The more things change, the more they stay the same. Despite a changing threat landscape and threat actors who keep upping their game, the vulnerabilities behind the threats remain consistent. The OWASP Top 10, ranked by the Open Web Application Security Project, lists the 10 most prominent and dangerous risks and threats for applications.

The OWASP top 10 publishes only once every few years. So, although there is currently no OWASP top 10 for 2021, a list will probably be released this year. The report writers don’t expect the list to change much, if at all, from the current rankings.

If you can address the majority of the OWASP top 10 most common security vulnerabilities, your security posture should be in great shape. So, what is the current top 10, and how can you defend against them?

OWASP A1:2017 – Injection

You’ve probably heard about SQL Injection, the most common injection type. SQL Injection was first disclosed in 1998 and is not difficult to defend against, yet it’s still common. Other injection flaws include NoSQL, OS and LDAP injection. In a nutshell, injections happen when an attacker sends or inserts untrusted code into the database query. In successful attacks, the attacker gains control of your database.

A2:2017 – Broken Authentication

When user authentication controls are either not set up correctly or overlooked, the likelihood of an account being breached can skyrocket. If attackers can compromise your passwords, session token or keys, there’s no limit to the kind of damage they can inflict. Methods used to exploit this vulnerability include credential stuffing, brute force access and session hijacking.

A3:2017 – Sensitive Data Exposure

Far too many web applications and application programming interfaces lack the proper protection of confidential data, such as health care, financial and other information. The HTTP protocol is unencrypted and can be compromised at any node along the traffic route.

A4:2017 – XML External Entities (XXE)

XML, eXtensible markup language, is still used to distribute data over the Internet. Older or misconfigured XML processors may process references to external sources within the documents, allowing attackers to gain access to internal files, perform remote code execution and even launch denial of service attacks.

A5:2017 – Broken Access Control

What happens when your users’ accounts have more access than they need to do their jobs? To you, it may be a risk; but to attackers, it’s a goldmine, OWASP says. When restrictions are not in place on how much access authenticated users have (access control), an attacker can wreak havoc on your systems if they compromise those accounts.

A6:2017 – Security Misconfiguration

Perhaps the most common problem on this list, misconfiguration happens when users and developers do not adhere to basic controls like changing default passwords, patching outdated systems or poorly configured apps.

A7:2017 – Cross-Site Scripting (XSS)

In cross-site scripting (XSS) attacks, the attackers inject code onto a legitimate website. That code then executes when the site loads onto the victim’s browser. XSS is successful because, inherently, web browsers will trust that the code they need to load is secure. XSS can alter websites, hijack user sessions or trick the user into visiting malicious sites.

A8:2017 – Insecure Deserialization

Serialization and deserialization are common to many web applications based on programming languages such as Java and .Net, OWASP says. Serialization changes an object into a transmittable disk format. Deserialization converts the serialized data into a usable object. An insecure deserialization vulnerability occurs if the process isn’t properly secured by the application. Deserialization can let an attacker perform remote code execution, injection attacks, replay attacks and privilege escalation attacks.

A9:2017 – Using Components With Known Vulnerabilities

Third-party or open source components like libraries, frameworks and other software modules often execute with the same privileges as the application. If the attacker exploits one of these components, the victim can suffer severe data loss or server takeover.

A10:2017 – Insufficient Logging & Monitoring

You can’t manage what you don’t measure, and if you’re not logging and watching for abnormal traffic or access you may never know you’ve been breached. With so many systems creating so many logs, it’s no wonder that companies have a difficult time managing this.

How to Defend Against the OWASP Top 10

Now that you know what the top 10 vulnerabilities are, it’s time to learn how to prevent them from happening in your business or agency.

Here are the top 10 tips and strategies:

Embrace and Adopt Zero Trust

The zero trust framework runs on the principle of least privilege. In essence, zero trust gets its name because it trusts nobody or nothing by default — unless and until they are verified. While zero trust may not be a simple solution, it is a critical element of defending against many OWASP top 10 vulnerabilities. Learn more about zero trust here.

MFA and Robust Password Policies

What makes up a strong password is constantly changing, but password policies should encourage or enforce a mix of numbers, letters and special characters. The minimum password length should be 10 characters, as eight characters are too easy to crack. Do not store passwords locally, and be sure to encrypt them. Multi-factor authentication, while not foolproof, can be effective in mitigating broken authentication vulnerabilities.

Web Application Firewalls or Next-Gen Firewalls

A web application firewall (WAF) works at the application layer (layer 7), monitors incoming traffic and blocks malicious traffic, acting as a gateway against incoming app attacks. WAFs are configurable to look for emerging threats or established ones such as those in the OWASP list and can be tailored to your specific risk profile. Next-gen firewalls (NGFWs) work at the network layer (layers 3 and 4), represent a line of defense against unwanted network access and protect the internal network. NGFWs may even foster zero trust.

Proper Access Controls

Proper access control should mimic zero trust as close as possible. You may not be able to achieve full zero trust, but experts recommend at least role-based and least privileged approach for access. Limit access to only what someone needs to do their job. Unused accounts, access points and services should be removed.

Validate Input

It’s simple: when a user or app sends a query, upload or other input, it should be validated. When inputs are validated, attacks like injections and cross-site scripting have a much lower probability of succeeding.

Encrypt Whenever Possible

A few rules of thumb here. First, if your data is sensitive, it should be encrypted. Encrypt passwords with access to confidential data. Lastly, when in transit, data should be encrypted with SSL.

Logging and Monitoring

Logging may be tedious, but logging and audit software can simplify the process. Regularly analyzing your logs and monitoring traffic, data and access may prevent future attacks and help establish security policy.

Audits, Vulnerability Scans and Penetration Tests

Knowing where vulnerabilities are is critical in maintaining good posture in today’s evolving threat landscape. Vulnerability assessments and scans, audits and penetration tests are the best way to accomplish this. Conduct them as often as possible and order risks according to their possible impact.

Secure Coding Practices Against OWASP Top Threats

If your code is not secure, your applications aren’t either. Following secure coding practices is critical. Developers and security teams should work together to establish guidelines and goals that are achievable and fair.

Practice Good Cyber Hygiene

Good practices — like patching and updating often, using only trusted software, reducing shadow IT, and promoting security awareness — can all go a long way in reducing your risk.

Ultimately, organizations with the best cybersecurity posture foster a strong cybersecurity culture and have buy-in from all departments, employers and senior management. That way you’ll be prepared against the threats OWASP warns against and others that may crop up.

more from Application Security

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…