OWASP Names a New Top Vulnerability for First Time in Years | eSecurityPlanet – eSecurity Planet

owasp ProxyEgg OWASP Names a New Top Vulnerability for First Time in Years | eSecurityPlanet - eSecurity Planet

OWASP security researchers have updated the organization’s list of the ten most dangerous vulnerabilities – and the list has a new number one threat for the first time since 2007.

The last update was in November 2017, and the latest draft is available for peer review until the end of the year.

The Open Web Application Security Project (OWASP) is a nonprofit foundation and an open community dedicated to security awareness. The respected OWASP top ten list is often used as a coding and testing standard, and many platforms also use it to set and adjust bug bounties.

OWASP teams update the curated list every three or four years to reflect the current threat and web application landscape. Interesting shifts happened in the rankings this year, and a new leader isn’t the only change.

Many entries are broad categories that contain various CWEs (common weakness enumerations, typically errors that can lead to vulnerabilities) and CVEs (common vulnerabilities and exposures, or specific instances of a vulnerability within a product or system). Those flaws are documented by MITRE, a government-funded organization that administers the CVE Program, which is meant to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

A New Top Vulnerability

The number one security risk is no longer injection. Broken access control vulnerabilities are now at the top of the list, followed by cryptographic failures, with injection dropping to third place.

Broken access control breaches happen every time attackers gain unauthorized access to content, files, and functions. 34 CWEs are mapped to broken access control. Whether it’s a misconfiguration or a flawed access control scheme in the application, hackers love such vulnerabilities as they’re not so challenging to discover and exploit. The damages can be massive. They might gain access to sensitive files or impersonate a user with high privileges to perform harmful actions. They can even deface the entire site in some cases.

Access control issues are often discovered when performing penetration tests. The most common mistakes are:

  • Bad practices in code such as unverified data, unprotected cookies
  • Insecure authentication process such as flawed account recovery or password reset, or insecure session tokens
  • Misconfigurations such as wrong CORS rules
  • Unprotected API endpoints such as no rate limit
  • No defense against directory traversal. For example, if you use <img src=”/getImages?filename=image12.png”>, hackers will try something like https://yourwebsite.com/getImages?filename=../../../etc/passwd

Those vulnerabilities are quite frequent, and implementing secure access control can be challenging.

Further reading: How to Defend Common IT Security Vulnerabilities

The Full OWASP List

In the draft 2021 list, many entries have been moved, and new categories have been added. We’ve marked them as moving up (▲), down (▼) or new to the list.

  1. Broken Access Control (▲): When hackers gain unauthorized access to content and functions.
  2. Cryptographic Failures (▲): Previously known as “Sensitive Data Exposure.” As the name suggests, it focuses on weak cryptography.
  3. Injection (▼): Hackers trick the interpreter into executing unwanted commands. For example, it happens with unescaped SQL calls (such as SELECT * FROM users WHERE email = $_POST[’email’]).
  4. Insecure Design (new): Apps should integrate security in the earliest stages, including the design step, and in all processes.
  5. Security Misconfiguration (▲): Installations often remain insecure (missing hardening, wrong permissions) because of the numerous parameters and options.
  6. Vulnerable and Outdated Components (▲): previously “Using Components with Known Vulnerabilities.” Outdated applications are often weak.
  7. Identification and Authentication Failures (▼): Previously “Broken Authentication.” Those vulnerabilities are often due to bad practices in code or missing multi-factor authentication.
  8. Software and Data Integrity Failures (new): Includes “Insecure Deserialization” from 2017 and many critical CWEs. It focuses on software updates and CI/CD pipelines.
  9. Security Logging and Monitoring Failures (▲): Previously “Insufficient Logging & Monitoring.” When logging and monitoring are missing or insufficient, web apps are easier to compromise.
  10. Server-Side Request Forgery (new): Added from a survey of industry professionals. SSRF attacks usually target internal systems behind a firewall that are not accessible from external networks. The hacker takes control of the back-end server to send forged requests.

How Devs Can Use the OWASP Top Ten

The OWASP is at the heart of web security. Developers can use the list to write more secure code, and security teams can use various tools such as the OWASP Zed Attack Proxy (ZAP) to check whether the application is secure or not.

The list is beneficial for assessing vulnerabilities. Security checklists and code reviews should not be neglected. Developers can use the top ten to define their security guidelines to ensure the code is compliant with standards and best practices for secure development.

As security risks are constantly evolving, the OWASP list is a good way to stay on top of major trends in web app security. You can even include the OWASP Zap in your CI/CD pipelines and automate tests and reports.

Implementing best practices early in a project can guarantee a much more secure design, which is critical for easier maintenance and avoiding vulnerabilities that can harm your business.

This new ranking has multiple shifts and renaming for better understanding and readability, and OWASP experts should approve the draft by the end of the year.

Further reading: Top Code Debugging and Code Security Tools

Source of this news: https://www.esecurityplanet.com/applications/owasp-list-gets-a-new-top-vulnerability/

Related posts:

DDOS Attacks Targeting Payment Services of Global Financial Institutions - Security Boulevard
A threat actor or group is actively targeting the online services of branches of global financial institutions with their headquarters located in Europe. Radware Cloud DDoS Protection Services prev...
Next Article How AI & proxies drive web scraping - computing.co.uk
As public online data acquisition becomes increasingly important to decision-making, AI, web scraping and proxies will continue to find their way into business activities. While the inclusion of AI i...
'House Of Sticks' Is An Immigrant Success Story With Filial Bonds At The Core - NPR
House of Sticks: A Memoir, Ly Tran Scribner hide caption toggle caption Scribner House of Sticks: A Memoir, Ly Tran Scribner Ly Tran's memoir House of Sticks bring...
CircleCI Adds Security, Compliance, plus Insight Enhancements with Latest Offering - Database Styles...
CircleCI, providers of the continuous integration and constant delivery (CI/CD) platform, adds to your home new insights and improved installation features to their self-hosted server solution. ...
Procaps Group Reports Record Second Quarter 2021 Financial Results - Yahoo Finance
Second Quarter 2021 Net Revenues Increased 35% to $97 Million Year-Over-Year with Adjusted EBITDA Up 28% Year-Over-Year Company Reaffirms Revenue and Adjusted EBITDA Growth Trajectory for Full Year 2...
Scientists Warn of FontOnLake Rootkit Malware Targeting Linux Components - The Hacker Story
Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to i...
Are Decade-Old DoS Tools Still Relevant in 2021? - Security Boulevard
Surprisingly, the answer is yes. After Anonymous fell apart in 2016, the threat landscape shifted rapidly. The once mainstream group of organized Denial of Service (DoS) attacks with simple GUI-bas...
Multifactor Authentication Is Being Targeted through the process of Hackers – The New Add - thenewst...
It was not more than a matter of time. While multifactor authentication (MFA) makes taking into systems safer, this can doesn’t make it “safe. ” As well-known hacker Kevin Mitnick of KnownBe4...
Top Trends in Database Security to Watch Out for in 2021 - CIO Applications
Between January and September 2020, roughly 36 billion data got hacked, according to a report. While this conclusion is astounding, it also emphasizes the importance of following proper database secu...
What kind of a beast are Residential Proxies? - PC-Tablet
Like most proxies, residential proxies act as an intermediary between a users’ device and the internet. They transfer requests from the user to the web and responses back from the web to the user. T...
TunnelBear Review: A VPN For The Rest Of Us - Mashable India
With privacy an ongoing concern, finding ways to safeguard your data and obscure your web browsing should be easy. Virtual Private Networks (VPN) have a long history among safety-minded internet user...
The meaning of proxy server because why you should use it - Techstory
A proxy — is a server that runs between the patient and the web, encrypting actual address of a client. It can benefit to prevent cyberattacks, protecting registered users from malware and ann...
ISPs Give 'Netflow Data' To Third Parties, Who Sell It While not User Awareness Or Consent - Techdir...
from the more-of-the-same dept Back encompassing 2007 or so there was a ruckus when broadband ISPs were found to be disposing of your "clickstream" data (which sites you visit the actual long yo...
The DDoS Threat On IoT Devices Like Routers - TheNationRoar
Source: csoonline.com Storage limitations and network capacity leave simple IoT, Internet of Things, devices such as routers highly vulnerable to cyber-criminals. Distributed Denial-of-Service, DDoS ...
Fix League of Legends Error Code 003 on Windows PC - TheWindowsClub
If you are getting the League of Legends error 003 on your Windows 11 or Windows 10 gaming PC, then this post is intended to help you with the most suitable solutions to fix the error. This error usu...
Monetizing email ads will be difficult on iOS 15 - Illinoisnewstoday.com
“”Sell ​​cider“” Is a column written by the sellers of the digital media community. Today’s column is written by Chris Suptoline, Vice President of Marketing at Kebel. With the official release of i...
How To Watch Your Favorite Movies On Netflix From Anywhere - Programming Insider
There’s a lot of fantastic stuff on Netflix, but much of it is geo-blocked. The range of shows and movies you can see varies depending on your location. In certain countries, the Netflix library is ...
The Spamhaus Project - Frequently Asked Questions (FAQ) - Spamhaus
Abuse Desk Abuse Desk is the common name for the group of network administrators charged with enforcing Acceptable Use Policy/Terms of Service agree...

IP Rotating Proxy Onsale

SPECIAL LIMITED TIME OFFER

00
Months
00
Days
00
Hours
00
Minutes
00
Seconds
First month free with coupon code FREE30