Every security-conscious developer knows a thing or two about the principles of the OWASP Top 10. The list is generally revised every four years – some of the best-known releases are the 2013 OWASP Top 10, the 2017 OWASP Top 10, and the vulnerability list compiled by OWASP in 2021.
The list of vulnerabilities compiled by OWASP generally changes from edition to edition: for example, the 2017 OWASP Top 10 was wildly different in its contents from the 2013 edition. Much of that is because the OWASP team completely refactored the list, revamped the methodology, used a new data-call process, worked with the community, re-ordered the list of risks, re-wrote each risk from the ground up, and added references to frameworks and languages that were becoming more and more common. Some of the new issues in the 2017 list included the following:
- The XML External Entity (XXE) vulnerability, a category that was added based on the findings of source code analysis (SAST) tools.
- The insecure deserialization vulnerability, which can permit remote code execution.
- The insufficient logging and monitoring vulnerability, whose main effect is delayed breach detection.
The last two vulnerabilities in the list were added after OWASP asked the community for input.
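To make the first item concrete, here is an added example (not from the original post, and not OWASP's or BreachDirectory's code) in Python showing the simplest hardening against XXE: refuse any untrusted XML document that carries a DOCTYPE at all, since both external entities and entity-expansion bombs need a DTD to exist. The function names and the sample documents are constructed for this illustration; the file path inside the sample is a placeholder.

```python
"""Reject DTDs in untrusted XML before parsing (added example, not the post's own code)."""
import xml.parsers.expat
import xml.etree.ElementTree as ET
from xml.parsers.expat import ExpatError


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _reject(*_args):
    # Any DOCTYPE or entity declaration is grounds for rejection: external
    # entities (XXE) and entity-expansion bombs both require a DTD.
    raise ForbiddenDTD("DOCTYPE/ENTITY declarations are not allowed in untrusted XML")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document with a DTD.

    A pre-flight pass with expat fires the handlers the moment a DOCTYPE or
    entity declaration appears, so we abort before any entity could be
    expanded or any external resource fetched.
    """
    preflight = xml.parsers.expat.ParserCreate()
    preflight.StartDoctypeDeclHandler = _reject
    preflight.EntityDeclHandler = _reject
    preflight.Parse(data, True)  # raises ForbiddenDTD or ExpatError
    # Only documents that survived the pre-flight reach the real parser.
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Label a document as accepted, rejected for a DTD, or rejected as malformed."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except ForbiddenDTD:
        return "rejected: dtd"
    except (ET.ParseError, ExpatError):
        return "rejected: malformed"


def is_safe_xml(data: bytes) -> bool:
    """True only if the document parses cleanly and contains no DTD."""
    return classify(data) == "accepted"


# Constructed sample inputs (not taken from any real system).
SAFE_DOC = b"<order><item sku='A-1' qty='2'/></order>"

# Textbook XXE shape: the DTD declares an external entity (placeholder path).
XXE_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/not-a-real-file'>]>"
    b"<order>&ext;</order>"
)

# Entity-expansion shape: nested internal entities that expand to far more
# text than the document itself contains (kept tiny here on purpose).
BOMB_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE lolz [<!ENTITY a 'aaaaaaaaaa'>"
    b"<!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>"
    b"<!ENTITY c '&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;'>]>"
    b"<lolz>&c;</lolz>"
)


if __name__ == "__main__":
    for name, doc in [("safe", SAFE_DOC), ("xxe", XXE_DOC), ("bomb", BOMB_DOC)]:
        print(f"{name}: {classify(doc)}")
```

The pre-flight pass costs one extra parse, but it means the decision is made on the first DOCTYPE token rather than after the parser has already resolved entities; if your application genuinely needs DTDs, the stricter alternative is a parser configured to never resolve external entities, which is a per-library setting and not shown here.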
For your reference, here’s a comparison between the 2013 and 2017 versions of the OWASP Top 10 (the vulnerabilities in bold are new; the ones marked with an asterisk were submitted by the community):

| 2013 OWASP Top 10 | 2017 OWASP Top 10 |
| --- | --- |
| Injection (not only SQL injection, but injection attacks in general) | Injection (same as in the 2013 release) |
| Broken Authentication and Session Management | Broken Authentication |
| Cross-site Scripting | Sensitive Data Exposure |
| Insecure Direct Object Reference (IDOR) attacks | **XML External Entities (XXE)** |
| Security Misconfiguration | Broken Access Control |
| Sensitive Data Exposure | Security Misconfiguration |
| Missing Function-level Access Control | Cross-site Scripting (XSS) |
| Cross-site Request Forgery (CSRF) | **Insecure Deserialization** * |
| Using Components with Known Vulnerabilities | Using Components with Known Vulnerabilities |
| Unvalidated Redirects and Forwards | **Insufficient Logging and Monitoring** * |
As you can see, the lists created by OWASP in 2013 and in 2017 differ quite significantly – some vulnerabilities were merged, some taken out, some created anew. Let’s now look at the differences between the 2017 and 2021 lists (new vulnerabilities are outlined in bold):

| 2017 OWASP Top 10 | 2021 OWASP Top 10 |
| --- | --- |
| Injection | Broken Access Control |
| Broken Authentication | Cryptographic Failures |
| Sensitive Data Exposure | Injection |
| XML External Entities (XXE) | **Insecure Design** |
| Broken Access Control | Security Misconfiguration |
| Security Misconfiguration | Vulnerable and Outdated Components |
| Cross-site Scripting (XSS) | Identification and Authentication Failures |
| Insecure Deserialization | **Software and Data Integrity Failures** |
| Using Components with Known Vulnerabilities | Security Logging and Monitoring Failures |
| Insufficient Logging and Monitoring | **Server-Side Request Forgery (SSRF)** |
As you can see, there were changes yet again, which tells us that the OWASP Top 10 list is ever-evolving. Some categories are still intact (e.g. injection), some were taken out as the security landscape continued to evolve, and some are completely new.
Developers still need to know how to fend off each one (or at least the majority) of the vulnerabilities listed above. Unfortunately, not many developers are ready to fight each and every vulnerability on the list, which means that some vulnerabilities are bound to be left relatively untouched, and that’s okay – as long as we have decent security procedures and at least a moderately capable Web Application Firewall (WAF), we should be good to go. And with that, we come to one of the principles of web application security: Defense in Depth.
Defense in depth is a security strategy that uses multiple security measures at once to protect a system (that might mean having a WAF and some DDoS protection, analyzing data integrity, working with antivirus or anti-malware software, etc.). Defense in depth is not always easy – especially these days, when organizations are being attacked left, right, and center. BreachDirectory can help you fend off these attacks – implement its API offering in your infrastructure and make sure that the employees and everyone else in your organization are not part of a data breach, now or in the future, or tell your family to run a search through its search engine to ensure that none of your family members are at risk of identity theft.
Summary
The principles of the OWASP Top 10 are ever-evolving: some categories that were in place in 2013 were dropped in the 2017 version, and some categories in the 2017 version of the OWASP Top 10 were removed in the 2021 version. Defending our web applications is only one part of our security strategy, though – for an entire organization to be secure, we should consider employing firewalls, anti-malware systems, or anything else that could help our organization become more resilient to cyber threats. Starting off with the services provided by BreachDirectory is a great start – employ the capabilities of its API in your infrastructure or scan through the ever-updating list of data breaches to be safe. We hope you’ve learned something in this blog post – stick around, and we’ll see you in the next one!