Security Expert Re: New OWASP Top 10 List for Application Security Risks

In its first update since 2017, the OWASP Top 10 Web Application Security Risks 2021 has been published for peer review. 

Jayant Shukla, CTO and co-founder
InfoSec Expert
September 15, 2021 2:20 pm

The Open Web Application Security Project (OWASP) has released its draft Top 10 Web Application Security Risks 2021 list with a number of changes from the 2017 list (the last time the list was updated). Once again, instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications.

For the 2021 list, OWASP added three new categories: ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks. Insecure design relates to specific design flaws, and software and data integrity failures refer to making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the reasons SSRF and authentication issues are becoming more severe is because of the rapid increase in the use of microservices in building applications. These new risk categories emphasize the need to shift left and improve pre-production testing.

Many of these risks are not new, so why do organizations fail to find these problems before releasing code to production, or fail to protect these vulnerabilities against attack in production?

Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. In fact, the National Institute of Standards and Technology (NIST) has recognized these shortcomings, and last year updated their SP800-53 application security framework to include RASP (Runtime Application Self Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses. It’s time the software development industry got on board and adopted these more effective technologies.

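The ‘Software and Data Integrity Failures’ category the comment describes is easiest to see in an update or CI fetch step. The added example below (editorial illustration, not code from the article or from any OWASP project) contrasts a check that trusts a checksum served alongside the download with one that compares against digests pinned out of band; the artifact bytes, file name and pinned manifest are all constructed for the demo.

```python
"""Integrity check for fetched artifacts: pinned digests vs. served digests."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a legitimate release package and the digest an operator
# pinned out of band (committed to the repo / signed manifest) at release time.
GOOD_ARTIFACT = b"example-service-1.2.3: legitimate release bytes"
PINNED = {"example-service.tar.gz": sha256_hex(GOOD_ARTIFACT)}


def insecure_check(artifact: bytes, served_digest: str) -> bool:
    """Before: trusts a checksum fetched from the same place as the artifact.
    Whoever can alter the download can also rewrite the checksum file, so a
    tampered package still 'verifies'. This is the integrity failure itself."""
    return sha256_hex(artifact) == served_digest


def verify_against_pins(files: dict, pinned: dict) -> list:
    """After: compare each fetched file with the digest pinned at build time.
    Returns a list of failure descriptions; an empty list means every pinned
    file arrived intact and nothing unexpected was included."""
    failures = []
    for name, expected in pinned.items():
        data = files.get(name)
        if data is None:
            failures.append(f"{name}: missing from download")
            continue
        # Constant-time comparison avoids leaking how many leading hex chars matched.
        if not hmac.compare_digest(sha256_hex(data), expected):
            failures.append(f"{name}: digest mismatch")
    for name in files:
        if name not in pinned:
            failures.append(f"{name}: not in pinned manifest, refusing to install")
    return failures


def demo():
    """Simulate a tampered mirror: a modified package plus a matching checksum."""
    tampered = GOOD_ARTIFACT.replace(b"legitimate", b"backdoored")
    served_digest = sha256_hex(tampered)  # checksum file from the same mirror
    naive_result = insecure_check(tampered, served_digest)        # True: accepted
    pinned_result = verify_against_pins({"example-service.tar.gz": tampered}, PINNED)
    return naive_result, pinned_result


if __name__ == "__main__":
    print(demo())
```

The naive check accepts the tampered package because the attacker supplied both the bytes and the checksum; the pinned check rejects it, and also refuses files that are missing or that were not part of the release manifest.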