We in the security industry love the OWASP Top 10. For one, it has a catchy name. But more than that, it has a simple way of grabbing people’s attention and focusing them on application security using the concept of a simple list. The OWASP Top 10, released by the Open Web Application Security Project every four years, has become a benchmark that the entire industry rallies around for application security. So much so that OWASP also maintains similar lists for Mobile Application Security and IoT Security.
OWASP has created its first Release Candidate (RC-1) for the year 2017. While this document is still under review and open for comments from the community, it is a complete document that will probably see minimal changes, if any, before it is released to the world.
What’s the OWASP Top 10?
For those who are not aware of the OWASP Top 10: the Open Web Application Security Project (OWASP) was founded in 2001 as a not-for-profit organization. OWASP is an independent body of industry professionals and application security leaders who come together and contribute to a single cause: making applications more secure. OWASP and its community have a prolific output of application security artifacts in the form of articles, books, tools and so on. They hold conferences across the globe where leading minds in application security discuss the latest and greatest techniques and practices in making and breaking secure apps.
One of OWASP’s most enduring documents is the OWASP Top 10. It captures the key risks and weaknesses facing apps all over the world at a given point in time, organized into the top 10 categories of application security risk. This document is used extensively by organizations and security practitioners all over the world. Not only does it provide a detailed analysis of security risks to applications at a given point in time, it also provides specific details capturing the nature of each risk, including Exploitability, Prevalence, Detectability, etc., thereby creating a more holistic view of security risk rather than focusing only on the “weakness” per se.
What’s new in the OWASP Top 10 2017?
The OWASP Top 10 2017 is important for many reasons. In my opinion it has highlighted and captured several key elements of information security that are relevant for today’s apps. Let’s take a look at some key changes in the OWASP Top 10 2017 versus the OWASP Top 10 2013.
Merging of Access Control Based Vulnerabilities
Attacks against access control are one of the key ways in which hackers look to compromise applications and gain access to sensitive information. Since 2015, we at we45 have seen a dramatic increase in access control attacks compared to most other classes of attacks, including Cross-Site Scripting and SQL Injection, with the latter becoming rarer and rarer simply because modern application frameworks automatically perform output encoding and parameterize SQL queries through ORMs (Object-Relational Mapping). Attacks against authorization, like Insecure Direct Object Reference attacks, and attacks against authentication, such as those targeting sessions or tokens, are a more pernicious set of attack vectors, especially with Single Page Applications and API-style applications becoming the norm. Unlike encoding and query parameterization, access control has not been turned into a generic, framework-level protection; developers still implement their own access control routines. The OWASP Top 10 rightly classifies all access control attacks, including authorization flaws, under a single category called “Broken Access Control”.
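As an added illustration (not code from the post or from OWASP), here is the kind of hand-rolled document lookup the paragraph refers to: an Insecure Direct Object Reference, where the caller is authenticated but ownership is never checked, beside a deny-by-default version. The `User`, `DOCUMENTS` store and role names are constructed for the example.

```python
# Added example: a developer-written access control routine, first with an
# IDOR flaw and then hardened. Data, roles and names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"

# Constructed store: document id -> (owner user_id, contents)
DOCUMENTS = {
    101: (1, "alice's invoice"),
    102: (2, "bob's medical record"),
}

class AccessDenied(Exception):
    pass

def fetch_document_unchecked(user: User, doc_id: int) -> str:
    """Vulnerable: relies on the caller being logged in, but never checks
    whether this user may read doc_id. Changing the id in the request reads
    another user's record (Insecure Direct Object Reference)."""
    owner, body = DOCUMENTS[doc_id]
    return body

def fetch_document(user: User, doc_id: int) -> str:
    """Hardened: deny by default; allow only the owner or an admin.
    A missing document and a forbidden one raise the same exception so the
    response does not confirm which ids exist."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        raise AccessDenied(doc_id)
    owner, body = record
    if user.role != "admin" and owner != user.user_id:
        raise AccessDenied(doc_id)
    return body

if __name__ == "__main__":
    bob = User(user_id=2, role="user")
    print(fetch_document_unchecked(bob, 101))  # returns alice's document
    try:
        fetch_document(bob, 101)
    except AccessDenied:
        print("denied: bob is not the owner of 101")
```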
Under-protected APIs
With the rise of client platforms and distributed computing, the world is clearly moving towards creating APIs as opposed to typical browser-focused web applications. APIs are the invisible glue that binds multi-platform, multi-client applications, be they mobile apps, Smart TVs or other applications, to a particular set of web services. While APIs may technically be web applications, securing them is a little different from securing typical web applications. There is a bevy of attack possibilities for APIs, ranging from standard injection attacks to more complex authentication bypass flaws, token-based information disclosure flaws and access control flaws. Flaws like XML External Entity Injection, where a vulnerable or poorly configured XML parser can be leveraged to perform devastating attacks against the application, apply just as much to web services and API-style applications.
Insufficient Attack Protection
This is a departure for the OWASP Top 10. While the OWASP Top 10 has typically focused on application-focused risks, this category sits largely “outside the application”. It focuses on the idea that “detecting, responding to, and blocking attacks makes applications dramatically harder to exploit”. I for one welcome this, because there is a fundamental flaw in the application security programs used by many organizations: too much focus is given to preventive security measures, and hardly any time and effort is put into detective and corrective security measures. Detective measures include techniques like vulnerability assessment, penetration testing and deploying WAFs or RASPs; corrective measures refer to releasing virtual or real patches for the flaws to protect against attacks.
Another challenge with today’s distributed apps is monitoring. Monitoring complex, distributed apps is an art that most companies don’t get right. However, with ready technology available in the form of the ELK stack (Elasticsearch, Logstash and Kibana), Splunk and the like, this has become much easier to do today than ever before.
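As an added example (not from the post), this is the shape of a detective rule one would run over web server access logs in an ELK or Splunk pipeline: it flags a client that walks through many object ids and collects repeated 403 responses, the footprint of the access control probing discussed above. The log lines, the `/api/documents/<id>` path and the thresholds are constructed for illustration.

```python
# Added example: a small detection over constructed access-log lines,
# flagging clients that enumerate object ids and accumulate 403 responses.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)
OBJECT_PATH_RE = re.compile(r"^/api/documents/(?P<id>\d+)$")

# Constructed sample (common log format): one client walking ids, one normal.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2017:10:00:01 +0000] "GET /api/documents/101 HTTP/1.1" 403
10.0.0.5 - - [10/Apr/2017:10:00:02 +0000] "GET /api/documents/102 HTTP/1.1" 403
10.0.0.5 - - [10/Apr/2017:10:00:03 +0000] "GET /api/documents/103 HTTP/1.1" 200
10.0.0.5 - - [10/Apr/2017:10:00:04 +0000] "GET /api/documents/104 HTTP/1.1" 403
10.0.0.5 - - [10/Apr/2017:10:00:05 +0000] "GET /api/documents/105 HTTP/1.1" 403
10.0.0.7 - - [10/Apr/2017:10:00:06 +0000] "GET /api/documents/103 HTTP/1.1" 200
10.0.0.7 - - [10/Apr/2017:10:00:07 +0000] "GET /api/documents/103 HTTP/1.1" 200
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_enumerators(log_text, min_ids=4, min_forbidden=3):
    """Return {ip: (distinct_ids, forbidden_count)} for clients that touched
    at least min_ids distinct object ids and received at least min_forbidden
    403 responses. Thresholds are constructed; tune them to real traffic."""
    ids = defaultdict(set)
    forbidden = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        obj = OBJECT_PATH_RE.match(rec["path"])
        if not obj:
            continue
        ids[rec["ip"]].add(obj.group("id"))
        if rec["status"] == "403":
            forbidden[rec["ip"]] += 1
    return {
        ip: (len(seen), forbidden[ip])
        for ip, seen in ids.items()
        if len(seen) >= min_ids and forbidden[ip] >= min_forbidden
    }
```

Running `find_enumerators(SAMPLE_LOG)` flags only 10.0.0.5 (five distinct ids, four 403s); the same counters map directly onto a Kibana or Splunk aggregation keyed on client address.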
Continuous Application Security Testing
At we45, we couldn’t be happier with this year’s OWASP Top 10. It has reinforced an age-old tenet that we have been advocating to the community at large. Today’s apps usually live in rapid-release, agile environments where they undergo constant change in the form of new features, UI updates and so on. There is a need to ensure that apps are continuously tested for security vulnerabilities. This can take the form of leveraging automation for SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing), as well as building automation around manually identified exploits. This is the essence of Security in DevOps, which holds that application security vulnerabilities should be discovered earlier in the lifecycle rather than later, when the security flaw might already have made its way into production, causing a great deal of disruption.