
(ISC)² and F5 Examine OWASP’S “Top 10” Report on New Web Application Security Risks

Aug 10, 2022

In late 2021, the Open Web Application Security Project® (OWASP®) Foundation released a revised list of the 10 most critical security risks to web applications. The OWASP Top 10 list is the foundation’s flagship project for guidance on securing web applications. (ISC)² hosted a webinar in which Byron McNaught from the application security company F5 discussed key changes in the Top 10 and how to use the list as a foundation for protecting applications.

The webinar highlighted the fact that while the OWASP Top 10 had remained largely unchanged for nearly 20 years, the 2021 version included significant updates. For example, the list previously focused on traditional web applications but now also covers modern application architectures. This update takes into account the risks that organizations face from their use of web and mobile applications, aggregators or API integrations, multi-cloud operations, etc. As a result of these practices, organizations’ digital footprints have become much more complex, which has increased the possible points of attack for cybercriminals.

For example, the last risk category listed in the Top 10, server-side request forgery, stems from the difficulty of validating user input, especially input that crosses platform boundaries. Other exploits span several of the risk categories in the OWASP Top 10 at once. One such case is the exploitation of the Apache Log4j 2 open-source logging utility, which touched three categories on the OWASP Top 10:

  • A03, Injection
  • A06, Outdated Components (79% of software libraries are never updated)
  • A08, Software and Data Integrity Failures

Exploits like this can occur because code reuse is a core tenet of software engineering; developers routinely pull open-source utilities or other third-party code into their projects. However, if that code is downloaded without proper checks, even something as seemingly harmless as a logging utility can open the door to an incident as serious as a full system takeover.

The updated Top 10 list makes the case for end-to-end security, from the design and construction of applications through their implementation and operations. That type of holistic protection is increasingly difficult to put into practice manually; app teams are using automation to compile, build, deploy and provision apps. So, to remain effective, security must keep in lockstep with developers by using web app and API solutions that can protect applications throughout the entire lifecycle.

Additionally, security ops teams can address risks such as server-side request forgery by explicitly defining the URI parameters an application accepts and the security policies that govern them, or by automatically discovering those parameters, in order to identify which hosts should and should not be reachable. Other effective security measures mentioned in the webinar include dynamic application security testing (DAST), ensuring consistent policy enforcement across clouds and architectures, and identifying vulnerable components.
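The host allow-listing described above, as an added illustration rather than code from the webinar or from F5: a destination check that a server-side fetch would run before following a user-supplied URL. It assumes an allow-list of hosts (the names below are constructed placeholders) and refuses anything that is not HTTPS to an allow-listed host, including URLs whose target is an internal address literal or that smuggle a different host through the userinfo part.

```python
"""Destination check for server-side fetches (OWASP A10, SSRF).
Added illustration, not code from the webinar or F5. Policy: only https,
only to allow-listed hosts, and never to loopback, private, link-local or
otherwise internal address space."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hosts this service is permitted to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example.net"}


def internal_ip_literal(host: str) -> bool:
    """True if host is an IP literal that points at internal address space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_destination(url: str) -> str:
    """Return 'allowed' or the first policy rule the URL violates."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() != "https":
        return "scheme-not-https"
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@other.example/' parses with host other.example
        return "userinfo-present"
    # urlsplit lower-cases hostname; strip a trailing dot so FQDN forms match
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no-host"
    if internal_ip_literal(host):
        return "internal-address"
    if port not in (None, 443):
        return "port-not-443"
    if host not in ALLOWED_HOSTS:
        return "host-not-allow-listed"
    return "allowed"
```

Because the allow-list is matched on the parsed hostname after normalization, case and trailing-dot variants of an allowed host pass while every other host, scheme, port or address literal is rejected with the rule that stopped it.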

In addition to the overview provided by its list, OWASP offers several lab projects that examine specific issues, such as API security or automated threats, in greater depth. For more information on the OWASP Top 10, watch The New Risk Order on the (ISC)² Security Briefings webinar channel.