Published on: November 15, 2021
6 min read
Top five actions engineers should take based on the OWASP Top 10 2021 security updates
Learn what actions engineers should take based on the OWASP Top 10 updates for 2021
<%= cache_bust(stylesheet_link_tag('harveyball'), cache_bust_value) %>
The OWASP Foundation recently released its long-anticipated OWASP top 10 security vulnerability trends for 2021. This list provides awareness for developers and security teams on the most critical security risks to applications. This is the first update in four years.
We're proud to sponsor the OWASP organization, which supports their mission "to help the world improve the security of its software" as well as support regional and global annual conferences. We were also thrilled to be able to help with the OWASP top 10 updates by compiling and providing anonymized vulnerability data to OWASP so they could use it with data from other sources to compile the trends.
There are many changes to the OWASP top 10
OWASP Top 10 changes from 2004 to 2021
In the top 5, broken access control has gone from #5 up to #1 on this list due to nearly 4% of applications having challenges in this area. Insecure design has been added as a new category. Cryptographic failures, injection, and security misconfiguration continue to be high on the list.
In the bottom 5, vulnerable and outdated components, identification/authentication issues, and logging/monitoring are still present. New categories are software/data integrity and Server-Side Request Forgery (SSRF).
The most significant changes between the OWASP Top 10 2017 and 2021 rankings is the position of Broken Authentication, which moved five steps down from position 2 to 7. This change indicates that this category is considered much less critical nowadays than it used to be in the past. In contrast, Broken Access Control is considered more critical in 2021 in comparison to 2017 because it moved up four steps from position 5 to 1.
Another noticeable difference when comparing OWASP Top 10 2017 and 2021 is the disappearance of the XML External Entity (XXE), Cross-Site Scripting (XSS), and Insecure Deserialization categories which have been absorbed by the Security Misconfiguration, Injection and Software and Data Integrity Failures categories in the 2021 ranking, respectively. This change freed up two additional spots in the 2021 ranking for the entirely new categories Insecure Design and SSRF. Vulnerabilities in Software Dependencies moved up three positions from position 9 in 2017 (Using Components with Known Vulnerabilities) to position 6 in 2021 (Vulnerable and Outdated Components).
What should engineering and security teams do based on the updates?
- Broken access control – SAST and DAST scanners can sometimes help to find some classes of these issues. Automated tools can identify that user X can access feature Y; however, they often cannot determine if that user should have that level of access. This is where designing for security from the beginning comes into play, especially for authentication and authorization. Humans cannot be replaced with automation to detect many of these issues. Focused penetration testing and bug bounty programs are key to find things that may have slipped through the cracks.
- Insecure design – Similar to the top controls for broken access control, it is essential to design for security at the beginning and monitor it over time. Teach developers how their applications may be attacked through threat modeling in order to enable them to design and evaluate the system design from a security-first mindset.
- Software/data integrity – Educate developers on attackers doing typosquatting on common libraries and inducing developers to use their libraries that have been compromised. Confirm your libraries and other dependencies are checked for known security issues via GitLab Dependency Scanning, and/or Container Scanning and open source tools like OWASP dependency check. Also, consider tools like package hunter that can help find malicious code in your dependencies.
- Server-Side Request Forgery – Sanitize untrusted input data using hardened libraries and fuzz test your inputs to suss out unexpected behaviors. Implement allow lists for what should be permitted rather than deny lists that can be easily thwarted by a determined attacker. SAST and DAST scanners can often easily identify this class of issues.
- Keep diligence on the other top threats on the list via the above recommendations, including confirming monitoring and pre-established escalation runbooks for security issues. Scan your code for secrets that can accidentally leak into repositories. Keep an eye on vulnerability trends in your applications over time to make sure they are being vetted and addressed as appropriate. Scan and monitor your containers for security issues.
How do GitLab and other solutions measure up to these risks?
No one solution covers the entire threat in any category. A defense-in-depth strategy of employing multiple areas of validation is key to managing risk.
More information about how GitLab addresses these risks can be found on the secure product metric page.
| Security risk | GitLab Secure & Protect | Penetration Testing | Bug Bounties | Security Training | Security-First Design | Security Monitoring & Escalation |
|---|---|---|---|---|---|---|
| A01:2021-Broken Access Control | ||||||
| 02:2021-Cryptographic Failures | ||||||
| 03:2021-Injection | ||||||
| A05:2021-Security Misconfiguration | ||||||
| A06:2021-Vulnerable and Outdated Components | ||||||
| A07:2021-Identification and Authentication Failures | ||||||
| A08:2021-Software and Data Integrity Failures | ||||||
| A09:2021-Security Logging and Monitoring Failures | ||||||
| A10:2021-Server-Side Request Forgery |
Coverage legend:
- - 0%
- - 25%
- - 50%
- - 75%
- - 100%
Cover image by Joshua Golde on Unsplash