The more things change, the more they stay the same. Despite a changing threat landscape and threat actors who keep upping their game, the vulnerabilities behind the threats remain consistent. The OWASP Top 10, ranked by the Open Web Application Security Project, lists the 10 most prominent and dangerous risks and threats for applications.

The OWASP top 10 publishes only once every few years. So, although there is currently no OWASP top 10 for 2021, a list will probably be released this year. The report writers don’t expect the list to change much, if at all, from the current rankings.

If you can address the majority of the OWASP top 10 most common security vulnerabilities, your security posture should be in great shape. So, what is the current top 10, and how can you defend against them?

OWASP A1:2017 – Injection

You’ve probably heard about SQL Injection, the most common injection type. SQL Injection was first disclosed in 1998 and is not difficult to defend against, yet it’s still common. Other injection flaws include NoSQL, OS and LDAP injection. In a nutshell, injections happen when an attacker sends or inserts untrusted code into the database query. In successful attacks, the attacker gains control of your database.

A2:2017 – Broken Authentication

When user authentication controls are either not set up correctly or overlooked, the likelihood of an account being breached can skyrocket. If attackers can compromise your passwords, session token or keys, there’s no limit to the kind of damage they can inflict. Methods used to exploit this vulnerability include credential stuffing, brute force access and session hijacking.

A3:2017 – Sensitive Data Exposure

Far too many web applications and application programming interfaces lack the proper protection of confidential data, such as health care, financial and other information. The HTTP protocol is unencrypted and can be compromised at any node along the traffic route.

A4:2017 – XML External Entities (XXE)

XML, eXtensible markup language, is still used to distribute data over the Internet. Older or misconfigured XML processors may process references to external sources within the documents, allowing attackers to gain access to internal files, perform remote code execution and even launch denial of service attacks.

A5:2017 – Broken Access Control

What happens when your users’ accounts have more access than they need to do their jobs? To you, it may be a risk; but to attackers, it’s a goldmine, OWASP says. When restrictions are not in place on how much access authenticated users have (access control), an attacker can wreak havoc on your systems if they compromise those accounts.

A6:2017 – Security Misconfiguration

Perhaps the most common problem on this list, misconfiguration happens when users and developers do not adhere to basic controls like changing default passwords, patching outdated systems or poorly configured apps.

A7:2017 – Cross-Site Scripting (XSS)

In cross-site scripting (XSS) attacks, the attackers inject code onto a legitimate website. That code then executes when the site loads onto the victim’s browser. XSS is successful because, inherently, web browsers will trust that the code they need to load is secure. XSS can alter websites, hijack user sessions or trick the user into visiting malicious sites.

A8:2017 – Insecure Deserialization

Serialization and deserialization are common to many web applications based on programming languages such as Java and .Net, OWASP says. Serialization changes an object into a transmittable disk format. Deserialization converts the serialized data into a usable object. An insecure deserialization vulnerability occurs if the process isn’t properly secured by the application. Deserialization can let an attacker perform remote code execution, injection attacks, replay attacks and privilege escalation attacks.

A9:2017 – Using Components With Known Vulnerabilities

Third-party or open source components like libraries, frameworks and other software modules often execute with the same privileges as the application. If the attacker exploits one of these components, the victim can suffer severe data loss or server takeover.

A10:2017 – Insufficient Logging & Monitoring

You can’t manage what you don’t measure, and if you’re not logging and watching for abnormal traffic or access you may never know you’ve been breached. With so many systems creating so many logs, it’s no wonder that companies have a difficult time managing this.

How to Defend Against the OWASP Top 10

Now that you know what the top 10 vulnerabilities are, it’s time to learn how to prevent them from happening in your business or agency.

Here are the top 10 tips and strategies:

Embrace and Adopt Zero Trust

The zero trust framework runs on the principle of least privilege. In essence, zero trust gets its name because it trusts nobody or nothing by default — unless and until they are verified. While zero trust may not be a simple solution, it is a critical element of defending against many OWASP top 10 vulnerabilities. Learn more about zero trust here.

MFA and Robust Password Policies

What makes up a strong password is constantly changing, but password policies should encourage or enforce a mix of numbers, letters and special characters. The minimum password length should be 10 characters, as eight characters are too easy to crack. Do not store passwords locally, and be sure to encrypt them. Multi-factor authentication, while not foolproof, can be effective in mitigating broken authentication vulnerabilities.

Web Application Firewalls or Next-Gen Firewalls

A web application firewall (WAF) works at the application layer (layer 7), monitors incoming traffic and blocks malicious traffic, acting as a gateway against incoming app attacks. WAFs are configurable to look for emerging threats or established ones such as those in the OWASP list and can be tailored to your specific risk profile. Next-gen firewalls (NGFWs) work at the network layer (layers 3 and 4), represent a line of defense against unwanted network access and protect the internal network. NGFWs may even foster zero trust.

Proper Access Controls

Proper access control should mimic zero trust as close as possible. You may not be able to achieve full zero trust, but experts recommend at least role-based and least privileged approach for access. Limit access to only what someone needs to do their job. Unused accounts, access points and services should be removed.

Validate Input

It’s simple: when a user or app sends a query, upload or other input, it should be validated. When inputs are validated, attacks like injections and cross-site scripting have a much lower probability of succeeding.

Encrypt Whenever Possible

A few rules of thumb here. First, if your data is sensitive, it should be encrypted. Encrypt passwords with access to confidential data. Lastly, when in transit, data should be encrypted with SSL.

Logging and Monitoring

Logging may be tedious, but logging and audit software can simplify the process. Regularly analyzing your logs and monitoring traffic, data and access may prevent future attacks and help establish security policy.

Audits, Vulnerability Scans and Penetration Tests

Knowing where vulnerabilities are is critical in maintaining good posture in today’s evolving threat landscape. Vulnerability assessments and scans, audits and penetration tests are the best way to accomplish this. Conduct them as often as possible and order risks according to their possible impact.

Secure Coding Practices Against OWASP Top Threats

If your code is not secure, your applications aren’t either. Following secure coding practices is critical. Developers and security teams should work together to establish guidelines and goals that are achievable and fair.

Practice Good Cyber Hygiene

Good practices — like patching and updating often, using only trusted software, reducing shadow IT, and promoting security awareness — can all go a long way in reducing your risk.

Ultimately, organizations with the best cybersecurity posture foster a strong cybersecurity culture and have buy-in from all departments, employers and senior management. That way you’ll be prepared against the threats OWASP warns against and others that may crop up.

More from Software Vulnerabilities

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today