In the past year, a number of high-profile data breaches have come to light.
These include both major companies and smaller organizations.
While the causes of these breaches vary, they all have one thing in common: better cybersecurity practices could have prevented them.
The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. As part of this mission, they maintain a list of the top 10 most common security risks.
The organization updates this list annually and released the most recent version in December 2020. Here are the top 10 OWASP breaches of 2021, along with some general tips on how to prevent them.
Owasp released their list of the top 10 breaches of 2021. What were the most prevalent vulnerabilities?
- Broken Access Control: occurs when an application does not properly restrict access to sensitive data or resources. This can allow unauthorized users to gain access to sensitive data or perform actions that they should not be able to.
- Cryptographic Failures: A cryptographic failure is a vulnerability in a cryptographic system that allows an attacker to break the system and gain access to the data it is meant to protect. Cryptographic failures can occur due to a number of reasons, including poor design, implementation errors, and weak cryptographic keys.
- Injection: it occurs when the application executes an untrusted input. This can allow attackers to execute malicious code, access sensitive data, or modify application data.
- Insecure Design: Insecure design is a category that represents different weaknesses.
This means that the controls that should be in place to keep the system or software secure are either missing or not effective. This can lead to vulnerabilities that attackers can exploit. One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine the required level of security design.
- Security Misconfiguration: The application might be vulnerable if: –
- it doesn’t have the right security hardening across the whole application or if it’s a bad configuration on cloud services.
- There is the presence of unnecessary features, like unnecessary ports open or services active.
- There are default accounts
- Error handling reveals too much information to users
- Vulnerable and Outdated Components: This vulnerability occurs if the versions of some of the components you use are vulnerable or out of date.
- Identification and Authentication Failures: Identification and authentication failures happen when someone can’t confirm that a user is who they say they are. This can happen if the application permits automated attacks, like credential stuffing or brute force attacks. It can also happen if the application uses weak or ineffective credential recovery processes.
- Software and Data Integrity Failures: Integrity violations happen when code or infrastructure doesn’t protect against them. This can happen when an app relies on plugins, libraries, or modules from untrusted sources, like repositories or content delivery networks (CDNs).
Attackers could potentially upload their own updates to be distributed and run on all installations.
Another example is where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization.
- Security Logging and Monitoring Failures: Without logging and monitoring, breaches would be impossible to detect breaches. This means that if something goes wrong, it might be hard to find and fix the problem before it’s too late.
- Server-Side Request Forgery: Some web applications allow users to fetch a URL, but don’t properly validate the user-supplied URL. This flaw is called SSRF (Server Side Request Forgery). An attacker can use SSRF to coerce the application to send a crafted request to an unexpected destination, even with the protection of a firewall, VPN, or another type of network access control list (ACL). This can allow the attacker to access sensitive information or launch further attacks.
Steps that an organization can take to protect itself
Failing to address these vulnerabilities can have a number of consequences. These include data breaches, loss of customer trust, damage to reputation, and financial losses. Reading the list and protecting from those specific vulnerabilities, can be a big step forward, anyway, there are a bunch of general precautions that an organization can put in place:
- Implementing strong authentication and session management controls.
- Validating and sanitizing all input.
- Restricting access to sensitive data and resources.
- Configuring applications securely.
- Enabling logging and monitoring.
- Using secure communications protocols.
- Implementing security controls.
- Designing applications with security in mind.
- Following change management procedures.
In conclusion, the OWASP top 10 list for 2021 is a great resource for organizations to use to improve their cybersecurity practices. By taking steps to address the most common security risks, organizations can protect themselves from data breaches and other consequences.