OWASP Top 10 Vulnerabilities in 2021: How to Mitigate Them?
The OWASP Top 10 is a research-based document that raises awareness among developers, organizations, and security professionals on the most critical security risks facing web applications. The latest is the OWASP Top 10 vulnerabilities 2021, released in September 2021 after a 4-year gap.
In this article, the OWASP Top 10 vulnerabilities 2021 are explained in detail, along with ways to mitigate each.
OWASP Top 10 Vulnerabilities 2021 & Mitigating Them
Source: OWASP
1. Broken Access Control
Broken access control vulnerabilities enable attackers to gain access to user accounts, admin panels, databases, servers, sensitive information, business-critical apps, etc., and let unauthorized users perform privileged functions such as modification or destruction. Broken Access Control has moved to the top of OWASP Top 10 vulnerabilities 2021 since 94% of applications were found to have this vulnerability.
Mitigation:
Adopt a least-privileged approach
Build strong access controls using role-based authentication mechanisms
Except for public resources, deny access by default
Maintain lean servers by shutting down unnecessary services, deleting inactive and unnecessary accounts
If there are multiple access points, disable the ones that aren’t necessary
Rate limit API and controller access
Sensitive data must not be stored in the web root
Server directory listing must be disabled
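The deny-by-default, role-based and object-level checks described above, with a per-caller rate limiter, as an added example (not code from the article or from OWASP). The roles, actions and records are constructed for the demo; the shape of the policy table is an assumption of this example, not a prescribed format.

```python
"""Deny-by-default, role-based authorization with an object-level ownership check
and a per-caller rate limiter. Added example, not from the article; roles, actions
and records are constructed for the demo."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Role -> actions explicitly granted. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:update"},
    "admin": {"invoice:read", "invoice:update", "invoice:delete", "user:list"},
}
# Actions that non-admins may only perform on records they own (object-level check).
OWNER_SCOPED_ACTIONS = {"invoice:read", "invoice:update"}
# The only actions reachable without authentication.
PUBLIC_ACTIONS = {"status:read"}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    kind: str
    resource_id: str
    owner_id: Optional[str] = None


def is_authorized(user: Optional[User], action: str, resource: Optional[Resource] = None) -> bool:
    """Return True only when an explicit rule permits the action; every other path denies."""
    if action in PUBLIC_ACTIONS:
        return True
    if user is None:
        return False  # unauthenticated caller
    granted: Set[str] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if action not in granted:
        return False  # no role grants this action
    if action in OWNER_SCOPED_ACTIONS and "admin" not in user.roles:
        # Holding the permission is not enough: the record must belong to the caller.
        if resource is None or resource.owner_id != user.user_id:
            return False
    return True


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window_seconds` for each key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True
```

The check is called on every request for the action and the specific record, never only on the menu that rendered the link; the limiter is keyed by the authenticated user (or client address for anonymous calls) so that enumeration of record IDs is slowed down as well.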
2. Cryptographic Failures
Whether at rest or in transit, data often contains sensitive information that needs extra protection. This is especially important for organizations falling under the purview of standards like PCI-DSS, GDPR, CCPA, HIPAA, etc. Examples of cryptographic failures include storing data in plaintext, using outdated cryptographic algorithms, and improper key management.
Mitigation:
Encrypt all data at rest using secure and robust encryption algorithms, keys, and protocols
Encrypt all data in transit using the latest, secure protocols like TLS
Identify and apply strong security controls on all sensitive data
Don’t collect and store sensitive data unless absolutely necessary
Don’t cache sensitive data, and disable caching on forms that collect it
Disable autocomplete on forms
Minimize the attack surface
Store passwords using robust, adaptive, and proven hashing functions
3. Injection
Injection vulnerabilities allow attackers to send malicious, hostile, or untrusted data, commands, or queries to the application, leading the interpreter to take actions it was not designed for, such as exposing sensitive data or executing arbitrary code. Examples of injection include SQL injection and XSS.
Mitigation:
Server-side input validation is a must
Use safe APIs to avoid interpreters completely
Use intrusion detection systems to spot suspicious behavior
Use parameterized queries
Use LIMIT and other SQL controls within queries, preventing mass disclosure of records
Avoid passing unescaped special characters to the interpreter
4. Insecure Design
Entering the list at #4, this new entrant in the OWASP Top 10 web application vulnerabilities 2021 list focuses on the risks associated with design flaws that lead to poor security controls. It reflects the industry’s growing focus on creating secure-by-design apps.
Mitigation:
Integrate security right into the SDLC stages and leverage robust security practices from the early stages
Establish a library of secure design patterns, components, frameworks, etc. that are ready and safe to use for new applications
Use threat modeling for designing critical features like access controls, authentication, business logic, key flows, etc.
Include security language, concerns, and controls in all user stories
Based on exposure and protection needs, divide apps into different tiers and find use and misuse cases for each tier
Include plausibility checks at each tier of the application
5. Security Misconfiguration
Security misconfiguration, which represents a lack of security hardening across the stack, moved up the OWASP Top 10 2021 since 90% of applications had this vulnerability. Examples include improper permissions, unnecessary features left enabled, default accounts and passwords, misconfigured HTTP headers, and verbose error messages.
Mitigation:
Harden app security using a repeatable, easy-to-deploy process
Use preconfigured templates (with different credentials) to configure development, QA, and production identically
Maintain a library of securely configured container images
Remove unused features and services and deploy an application with minimal setup
Regularly update and patch configurations
Use automated workflows to verify secure configurations and detect misconfigurations in any environment. Remediate identified issues instantly.
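One form the automated verification in the last bullet can take: a check of an HTTP response against a hardening baseline that flags the header and error-page misconfigurations named above, as an added example (not code from the article). The baseline values and the sample responses are constructed, not captured from a real server; the header set is illustrative rather than a complete policy.

```python
"""Automated check of an HTTP response against a hardening baseline. Added example,
not from the article; the sample responses are constructed, not captured."""
import re
from typing import Dict, List

VERSION_RE = re.compile(r"\d+\.\d+")
ERROR_MARKERS = ("traceback (most recent call last)", "stack trace", "sqlstate", "ora-")
REQUIRED_COOKIE_FLAGS = ("secure", "httponly")

# Baseline a hardened deployment is expected to send (values are illustrative).
HARDENED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
    "Server": "webserver",  # generic banner, no product version
}


def audit_response(headers: Dict[str, str], status: int = 200, body: str = "") -> List[str]:
    """Return a list of findings; an empty list means the response met the baseline."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if "x-powered-by" in h:
        findings.append("X-Powered-By reveals the application stack")
    if VERSION_RE.search(h.get("server", "")):
        findings.append("Server header leaks a product version")
    cookie = h.get("set-cookie")
    if cookie:
        # Attribute names after the name=value pair, e.g. {"path", "secure", "httponly"}.
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"Set-Cookie lacks the {flag} flag")
    if status >= 500 and any(marker in body.lower() for marker in ERROR_MARKERS):
        findings.append("error page exposes a stack trace or database error")
    return findings
```

Run from a pipeline against every environment after deployment, a non-empty list fails the build, which is what turns the "remediate instantly" bullet from a policy into a gate.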
6. Vulnerable and Outdated Components
This vulnerability arises from unsupported and outdated components: software, libraries, frameworks, etc. Building or using applications without the latest versions of their components leaves them open to attack.
Mitigation:
Maintain an updated inventory of all components used in the application with their versions
Continuously scan components, libraries, etc. and their dependencies for vulnerabilities
Keep all components updated. If patches aren’t immediately available, apply virtual patches
Remove unused, legacy, and outdated components, features, and dependencies from apps
Use components, software, etc. from official and trustworthy sources
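The inventory-and-scan bullets reduced to their core: a pinned component list matched against advisory version ranges, as an added example (not code from the article and not a real scanner). The package names, versions and the advisory table are constructed placeholders, not real packages or real advisories; a production tool pulls the advisory data from a vulnerability database.

```python
"""Checking a pinned dependency inventory against advisory version ranges. Added
example, not from the article; package names and ADVISORIES are constructed
placeholders, not real packages or advisories."""
import re
from typing import Dict, List, Tuple

INVENTORY_TEXT = """\
# constructed inventory of pinned components (not real packages)
examplelib==1.4.2
samplehttp==2.0.9
toolkit-x==0.9.1
"""

# Constructed advisory feed; a real scanner would fetch this from a vulnerability database.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "affected": "<1.5.0", "fixed": "1.5.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "samplehttp", "affected": ">=2.0.0,<2.0.9", "fixed": "2.0.9"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "toolkit-x", "affected": "==0.9.0", "fixed": "0.9.1"},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")
SPEC_RE = re.compile(r"^(==|<=|>=|<|>)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so ordinary tuple comparison orders releases."""
    return tuple(int(part) for part in text.split("."))


def parse_inventory(text: str) -> Dict[str, Tuple[int, ...]]:
    """name -> version for each pinned line; comments and blank lines are skipped.
    Unpinned lines are rejected because an inventory without exact versions cannot be scanned."""
    inventory: Dict[str, Tuple[int, ...]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inventory[match.group(1).lower()] = parse_version(match.group(2))
    return inventory


def version_in_range(version: Tuple[int, ...], spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `spec`."""
    for clause in spec.split(","):
        match = SPEC_RE.match(clause.strip())
        if not match:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        satisfied = {"==": version == bound, "<": version < bound, "<=": version <= bound,
                     ">": version > bound, ">=": version >= bound}[op]
        if not satisfied:
            return False
    return True


def find_vulnerable(inventory: Dict[str, Tuple[int, ...]], advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """(package, advisory id, fixed version) for every pinned component inside an affected range."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"].lower())
        if version is not None and version_in_range(version, adv["affected"]):
            hits.append((adv["package"], adv["id"], adv["fixed"]))
    return hits
```

The inventory step is the part that most often goes missing: transitive dependencies, container base images and vendored code all need to be in the list, or the scan reports a clean result for components it never saw.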
7. Identification and Authentication Failures
Incorrect implementation of functions related to user authentication and session management allows attackers to compromise security keys, passwords, etc., exploit permissions, and assume other users’ identities, permanently or temporarily.
Mitigation:
Multi-factor authentication is a must
Don’t use default credentials, especially for admin privileges
Implement a strong password policy
Deploy a secure session manager that generates time-limited session IDs
Monitor failed login attempts and set limits and delays on them
Strengthen registration, credential recovery, and other authentication-related processes
8. Software and Data Integrity Failures
Entering the OWASP Top 10 2021 at #8, this category highlights the need to verify the integrity of software updates, critical data, and CI/CD pipelines. It was added in response to the rise in supply chain attacks and their massive impact. A8:2017 Insecure Deserialization is now part of this larger category.
Mitigation:
Ensure the legitimacy of software, data, and programs and their source through digital signatures or similar measures
Ensure integrity of CI/CD pipeline through strong access controls, proper configuration, and adequate segregation
Continuously review code and configurations for modifications
Ensure that libraries and dependencies use trusted repositories. You can host an internal, approved, and known repository if your risk profile is higher
Don’t send unsigned or unencrypted serialized data to untrusted clients without an integrity check or digital signature
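An integrity check applied both ways the bullets describe: a serialized payload that is authenticated before it is parsed, and an artifact tag checked before an update is used, as an added example (not code from the article). The keyed HMAC stands in for a digital signature so the demo runs with the standard library alone; the key, token format and payloads are constructed for the demo.

```python
"""Integrity-checked serialization and artifact verification with a keyed MAC. Added
example, not from the article. The MAC stands in for a digital signature; the key
and payloads are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Any

# Constructed demo key; in production it comes from a secrets manager, never from source code.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


class IntegrityError(ValueError):
    """Raised when a token's authentication tag does not match its payload."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def seal(key: bytes, obj: Any) -> str:
    """Serialize `obj` as JSON and append an HMAC-SHA256 tag: <payload>.<tag>."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def unseal(key: bytes, token: str) -> Any:
    """Verify the tag in constant time, then and only then parse the JSON payload.
    JSON is used rather than a native object serializer so parsing cannot run code."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except (ValueError, TypeError):
        raise IntegrityError("malformed token") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise IntegrityError("authentication tag mismatch")
    return json.loads(payload.decode("utf-8"))


def is_intact(key: bytes, token: str) -> bool:
    try:
        unseal(key, token)
        return True
    except IntegrityError:
        return False


def tag_artifact(key: bytes, artifact: bytes) -> str:
    """Hex tag a release process publishes alongside an update or package."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_artifact(key: bytes, artifact: bytes, published_tag: str) -> bool:
    """Check a downloaded artifact before installing it. A bare checksum published next to
    the file proves nothing if an attacker controls both; the tag must be computed with a
    key (or private signing key) the attacker does not hold."""
    return hmac.compare_digest(tag_artifact(key, artifact), published_tag)
```

With a shared key both sides can mint tokens, which is fine for data a server hands to its own clients and reads back; for software updates consumed by many parties, the release key must be private to the publisher, so an asymmetric signature replaces the HMAC while the verify-before-use flow stays the same.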
9. Security Logging and Monitoring Failures
This OWASP Top 10 2021 vulnerability concerns an application’s weakness in detecting and responding to security incidents. Given that attack detection takes 197 days on average, attackers have a long enough window to do their bidding.
Mitigation:
Use readily available logging and audit software that helps in instant detection of suspicious activities
Ensure the logs are contextual and available in compatible formats for in-depth forensic analysis
Enforce security controls that help prevent the tampering of log data
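The second and third bullets together: structured, context-rich log entries written as a hash chain, so that an edited or deleted entry is detected on verification, as an added example (not code from the article). The events are constructed, and the chaining scheme is one simple approach; a production setup would also ship entries promptly to a separate, append-only store.

```python
"""Tamper-evident, structured audit logging: each JSON line carries the hash of the
previous line, so editing or deleting an entry breaks the chain on verification.
Added example, not from the article; the events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(entry: Dict) -> str:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append_entry(lines: List[str], event: Dict) -> str:
    """Append `event` to `lines` as a chained JSON line and return the line written."""
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = dict(event, prev_hash=prev_hash)
    entry_hash = hashlib.sha256((prev_hash + canonical(body)).encode("utf-8")).hexdigest()
    line = canonical(dict(body, hash=entry_hash))
    lines.append(line)
    return line


def verify_chain(lines: List[str]) -> Tuple[bool, Optional[int]]:
    """(True, None) if every line links to its predecessor, else (False, index of first bad line)."""
    prev_hash = GENESIS
    for index, line in enumerate(lines):
        try:
            entry = json.loads(line)
            claimed = entry.pop("hash")
        except (ValueError, KeyError, AttributeError):
            return False, index
        if entry.get("prev_hash") != prev_hash:
            return False, index  # a removed or reordered line shows up here
        expected = hashlib.sha256((prev_hash + canonical(entry)).encode("utf-8")).hexdigest()
        if claimed != expected:
            return False, index  # an edited line shows up here
        prev_hash = claimed
    return True, None


# Constructed events carrying the context an analyst needs: who, what, from where, outcome.
SAMPLE_EVENTS = [
    {"ts": "2021-10-05T09:12:01Z", "actor": "alice", "action": "login", "src_ip": "203.0.113.7", "outcome": "success"},
    {"ts": "2021-10-05T09:13:44Z", "actor": "bob", "action": "login", "src_ip": "198.51.100.9", "outcome": "failure"},
    {"ts": "2021-10-05T09:14:02Z", "actor": "alice", "action": "export_report", "src_ip": "203.0.113.7", "outcome": "success"},
]


def build_sample_log() -> List[str]:
    lines: List[str] = []
    for event in SAMPLE_EVENTS:
        append_entry(lines, event)
    return lines
```

The fields are the minimum a forensic timeline needs (timestamp in UTC, actor, action, source, outcome); the chain adds detection of after-the-fact edits but not prevention, which is why the last hash should be periodically anchored somewhere the application host cannot write.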
10. Server-Side Request Forgery
This vulnerability ranked #1 in the OWASP Top 10 Community Survey and was included in the 2021 list. It allows attackers to make the server fetch data from remote resources using user-supplied, unvalidated URLs. Even firewall- or VPN-protected servers are prone to it if unvalidated user input is accepted.
Mitigation:
Enforce user-input validation and sanitization
Remote resource access functionality, if any, must be isolated in a separate network segment to limit the impact
Block unwanted incoming traffic using deny-by-default firewall policies
Ensure clients don’t receive raw responses from the fetched resource
Build a positive allow list for ports, destinations, and URL schemes
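The positive allow list from the last bullet, applied to scheme, host and port, plus a resolution check so that an allow-listed name cannot point at an internal address, as an added example (not code from the article). The allowed hosts and the fake DNS table are constructed, and the resolver is injectable so the check runs offline.

```python
"""Allow-list validation of a user-supplied URL before the server fetches it. Added
example, not from the article; allowed hosts and the fake DNS table are constructed."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"files.example.test", "api.example.test"}   # constructed allow list
ALLOWED_PORTS = {443}

Resolver = Callable[[str], List[str]]


class SSRFBlocked(ValueError):
    """Raised when a URL fails the outbound allow-list policy."""


def system_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """Reject loopback, private, link-local, multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return the URL if every component passes the allow list; raise SSRFBlocked otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("credentials in URL are not allowed")  # blocks host@other-host tricks
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allow list: {host!r}")  # IP literals never match
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    # Resolve and check every address: an allow-listed name must not point inside the network.
    addresses = resolver(host)
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise SSRFBlocked(f"{host} resolves to a non-public address")
    return url


def is_safe_outbound_url(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:  # SSRFBlocked and malformed-port errors alike
        return False


# Constructed DNS table for offline use. 93.184.216.34 is only a sample public address here.
FAKE_DNS = {
    "files.example.test": ["93.184.216.34"],
    "api.example.test": ["10.0.0.5"],  # allow-listed name that points inward: still blocked
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

The fetch that follows should disable automatic redirects and re-validate each hop, connect to the address that was checked rather than resolving again, and return only the fields the client needs from the response body rather than relaying it raw.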