<p>The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). Once again, instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications.</p>
<p>For the 2021 list, OWASP added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks. Insecure design relates to specific design flaws, and software and data integrity failures refers to making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the reasons SSRF and authentication issues are becoming more severe is because of the rapid increase in the use of microservices in building applications. These new risk categories emphasize the need to shift left and improve pre-production testing.</p>
<p>Many of these risks are not new, so why do organizations fail to find these problems before releasing code to production, or fail to protect these vulnerabilities against attack in production?</p>
<p>Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. In fact, the National Institute of Standards and Technologies (NIST) has recognized these shortcomings, and last year updated their SP800-53 application security framework to include RASP (Runtime Application Self Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.</p>
<p>The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). Once again, instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications.</p>
<p>For the 2021 list, OWASP added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks. Insecure design relates to specific design flaws, and software and data integrity failures refers to making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the reasons SSRF and authentication issues are becoming more severe is because of the rapid increase in the use of microservices in building applications. These new risk categories emphasize the need to shift left and improve pre-production testing.</p>
<p>Many of these risks are not new, so why do organizations fail to find these problems before releasing code to production, or fail to protect these vulnerabilities against attack in production?</p>
<p>Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. In fact, the National Institute of Standards and Technologies (NIST) has recognized these shortcomings, and last year updated their SP800-53 application security framework to include RASP (Runtime Application Self Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.</p>