The 2021 list shows how far app security has arrived and how much work remains to be done.
Chris Wysopal, security expert and CTO of Veracode, identified broken access control as a security risk in 1996. OWASP has just pushed this software security issue to the top of the list in the 2021 update of its Top 10. Despite the longevity of this risk, Wysopal describes the latest list as also being at the forefront of security best practices, with its focus on monitoring the software supply chain at the macro (external APIs and software) and micro (libraries) levels.
“The best proof of this is that the extremely slow federal government is going to hold vendors accountable for delivering secure software,” he said.
He listed the NIST definition of critical software, minimum standards for vendors and IoT devices, and software labeling as important elements of President Joe Biden’s recent executive order on software security.
“These changes make it easy for a software buyer to see what has been done to secure their software,” he said.
Wysopal describes the executive order as a long-overdue step in the right direction that will strengthen the security of federal agencies and their software supply chains.
“As the government continues to get more details on requirements, assessments and labeling, it should share this information with the private sector to ensure ALL software is up to the same standards,” he said.
In the OWASP Top 10: 2021, Broken Access Control moved to number one, up from fifth on the 2017 list. In addition, there are three new categories, four categories with naming and scoping changes, and some consolidation. The full 2021 list is:
- A01: Broken Access Control
- A02: Cryptographic Failures (formerly Sensitive Data Exposure)
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures (formerly Insufficient Logging and Monitoring)
- A10: Server-Side Request Forgery
OWASP notes that some of the category names have changed to focus on the root cause rather than the symptom.
How to interpret the new list
Sean Wright, senior application security engineer at Immersive Labs, said the updated list shows how far appsec has come and how far the work has yet to go.
“Half of the categories on the new list have appeared in every list since 2003 in one form or another, so 18 years of technological development, experience and learning were not enough to remedy these flaws,” he said. “This means we need to change our approach to application security.”
Wright said taking a hybrid human/technology approach to addressing these vulnerabilities will improve application security and, hopefully, solve some of the most significant problems of the past two decades.
John Andrews, vice president of Global Channel at Invicti, said the new OWASP Top 10 list takes a much broader view than previous editions, sending a clear message that finding and remedying vulnerabilities is only part of modern application security.
Andrews said new categories such as Insecure Design and Software and Data Integrity Failures reinforce two major industry trends: the move to perform security testing in the early stages of development (shifting left) and the recent emphasis on software supply chain security.
“The flip side of this new holistic approach is that, unlike the earlier editions, the Top 10 for 2021 is no longer just a vulnerability testing checklist, which may limit its usefulness as an unofficial but widely used application security standard,” he said.
Prioritize fixes for the top 10 risks
Injection issues and configuration errors can usually be fixed with a few lines of code, but flaws like Insecure Design can take days or weeks to fix, Wysopal said.
“This is why it is important to detect certain flaws at the design stage or earlier in development when they can be corrected much more easily,” he said.
Wysopal would prioritize fixing Broken Access Control (#1), Injection (#3) and Vulnerable and Outdated Components (#6), as these flaws are some of the easiest for attackers to find and exploit.
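As an added illustration of what a “few lines of code” fix looks like for the first two of those categories, the block below (written for this edit; it is not code from the article, Veracode or OWASP) puts a vulnerable handler beside its hardened form for both Injection (#3) and Broken Access Control (#1). It uses an in-memory SQLite database with constructed sample rows so it runs offline; the table layout and the document-store scenario are assumptions for the example only.

```python
"""Injection (A03) and Broken Access Control (A01): vulnerable vs. hardened.

Added example, not from the article or OWASP. The `docs` table, the two
sample rows and the caller/owner model are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO docs VALUES (?, ?, ?)",
        [(1, "alice", "alice's notes"), (2, "bob", "bob's salary review")],
    )
    return conn


# --- A03 Injection -----------------------------------------------------------

def find_docs_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so an input
    such as  x' OR '1'='1  rewrites the WHERE clause and returns every row."""
    return conn.execute(
        f"SELECT id, body FROM docs WHERE owner = '{owner}'"
    ).fetchall()


def find_docs_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: a parameterised query. The input is bound as a value and can
    never change the statement's structure. One line changed."""
    return conn.execute(
        "SELECT id, body FROM docs WHERE owner = ?", (owner,)
    ).fetchall()


# --- A01 Broken Access Control ----------------------------------------------

def get_doc_vulnerable(conn: sqlite3.Connection, caller: str, doc_id: int):
    """Vulnerable (insecure direct object reference): the record is fetched by
    the client-supplied id and the caller's ownership is never checked."""
    row = conn.execute(
        "SELECT owner, body FROM docs WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[1] if row else None


def get_doc_safe(conn: sqlite3.Connection, caller: str, doc_id: int):
    """Hardened: ownership is enforced in the query itself, so the default is
    deny. Returning None for both 'missing' and 'not yours' avoids leaking
    whether the id exists."""
    row = conn.execute(
        "SELECT body FROM docs WHERE id = ? AND owner = ?", (doc_id, caller)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("injection, vulnerable:", find_docs_vulnerable(db, payload))  # both rows
    print("injection, safe:      ", find_docs_safe(db, payload))        # []
    print("idor, vulnerable:     ", get_doc_vulnerable(db, "bob", 1))   # alice's notes
    print("idor, safe:           ", get_doc_safe(db, "bob", 1))         # None
```

Both fixes are local and mechanical, which is Wysopal's point: an injection bug is closed by binding parameters, and a missing object-level authorization check is closed by putting the owner condition into the lookup. The design-level question of who should be allowed to see which documents in the first place is what the new Insecure Design category targets, and no one-line change answers it.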
DevOps and pipeline automation should drive the evolution of Security as Code (SaC), Compliance as Code (CaC) and Infrastructure as Code (IaC) as the next appsec evolution, Wysopal said.
“In a nutshell, anything that can be code will be code, which means changes won’t be introduced until the new code goes into production,” he said. “This move will significantly ease the burden on development teams to drive adoption of security tools, making software security second nature.”
Wysopal predicts that this approach to software will remove friction from the development process, reduce costs, and improve regulatory compliance.