What is the OWASP Top 10?
Security breaches and attacks have become so prevalent that only the very largest ones now make the headlines. But attacks against organizations of all sizes have never been so rife or so sophisticated, making it all the more critical that you do everything you can to protect your organization’s digital assets.
The Open Web Application Security Project (OWASP) is a non-profit organization that works to raise awareness of, improve, and manage web application security risks. Virtually all businesses and other public/private organizations in today’s digital economy maintain web applications and servers to advertise, buy, sell, inform, and serve their customers or members in countless ways. By definition, a web application is public-facing, which makes it especially exposed to exploitation from anywhere at any time. To protect your organization against security attacks and breaches, it is imperative to closely manage the vulnerabilities in your web application software.
OWASP evaluates the most prevalent and critical web application vulnerabilities to produce a Top 10 list that is updated every 3-4 years. The most recent report was published in 2021. The OWASP Top 10 project uses broad industry consensus to determine the 10 most critical web application security risk categories. Well-known CWEs (Common Weakness Enumeration entries) are mapped into the Top 10 categories. The CWEs in turn draw on a larger database of CVEs (Common Vulnerabilities and Exposures) maintained in the National Vulnerability Database (NVD) under the direction of the U.S. National Institute of Standards and Technology (NIST).
Understanding the OWASP Top 10 Categories
The 2021 OWASP Top 10 categories are:
- A01:2021-Broken Access Control: Improper enforcement of restrictions on what authenticated users are allowed to do enables attackers to gain access to unauthorized functionality and/or data.
- A02:2021-Cryptographic Failures: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and personally identifiable information (PII), allowing attackers to steal or modify such data to conduct fraud, identity theft, or other crimes.
- A03:2021-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
- A04:2021-Insecure Design: A new category for 2021, focused on risks related to design flaws rather than implementation mistakes.
- A05:2021-Security Misconfiguration: Security misconfiguration is the most commonly seen issue, including insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. A4:2017-XML External Entities (XXE) is now part of this risk category.
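As an added illustration of the A03 description above (example code, not from OWASP or the original article), the following Python script uses a constructed in-memory SQLite table to show the same user lookup written two ways: with the untrusted value spliced into the query text, and with it bound as a parameter. The vulnerable path hands the input to the SQL interpreter as part of the command, so even a benign name containing an apostrophe breaks the query; the parameterized path never parses the input as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """A03 pattern: the untrusted value is concatenated into the query text,
    so the SQL interpreter parses it as part of the command."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Fix: a parameterized query binds the value as data; the query
    structure is fixed before any user input is involved."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(conn, username):
    """Run both lookups on the same input and report what each returned.
    A SQL syntax error from the vulnerable path is itself a signal that
    user input is being interpreted as code rather than data."""
    try:
        vulnerable = find_user_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = "SQL error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, username)}


if __name__ == "__main__":
    db = make_db()
    for value in ["bob", "o'brien", "' OR '1'='1"]:
        print(repr(value), compare(db, value))
```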