... and what stings can be most painful for you! Anyone who works in cyber security knows the wasp in the logo of the OWASP (Open Web Application Security Project) very well. The “OWASP Top 10” report, published at regular intervals, lists the ten most critical security risks found in Web applications. The ranked list appeared in 2003 for the first time and is highly regarded among cyber security experts and Web developers. What does the current report look like? Melchior Limacher, one of InfoGuard's Senior Cyber Security Consultants, has analysed the latest report in detail, takes stock for you and reports the most important changes.
All in all, my colleagues and I have quite a positive view of the changes in the latest version of the OWASP Top 10 Risks of Web Applications. In particular, we believe that joining the two risks “Insecure Direct Object References” and “Missing Function Level Access Control” into the superior risk category “Broken Access Control” makes sense. And just like in the previous version, “Injection” and “Broken Authentication” take the infamous first and second place. But let us have a look at the list ...
The Top 10 Security Risks of Web Applications
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
“Cross-Site Scripting (XSS)” has lost a couple of positions since last year, but it is still in the list of the top risks – with good reason, and matching my own personal experience. Indeed, we keep finding XSS vulnerabilities even in high-quality applications: and quite often such vulnerabilities are rather severe.
Cross Site Request Forgery was “forgotten” in the list
According to our penetration testers, it goes beyond understanding why “Cross Site Request Forgery (CSRF)” is no longer on the list. This vulnerability can have bad effects and is just as widespread as before.
The new entry “XML External Entities (XEE)” can be found now and then, and it is quite dangerous, but thanks to the increasing use of JavaScript Object Notation (JSON) it is retreating. Therefore, at InfoGuard we have included the XEE-vulnerability in the more generic Injection, and put CSRF back in its place in the Top 10.
Another new entry in the Top 10 is the “Insecure Deserialization”. This class of risks is not new at all, but raising the sensitivity of developers and other persons in charge is a good thing. Insecure deserialization of objects can lead, in a worst-case scenario, to the mother of all vulnerabilities: the dreaded Remote Code Execution.
“Insufficient Logging & Monitoring” has received its place in the list, and we agree. Clients noticing an attack is the exception, not the rule. When they ask us to do a cyber attack simulation, our penetration testers sometimes are able to move unnoticed in a client's network for days, maybe even weeks, without being noticed by the client's cyber defence. Although many experts – including us at InfoGuard – keep warning that preventive security is no longer enough, we still meet these situations very often. The focus of cyber security must be clearly set on the detection of, and reaction to, security incidents. The simple preventive defence is nowadays inadequate. Our services at the Cyber Defence Center address exactly this issue, for a comprehensive cyber security.
Take advantage of the OWASP Top 10 list, for your own cyber security
The OWASP Top 10 are neither a penetration test checklist nor a complete classification of weaknesses or risks in Web applications. The OWASP Top 10 are an “Awareness Document”, to raise the sensitivity of technical staff, project leaders and organisation on the most frequent vulnerabilities, and in general on the security needs of Web applications.
The fundamental aspects of security – which incidentally are not at all new – should be taken into due consideration, already in the early stages of defining the architecture and developing the Web application. It turns out to be much cheaper than pushing them in at a later stage. You should start right away with your next application.
A simulated “cyber wasp sting” by our pentesters makes things clearer for you
Do you too want to know how far can a hacker force his way into your Web application? Our penetration testers will perform a Web Application Audit and tell you! For a risk-based assessment of a Web application, the audit must be performed with a “white-box approach”. You will have an interview with our auditors, in which you will provide them with detailed information on your product and its architecture, plus all the documentation they need. Depending on this information, we shall identify which functionalities in the application are most critical from a security point of view. Normally we can identify classical vulnerability in a Web application on our own, but by using this procedure we make sure that any special functions and weaknesses in the application logic are duly analysed and assessed.
Take the chance and put your Web applications to the test – you will not regret it!
PS: We are constantly organising exciting events where our pentesters demonstrate live how easy it is to crack a network. Subscribe to our newsletter right now so you will not miss the next show!
