The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of web application software. OWASP uses a community input model which welcomes input and contribution from the public. The Top 10 is a guidance document that ranks, what the community believes, are the top 10 most critical security risks that web applications face. Each risk is ranked in order of frequency discovered, severity of vulnerabilities, and potential impact.
OWASP recently released an update to its top 10 web application security threats for 2021. The last update to the list was in 2017, so this is something that was long overdue. With the ever-changing landscape in web application security, for 2021 OWASP has introduced 3 new categories, changed the names of categories, and consolidated a few items. OWASP Stated this is to, “focus on the root cause over the symptom.” Below is a summary of the changes:
The 3 new categories are:
- A04:2021- Insecure Design
- A08:2021- Software & Data Integrity Failures
- A10:2021- Server-Side Request Forgery (SSRF)
To update the Top 10, OWASP utilized data from researchers for 8 of the top 10 categories, and similar to 2017, included 2 from their community survey. Often, the data is a lagging indicator for the threats the community on the front lines sees as the top threats. These are threats that may never be reflected in the data. Certain threats will take time to fine tune a testing methodology and then more time to create a way to test against those threats in an automated fashion.
There are data factors that are listed for each of the Top 10 Categories, here is what they mean:
- CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
- Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that organization for that year.
- Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
- Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
- (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
- Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
- Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.
If you need to assess one of your web applications against the new OWASP Top 10, nGuard’s web application penetration testing is driven by the OWASP Top 10 and all findings are issued with a correlation to the application item within the top 10. Identify your weak points using the industry standard for web application assessments today!