OWASP toasts 20th anniversary with revised Top 10 for 2021

OWASP celebrated its 20th anniversary last week with a 24-hour webinar that saw the organization officially launch the top 10 web security vulnerabilities for 2021.

The online conference, which took place on September 24-25, saw speakers from across the globe present on topics including privacy, infosec industry trends, and diversity in the workplace.

During a session on Friday afternoon, Andrew van der Stock, executive director at OWASP, presented the revised top 10 to event attendees.

As previously reported by The Daily Swig, this year’s top 10 contains important changes to how the non-profit categorizes today’s web app threats, which have not been refreshed since 2017.

Injection downgrade

Addressing these changes, van der Stock told the audience that while injection attacks were once considered the number one web security risk, this category has now been downgraded to number three.

In its place is ‘broken access control’, which has moved up from the fifth position to the number-one threat to web app security.

The ‘cryptographic failures’ category has shifted up one position to number two. This risk was previously known as ‘sensitive data exposure’, but OWASP renamed it after determining that the old term described a “broad symptom rather than a root cause”.

OWASP wrote: “The renewed name focuses on failures related to cryptography as it has been implicitly before. This category often leads to sensitive data exposure or system compromise.”

Cross-site scripting (XSS) has been bundled into the now third-place ‘injection’ category.

The OWASP Top 10 vulnerabilities in 2021:

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery

Major update

Aside from the category shake-up, there have been major updates to how the OWASP Top 10 project is displayed to users.

Firstly, the list will be available in a mobile-friendly version, and a PDF poster will be released, which van der Stock told the conference will make it more accessible.

“We want to make sure it’s consumable in the way it hasn’t been in the past,” he explained.

The Top 10 logo has also been updated with a fresher, more modern design.

Discussing the release, Ollie Whitehouse, chief technical officer at NCC Group, told The Daily Swig: “It’s good to see OWASP is evolving the Top 10. In a world where we continue to learn about threat and vulnerability against a backdrop of rampant innovation, this natural evolution is going to be a constant.

“Some may raise an eyebrow at some of the OWASP descriptions. For example, the description of SSRF (number 10) – considering it was this class of issue that gave us the [Microsoft] Exchange vulnerabilities earlier in the year, one may argue that the industry is indicating incidence rates are not as low as OWASP believes they are.”

Whitehouse added: “Another example is Software and Data Integrity Failures (number eight) – this is quite a large bucket covering everything from deserialization through to software updates and potentially CI/CD pipelines.

“One might expect this to be one of the quicker growing buckets over the next year as a result.”

Addressing the issues

Elsewhere during the online conference, Philippe De Ryck delivered a talk that asked: is AppSec too hard?

Speaking to delegates, De Ryck, founder of Pragmatic Web Security, discussed whether the ever-expanding checklist of best security practices is, in fact, making it harder for individuals to keep themselves safe online.

“I would love to be in a world where I can just tell them [people], ‘Use this and this, and this and this and you’re done’,” he said. “We’re not there yet, but I’m really hoping we can get there in the future.”

Delivering the closing remarks, the Electronic Frontier Foundation’s Eva Galperin asked: who deserves cybersecurity?

Galperin, director of cybersecurity at the foundation, argued that security should be available and accessible to all people regardless of income or position, and that there needs to be less of a focus on making tools for money.

“Cybersecurity is often focused on protecting people and organizations with money,” she told conference attendees.

“For the same reason why Jesse James robbed banks – it’s where the money is.”

Source: https://portswigger.net/daily-swig/owasp-toasts-20th-anniversary-with-revised-top-10-for-2021