errors generate unclear or no log messages.
• Logs of applications and APIs are not monitored.
• Logs are only stored locally.
• No appropriate alerting threshold and response escalation processes in place
• Penetration testing and scans by dynamic application security testing tools don’t trigger alerts.
• The application can’t detect active attacks in real-time.

OWASP recommendations:

• Ensure all access control, login, and server-side input validation failures can be logged with sufficient user context.
• Make sure logs are generated in a format that log management solutions can easily consume.
• Prevent attacks on the logging or monitoring systems by encoding the log data correctly.
• Prevent tampering or deletion by ensuring high-value transactions have an audit trail with integrity controls.
• Establish effective monitoring and alerting.
• Establish an incident response and recovery plan.

Server-Side Request Forgery (SSRF) (New)

What is it:

An attacker can send a crafted request with the application when a web application fetches a remote resource without validating the user-supplied URL.

OWASP recommendations:

• Reduce the impact of SSRF. Segment remote resources access functionality in separate networks.
• Enforce “deny by default” firewall policies or network access control rules. Block all but essential traffic.
• Sanitise and validate all client-supplied input data. Use a positive allow list to enforce the URL schema, port, and destination. Don’t send raw responses to clients. Disable HTTP redirections. Be aware of the URL consistency.
• Do not deploy other security relevant services on front systems.
• Use network encryption on independent systems for frontends with dedicated and manageable user groups.

Discover Jimber Web Application Isolation

The Jimber Web Application Isolation protects your corporate applications using a container. Your data is interpreted in the container and only the graphical visualisation of that data reaches the end user. Attackers can only interact with the Jimber layer, but no longer directly with the API’s of the application. This way, any danger is gone.Our Web Application Isolation meets the highest demands and guarantees website security.The Jimber Web Application Isolation mitigates lots of the OWASP top ten 2021 vulnerabilities, by not exposing the API’s directly. Some vulnerabilities can be explained in more detail.Keep in mind that Jimber Web Application Isolation will function on top of your current security measures. It can’t stop every possible vulnerability on its own. However it will strengthen any existing security measures taken and give a strong layer of extra protection.

Broken Access Control

Since application isolation is not operating within the app itself, we can't prevent broken access control. However, screen recording might show who leveraged the access control.

Cryptographic Failures

Our application isolation can't protect from sensitive data leakage. However using screen recording makes it possible to have a trail of the data that was accessed by the user.

Injection

By preventing the user from directly accessing any API's, our web app isolation will prevent most injection possibilities. It will also prevent buffer overflow attacks. Frontend protection / input checking is now security.We can't fully prevent XSS. We can however prevent XSS from accessing external resources, and thus prevent data leakage. We can also detect anomalies in data traffic. Furthermore we scan URLs for scripting.

Security Misconfiguration

By not allowing XML to be directly sent to the backend service, XXE is virtually impossible.The surface for security misconfigurations becomes much smaller, since optical security is security.

Vulnerable and Outdated Components

Lots of vulnerable and outdated components are being exploited by directly accessing API’s. This specific angle of attacking Vulnerable and Outdated components becomes impossible with Jimber Web Application Isolation.

Identification and Authentication Failures

By implementing oAuth or public/private key authentication on your SaaS application or intranet we can protect authentication with the highest possible security.

Security Logging and Monitoring Failures

On top of all logging and monitoring in your software or service, we can add video recording, logging of keyboard and mouse actions as well as detecting anomalies herein.Check out the Jimber Web Application Isolation at https://jimber.io/web-application-security/Read more about the OWASP top 10 of 2021 on their website: https://owasp.org/Top10/