From 2017 to 2021 the entire OWASP Top 10 list was rearranged or replaced by new forms of security risk. This is not surprising, as cyber-attacks are up 600% since the beginning of the COVID-19 pandemic, according to (EMBROKER). Being stuck inside, or struggling with the fallout of the pandemic, has caused a new wave of cyber criminals who are becoming more creative in the ways they conduct their attacks.
- Injection was dethroned from the number 1 rank on the list by broken access control in 2021. Rising from its previous 5th spot in 2017, broken access control is not new and will be around for a long time, as developers in today’s age are more focused on regurgitating content than on patiently releasing a highly secure and tested application. You can’t shove all the blame on developers, because they are usually not the ones who call the shots, or they were never aware of some of the risks to begin with. Broken access control can be mitigated by establishing least privilege and a change request framework, so that unwarranted changes that could disrupt access control are prevented.
- Broken Authentication was 2nd in 2017, but now cryptographic failures has claimed that position. Formerly known as sensitive data exposure, cryptographic failure is the failure of encryption to protect sensitive data such as addresses, payment info, etc. These failures can stem from the lack of a good virtual private network (VPN) provider or from weak encryption keys and algorithms.
- In 2021 injection moved down to the 3rd spot on the list. Even though it is no longer 1st, injection attacks still occur frequently on a daily basis. This category also absorbed cross-site scripting (XSS), which held the 7th spot in 2017. According to (OWASP), “94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications”. Injection attacks can be mitigated by implementing strong input validation.
- Occupying the 4th position is a new addition to the list called insecure design. This means the application was not developed with security in mind, leaving it open to bigger risks. Using secure design frameworks and being aware of common security design flaws can mitigate the risks of insecure design. This position was formerly held by XML External Entities (XXE) in 2017, which is now merged into security misconfiguration.
- Security misconfiguration moved up from 6th on the list to 5th. According to (OWASP), “90% of applications were tested for some form of misconfiguration”. As applications become more complex and diverse, this opens the door to more mistakes and more opportunities for malicious actors.
- Making a jump from 9th on the list to 6th is vulnerable and outdated components. You would think this is an easy fix, but many are still struggling to manage the risk of using outdated and vulnerable software. More often than not these components are part of the application’s main functionality, so organizations would rather run the risk than shut down operations.
- Identification and authentication failures has claimed the 7th spot on the 2021 list, falling from 2nd. Cross-site scripting formerly held this position. The fact that this risk is falling in rank is a good sign, showing that companies are adopting secure identification and authentication frameworks. However, it will not be enough until this risk disappears from the list entirely.
- Making a first appearance on the top 10 is software and data integrity failures. This is a broader entry that includes insecure deserialization, which formerly held this position on the list. According to (Talend), “Perhaps the most common data integrity risk is unreliable data, which decreases efficiency and productivity. Unreliable data involves duplications of records, inaccurate data, and unidentifiable origins of data. No matter how a dataset has become unreliable, it prevents organizations from making accurate decisions and leads to added operational costs”. Another common mistake made by software companies is non-compliance with regulators like GDPR; repeated violations can heavily impact your business and its integrity.
- In 2017 this spot was held by using components with known vulnerabilities, but since that moved up in the rankings, security logging and monitoring failures has claimed the 9th spot on the list, moving up from 10th. Although this type of risk is hard to identify, it leads to other failures that can impact integrity, availability, and confidentiality.
- Replacing insufficient logging & monitoring at the 10th and final spot on the list is server-side request forgery (SSRF). This type of risk is new to OWASP’s top 10 and is a vulnerability exploited when a malicious request is sent to the server, which can cause it to spill confidential data.
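The injection entry above notes that strong input validation mitigates injection attacks. The following added example (not from the original post) shows, against a constructed in-memory SQLite table, why string-built SQL is the problem and how input validation combined with a parameterized query closes it; the function names and the sample rows are assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Build a constructed sample table with two users (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input is concatenated into the SQL text, so a crafted value
    can change the structure of the query, not just the value compared."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the driver binds the value separately from the
    SQL text, so whatever the input contains it is only ever compared."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allowlist for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, name):
    """Input validation (reject anything outside the expected shape) layered
    on top of the parameterized query; validation alone is not the fix."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed value that rewrites the WHERE clause
    print("vulnerable:", lookup_vulnerable(db, crafted))   # both rows leak
    print("parameterized:", lookup_parameterized(db, crafted))  # []
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("hardened:", exc)
```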