
OWASP Top 10: Here's What You Should Know and Why It's Important

Published: December 31, 2022
Reading time: 7 minutes

Have you heard about OWASP Top 10? This standard document is a critical parameter to follow, especially in times of remote work. In this article, we will introduce the ten topics that make up the OWASP Top 10 of 2022, as well as explain the meaning of OWASP. Seriously, you can't miss this reading for anything.

To begin with, let's understand the concept of OWASP.

What is OWASP?

OWASP is the acronym for Open Web Application Security Project, representing a global not-for-profit community founded by Mark Curphey in September 2001. According to information security specialists and researchers in the field, the primary purpose of OWASP is to reduce security vulnerabilities on the web. To achieve this goal, the entity acts collaboratively to promote the strengthening of software security worldwide. 

To this end, the professionals involved in this initiative remain open to knowledge exchanges and provide free educational content aimed primarily at data protection. The main achievement of this global community is the annual OWASP Top 10 ranking. And what is this ranking?

The OWASP Top 10 is a list of the most common, critical and dangerous flaws found in the development of web projects.

It is essential to highlight that OWASP is a project that started unpretentiously, but over time, it has become a vital parameter recognized globally due to its quality and usefulness. 

The main benefits that OWASP brings to companies and IT professionals are:

Assists in creating a robust cybersecurity posture.
Contributes to the protection of APIs against possible cyber-attacks.
Helps reduce operational failures in systems.
Improves the reputation of the company that developed a particular app.

OWASP Top 10

Let's now address the list of the ten most common application vulnerabilities according to the most updated version of the OWASP Top 10.

1: Broken access control

This vulnerability was ranked fifth in the previous publication of the OWASP Top 10 ranking and has moved up to number one. It is, therefore, the vulnerability that currently represents the most serious security risk for web applications. This category covers the risk that unauthorized persons gain access to an application's functions or data because cybercriminals find ways to circumvent its access control.
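The classic form of this flaw is an endpoint that authenticates the caller but never checks whether the requested object belongs to them, so changing an id in the request exposes another user's data. The following example is added here and is not code from the original article; it uses a constructed in-memory "invoice" table and hypothetical user roles ("customer", "admin") to contrast a handler with no object-level authorization against one that denies by default:

```python
# Added example (not from the original article): object-level authorization.
# The invoice table, users and roles below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data standing in for a database table.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.0),
    102: Invoice(102, owner_id=2, amount=75.5),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def can_access(current_user: User, invoice: Invoice) -> bool:
    """Authorization rule: only the owner or an admin may read an invoice."""
    return current_user.role == "admin" or invoice.owner_id == current_user.user_id


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    """Vulnerable: the caller is authenticated (we have a User), but the
    ownership of the invoice is never checked, so any logged-in user can
    read any invoice simply by changing the id in the request."""
    return INVOICES[invoice_id]


def get_invoice_secure(current_user: User, invoice_id: int) -> Invoice:
    """Hardened: deny by default and enforce the ownership rule server-side."""
    invoice = INVOICES.get(invoice_id)
    # A missing invoice and a foreign invoice produce the same error, so the
    # response cannot be used to tell which ids exist.
    if invoice is None or not can_access(current_user, invoice):
        raise Forbidden("not found or not permitted")
    return invoice


if __name__ == "__main__":
    alice = User(user_id=1, role="customer")
    print("vulnerable:", get_invoice_vulnerable(alice, 102))  # leaks bob's invoice
    try:
        get_invoice_secure(alice, 102)
    except Forbidden as exc:
        print("secure:", exc)
```

The important design point is that the check lives in the server-side handler, next to the data access, rather than in the client or in a UI that merely hides the link.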

2: Cryptographic flaws

Yet another vulnerability climbed the OWASP Top 10 ranking: encryption-related flaws ranked third on the previous list. Previously this category was called "Sensitive Data Exposure". The new name makes explicit that the category focuses on cryptographic flaws, which the old name only implied. Encryption is considered a fundamental resource when thinking about data security, both for sending and receiving information and for storing it. However, using cryptography is not enough; there must be guarantees that it is applied effectively, and reaching second place in the OWASP Top 10 ranking shows how critical the situation is. Encryption flaws can lead to the exposure of confidential data or even the compromise of the system as a whole.
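A concrete case of "using cryptography is not enough" is password storage: hashing with a fast, unsalted algorithm is still "cryptography", yet it gives almost no protection once the database leaks. The example below is added here and is not part of the original article; it places the weak approach beside a salted, iterated password hash using only the Python standard library. The iteration count is an assumption to be tuned per deployment:

```python
# Added example (not from the original article): weak vs. adequate password
# hashing with the Python standard library only.
import hashlib
import hmac
import secrets

# Assumption: an iteration count chosen so one hash costs a noticeable
# fraction of a second on the server; tune it for your hardware.
DEFAULT_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Weak: a fast, unsalted digest. Equal passwords give equal digests,
    and precomputed tables crack it cheaply once the table leaks."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Adequate: per-user random salt plus a deliberately slow key
    derivation (PBKDF2-HMAC-SHA256). The parameters are stored with the
    hash so they can be raised later without breaking verification."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in
    constant time. Any malformed record is treated as a failed login."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users with the same password: the weak scheme reveals it, the
    # salted scheme does not.
    print(weak_hash("hunter2") == weak_hash("hunter2"))          # True
    print(hash_password("hunter2") == hash_password("hunter2"))  # False
    record = hash_password("hunter2")
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Storing the algorithm name and iteration count inside the record is what lets you migrate to stronger parameters later, which is the kind of "guarantee of efficiency" the category asks for.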

3: Injection

When we talk about injection in the application world, we mean an attack technique based on manipulating code, as with SQL. SQL is the language used to exchange information between applications and relational databases. The cyber-criminal injects a string input into the application and tries to alter the instruction that the database executes. This can harm the database in several ways, even culminating in denial of service.

4: Insecure design

This is a new category, introduced in the 2021 version of the OWASP Top 10, that focuses on risks linked to design flaws. When a working application has an insecure design, it cannot be corrected through a perfect implementation, because the necessary security controls were never created in the first place. The application is thus left without a robust defence against specific attacks.

5: Insecure configuration

Vulnerabilities related to insecure configuration rose from sixth to fifth in the OWASP Top 10 ranking.

6: Outdated and vulnerable components

This OWASP Top 10 category was previously called "Use of Components with Known Vulnerabilities" and ranks second in the Top 10 community polls. This category draws attention to the lack of care about the need for periodic updates to improve application security. A component that would hardly pose risks today may bring many of them soon. Therefore, it is necessary to consider the evolution of technology when developing solutions.

7: Identification and authentication failures

Previously, this OWASP Top 10 category was known as "Broken Authentication" and has dropped from second to seventh in the ranking.

8: Software and data integrity flaws

This new category was introduced in the OWASP Top 10 ranking in the 2021 publication. Its focus is on code and infrastructure that trust software updates, critical data and CI/CD pipelines (the method of delivering applications frequently to clients) without verifying their integrity. This category also includes "Insecure Deserialization", which was part of the list until 2017.
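The following example is added here and is not code from the original article. It shows what "verification of integrity" means for a software update: the update comes with a manifest that pins the artifact's SHA-256 digest, and the manifest itself is authenticated before anything in it is trusted. To stay within the standard library the manifest is authenticated with an HMAC under a constructed key; a real update channel would use a digital signature with a public key shipped inside the client, which is an assumption of this example:

```python
# Added example (not from the original article): verifying a downloaded
# update against a signed manifest before using it. The key, manifest and
# artifact bytes are all constructed for illustration.
import hashlib
import hmac
import json

# Assumption: a shared verification key. In practice a vendor would sign
# with a private key and ship only the public key in the client.
VERIFY_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and verifier
    hash exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    """Produce the authenticator the update server publishes alongside the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def accept_update_vulnerable(artifact: bytes) -> bool:
    """Vulnerable: whatever the download returned is accepted as-is, so a
    tampered artifact or a compromised mirror goes straight into install."""
    return len(artifact) > 0


def accept_update_secure(artifact: bytes, manifest: dict, signature: str,
                         key: bytes = VERIFY_KEY) -> bool:
    """Hardened: first authenticate the manifest, then check the artifact
    against the digest the authenticated manifest pins."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False  # manifest forged or altered
    pinned = manifest.get("sha256", "")
    if not hmac.compare_digest(sha256_hex(artifact), pinned):
        return False  # artifact does not match what the vendor published
    return True


if __name__ == "__main__":
    artifact = b"constructed update payload v1.2.3"
    manifest = {"name": "app", "version": "1.2.3", "sha256": sha256_hex(artifact)}
    signature = sign_manifest(manifest)
    print(accept_update_secure(artifact, manifest, signature))         # True
    print(accept_update_secure(artifact + b"!", manifest, signature))  # False
```

Note the order of checks: the digest in the manifest is worthless until the manifest itself has been authenticated, otherwise an attacker who can alter the artifact can alter the digest to match.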

9: Security monitoring and logging failures

Failures related to security logging and monitoring ranked tenth in the 2017 OWASP Top 10, under the name "Insufficient Logging and Monitoring"; the category has now been expanded to include other types of failures. This category is difficult to test and needs to be better represented when listing common weaknesses. Failures in this category directly affect visibility, forensic analysis and alerting on cybersecurity incidents.
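Logging only helps if someone, or something, reads it. The example below is added here and is not code from the original article: it parses a few constructed authentication log lines in an assumed format and raises an alert when one source address accumulates a threshold of failed logins inside a time window, which is the kind of monitoring the category expects to exist:

```python
# Added example (not from the original article): a small detector over
# authentication log lines. The log format and the lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2022-12-31 10:00:01 auth failure user=alice src=203.0.113.7
2022-12-31 10:00:09 auth failure user=bob src=203.0.113.7
2022-12-31 10:00:15 auth failure user=carol src=203.0.113.7
2022-12-31 10:00:20 auth success user=dave src=198.51.100.4
2022-12-31 10:00:31 auth failure user=dave src=203.0.113.7
2022-12-31 10:00:44 auth failure user=erin src=203.0.113.7
2022-12-31 10:01:02 auth failure user=frank src=203.0.113.7
2022-12-31 10:05:00 auth failure user=dave src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth (success|failure) "
    r"user=(\S+) src=(\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, src) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Alert once per source address that reaches `threshold` failed logins
    within a sliding `window`. Distinct usernames from one address are
    counted together, which is what catches password spraying."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip, but a real pipeline would count malformed lines
        ts, outcome, _user, src = record
        if outcome != "failure":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "failures": len(q),
                           "at": ts.strftime("%Y-%m-%d %H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The log lines carry the outcome, the account and the source, but never the submitted password; that is the minimum a forensic reconstruction needs without turning the log itself into sensitive data.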

10: Server-side request forgery

From the surveys carried out to compile the OWASP Top 10 list, it can be concluded that the incidence rate of this vulnerability is relatively low. It had above-average test coverage together with above-average ratings for exploitation potential and impact.

Even so, the existence of this category in the Top 10 demonstrates that members of the security community are saying that this issue needs attention, even if the data does not show an urgent need to target efforts to combat this vulnerability.


CONCLUSIONS

The OWASP Top 10 is very important on the world stage because it presents an "initial picture" of the main concerns that experts must have when producing and validating new code or improving legacy code. 

 

 
