Security Expert Re: New OWASP Top 10 List for Application Security Risks

In its first update since 2017, the OWASP Top 10 Web Application Security Risks 2021 has been published for peer review. 

Experts Comments

September 15, 2021
Jayant Shukla
CTO and co-founder
K2 Cyber Security


The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). Once again, instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications.

For the 2021 list, OWASP added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks. Insecure design relates to specific design flaws, and software and data integrity failures refers to making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the reasons SSRF and authentication issues are becoming more severe is because of the rapid increase in the use of microservices in building applications. These new risk categories emphasize the need to shift left and improve pre-production testing.

Many of these risks are not new, so why do organizations fail to find these problems before releasing code to production, or fail to protect these vulnerabilities against attack in production?

Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. In fact, the National Institute of Standards and Technology (NIST) has recognized these shortcomings, and last year updated their SP 800-53 application security framework to include RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.
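The comment above describes the new ‘Software and Data Integrity Failures’ category as trusting software updates, critical data and CI/CD artifacts without verifying their integrity. The following added example (not code from the expert or from OWASP) shows the weak pattern beside a hardened one: an update loader that accepts whatever bytes it fetched, and a loader that refuses any artifact whose SHA-256 digest does not match a digest pinned in a trusted manifest. The artifact bytes, the manifest and the names `install_update_insecure`, `install_update_verified` and `check_manifest` are all constructed for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded plugin or update bundle.
GOOD_ARTIFACT = b"plugin-v1.2.0: do_useful_thing()"
# The same artifact with its payload altered in transit (also constructed).
TAMPERED_ARTIFACT = b"plugin-v1.2.0: do_harmful_thing()"

# The pinned digest must come from a trusted source (a signed release manifest
# or a version-controlled lockfile), never from the same channel as the artifact.
PINNED_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()


class IntegrityError(Exception):
    """Raised when a fetched artifact does not match its pinned digest."""


def install_update_insecure(artifact: bytes) -> bytes:
    """The failure pattern: whatever came back from the download is used as-is."""
    return artifact


def verify_artifact(artifact: bytes, pinned_sha256: str) -> bool:
    """Compare the artifact's SHA-256 against the pinned value in constant time."""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def install_update_verified(artifact: bytes, pinned_sha256: str) -> bytes:
    """Hardened loader: the artifact is only handed on once its digest checks out."""
    if not verify_artifact(artifact, pinned_sha256):
        raise IntegrityError("artifact digest does not match pinned value")
    return artifact


def check_manifest(manifest: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """CI/CD gate: return the names of fetched artifacts that are absent from the
    pinned manifest or whose digest does not match it. An empty list means the
    build may proceed; anything else should fail the pipeline."""
    bad = [
        name
        for name, data in fetched.items()
        if manifest.get(name) is None or not verify_artifact(data, manifest[name])
    ]
    return sorted(bad)


if __name__ == "__main__":
    # The insecure loader happily accepts the tampered bundle.
    print(install_update_insecure(TAMPERED_ARTIFACT))
    # The verified loader accepts the genuine bundle and rejects the tampered one.
    print(install_update_verified(GOOD_ARTIFACT, PINNED_SHA256))
    try:
        install_update_verified(TAMPERED_ARTIFACT, PINNED_SHA256)
    except IntegrityError as exc:
        print("rejected:", exc)
    # A pipeline check over several fetched dependencies.
    manifest = {"plugin": PINNED_SHA256}
    fetched = {"plugin": TAMPERED_ARTIFACT, "unpinned-lib": b"never reviewed"}
    print("failing artifacts:", check_manifest(manifest, fetched))
```

The important design point is where the pinned digest lives: if the manifest travels over the same unauthenticated channel as the artifact, an attacker who can alter one can alter both, so the manifest itself needs to be version-controlled or signed.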
