What to do with the new 2021 OWASP Top 10 Vulnerability Rankings? Industry comments

This year’s Open Web Application Security Project (OWASP) Top 10 list has been published, with new categories and a new number one.

The new OWASP Top 10 list released this month has a new chief villain. Injection vulnerabilities have been overtaken: the biggest and worst category in town is now Broken Access Control.

Injection has topped the OWASP (Open Web Application Security Project) list for years, a category that covers a wide range of technologies and flaws, from SQL injection to OS command injection attacks. This year it is ranked third, after Broken Access Control and Cryptographic Failures.

Broken access control vulnerabilities often creep in as applications and environments evolve. The category includes faults in the authorization layer that allow vertical and horizontal privilege escalation. Cryptographic Failures, on the other hand, covers hard-coded or weak passwords, broken or risky encryption algorithms, and inadequate entropy when generating keys.
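As an added example that is not part of the article, here is the horizontal and vertical privilege-escalation check described above, shown as a vulnerable record lookup next to a hardened one; the invoice data, user roles and function names are constructed for illustration.

```python
"""Added example (not from the article): a horizontal and vertical
privilege-escalation check for an invoice lookup, the kind of flaw the
2021 list groups under Broken Access Control. Data and names are constructed."""
from dataclasses import dataclass

# Constructed sample data standing in for a database table.
INVOICES = {
    101: {"owner_id": "alice", "amount": 120.0},
    102: {"owner_id": "bob", "amount": 80.0},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "customer" or "auditor" in this toy model


class AccessDenied(Exception):
    pass


def get_invoice_broken(user: User, invoice_id: int) -> dict:
    """Vulnerable version: trusts the caller-supplied id and never asks
    whether this user may see this record (horizontal escalation)."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> dict:
    """Hardened version: deny by default, then allow only the record owner
    (horizontal check) or a role explicitly permitted to read every invoice
    (vertical check). The decision is made server-side, next to the data
    access, never delegated to the client."""
    record = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if record is None:
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    is_owner = record["owner_id"] == user.user_id
    may_read_all = user.role == "auditor"
    if not (is_owner or may_read_all):
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    return record


def can_read(user: User, invoice_id: int) -> bool:
    """Boolean wrapper around the hardened lookup."""
    try:
        get_invoice(user, invoice_id)
        return True
    except AccessDenied:
        return False
```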

The 2021 OWASP Top 10 also has three new categories.

Fourth is Insecure Design, which covers software that cannot be made secure by a perfect implementation because the flaw lies in the underlying design.

Software and Data Integrity Failures is eighth, covering false assumptions made about automated processes and CI/CD pipelines.

At number 10 is Server-Side Request Forgery (SSRF), a class of vulnerabilities that allows an attacker to force a server-side application to send an HTTP request to any domain.
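As an added example that is not part of the article, two server-side checks that keep a URL-fetching feature from becoming the SSRF described above: an allowlist on the requested host as the primary control, and a check on the resolved address as defence in depth. The allowlist, hostnames and URLs are constructed for illustration.

```python
"""Added example (not from the article): two server-side checks against
the SSRF class described above. The allowlist, hostnames and URLs are
constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this service should call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_safe_destination(url: str) -> bool:
    """Primary control: accept a URL only if its scheme is http(s), it
    carries no embedded credentials, and its hostname is on the allowlist.
    Literal IP addresses are never on the allowlist, so they are refused."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, brackets stripped for IPv6
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return bool(host) and host in ALLOWED_HOSTS


def is_public_address(ip: str) -> bool:
    """Defence in depth: apply to the address actually resolved at connect
    time, so an allowlisted name that later resolves to loopback, a private
    range or link-local (where cloud metadata endpoints live) is still
    refused. Returns True only for globally routable unicast addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast
```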

Other categories have been merged into the new Top 10.

The OWASP Top 10 list aims to raise awareness of common vulnerabilities among developers. We asked a number of industry figures how useful they believe it is for developers and security professionals, and what they make of this year’s rankings.

Computing: What do you think of this year’s changes? And how important are they?

Etienne Hodder, Senior Information Security Consultant at eSentire: The most important changes are the introduction of three new categories: insecure design, software and data integrity failures, and server-side request forgery. Focusing on new threats to web applications, the first two of these new categories further emphasize the need to protect app integrity throughout the software development life cycle (SDLC); the infamous 2020 SolarWinds breach is a clear example of a software integrity failure.

“The new additions to the Top 10 are the most interesting” - Iain Chidgey, Sumo Logic

Iain Chidgey, Vice President EMEA at Sumo Logic: The new additions to the Top 10 are the most interesting, as they show where developers and security teams face the most pressure and need to improve their skills. For example, the insecure design category covers how applications are designed and built. Microservices-based applications have become more popular among developers in terms of design and development, and are now responsible for generating business revenue.

Fred Wilmot, CISO, JumpCloud: Significant changes to the Top 10 list include a better focus on today’s CI/CD pipelines and deployment approaches that incorporate cloud architectures, addressing the well-known complexity that being “well-designed” does not mean “properly implemented”. Among the challenges in building a well-designed solution, the libraries chosen for logging, the design of authentication methods, and data integrity are all important to the overall service model.

Paul Baird, Chief Technical Security Officer, UK, Qualys: There are some important changes in the top 10 categories of this report, including a clear shift in focus toward making web applications as secure as possible before they go live. Exploitability and impact data were also used for the first time, adding more weight and validity to the list.

How important are these types of changes and how can they help your security and development team?

Wilmot: These changes are important when considering using the latest tools to address the entire software development life cycle. In some cases, sanitization, input validation, CSRF, SSRF, and XSS are considered lightweight fixes, but they really address encryption failures, logging/monitoring, misconfigurations, vulnerable components, and more. These span the entire design of cloud services. It’s not just about implementing a web server. This is closely related to the idea of operational risk and where security fits into product development as a function. Not all risks come with a CVE or CWE, which makes remediation more complicated and muddies the waters around clearly implementing a fix.

“Security teams need to incorporate regular detection of the OWASP categories into their production environment” - Etienne Hodder, eSentire

Hodder: The security team should incorporate regular detection of the OWASP categories into the production environment, for example by employing a dynamic application security testing (DAST) tool that runs regular, repeated scans and gives development teams visibility into the results. Development team leaders need to ensure that sufficient time is allocated to provide proper training and to ensure that all contributors can perform thorough testing throughout the design phase.

Chidgey: Such rankings help security teams get in-house support. This will help give your department time and budget to seriously consider these issues, and help you get support from your colleagues as part of your workflow and process.

“The schedule for these updates is not in line with the pace of major change we are seeing” - Paul Baird, Qualys

Baird: The report uses the largest application security dataset available, with data from over 500,000 applications, so the findings are beneficial and very important to the industry. However, the schedule for these updates does not match the pace of major change seen in today’s industry. Villains are constantly adapting their tactics, and as an industry we need to catch up.

Is there a risk that such a list would cause teams to see security as a box-ticking exercise rather than thinking strategically?

Wilmot: I think it’s the other way around. When considering the development of an idea, there are design principles that can be measured through OWASP. It reveals or validates the security team’s concerns based on industry practices early in the tooling and discussion process.

Hodder: Because the OWASP 2021 update is more data-driven than previous iterations, the team has more closely aligned the structure and description of the categories with their current understanding of application vulnerabilities throughout the organization, and we should expect this to promote involvement beyond previous box-ticking exercises.

Chidgey: The security team knows that these frameworks are not all about security. They can help support business cases for an investment or for changing how a security process behaves. I think the biggest change is how much emphasis is placed on getting security right throughout the development process. We’ve seen breaches related to software supply chain failures become a hot topic, but many security and developer teams are looking for more guidance on how to check supply chain integrity, for example in continuous integration / continuous deployment.

Baird: The OWASP Top 10 list should not be considered an exhaustive checklist. It is designed to act as a methodology, with guidance on the directions needed to become more secure. Ultimately, it should be combined with a web application scanning tool that provides a more accurate picture of the organization’s own network.

What does this year’s Top 10 show about the future of app development and security teams actually working together?

Baird: It emphasizes the need for them to do just that: actually work together. This year there is a clear shift toward making applications secure before release, which reiterates how important the relationship between the two teams is. Still, there seems to be a political gap between the two. Teams need to come together to support the business in which they both work.

Hodder: Corporate leadership needs to strengthen collaboration between app development and security teams and reassess current SDLCs to include security teams. There are new opportunities for career shifts between both teams, even providing organizations with a strong, security-oriented application development team.

“This helps establish a common bridge between product / engineering and security teams beyond JIRA tickets” - Fred Wilmot, JumpCloud

Wilmot: This helps to establish a common bridge between the product / engineering team and the security team, beyond the JIRA ticket.

Chidgey: The Top 10 provides a good guide on where to prioritize DevOps and security, but this is just the starting point for understanding what’s happening from a data perspective.
