What is OWASP?
OWASP (Open Web Application Security Project) is a non-profit organization that focuses on improving website security. It provides open-source software development programs, projects, toolkits, conferences, articles, videos, forums, methodologies, documentation and technologies for its community. All of these tools and this knowledge are free and easily accessible to anyone interested in website security. One of its most important projects is the OWASP Top Ten. Before OWASP, few tools and little knowledge about cybersecurity were available. With OWASP, the community started to learn how to protect against vulnerabilities, how to strengthen software encryption and how to reduce the number of bugs in their code.
What is the OWASP top ten?
The OWASP Top Ten is a document listing the ten most critical vulnerabilities in website security. It shows the risks, the impact and the countermeasures. The list was created by website security experts from around the world. The weaknesses are ranked according to their severity, the frequency with which the security risks are discovered and the magnitude of their potential impact. OWASP recommends that all companies incorporate the findings of this document into their website security process to mitigate security risks. The OWASP Top Ten is updated every three to four years. The last OWASP Top Ten was released in 2017, and a draft of the OWASP Top Ten 2021 was recently released. Since the last OWASP Top Ten, some things have changed: there are three new categories, four categories have changed names or scope, and some categories have been merged. The OWASP Top Ten 2021 weaknesses are:
- Broken access control
- Cryptographic failures (was: Sensitive data exposure)
- Injection
- Insecure design (new)
- Security misconfiguration
- Vulnerable and outdated components (was: Using components with known vulnerabilities)
- Identification and authentication failures (was: Broken authentication)
- Software and data integrity failures (new)
- Security logging and monitoring failures (was: Insufficient logging and monitoring)
- Server-side request forgery (new)
Each weakness is explained with an example and OWASP recommendations.
The top ten OWASP weaknesses of 2021
Cryptographic failures
What is it:
A cryptographic failure is the compromise of data that should have been protected by cryptography. This is certainly a problem for data covered by privacy laws.
Examples:
- Passwords
- Credit card numbers
- Medical information
- Credentials
- National registry numbers
- Personally identifiable information
- Other personal information
- Trade secrets
OWASP recommendations:
- Classify data used by an application and identify which data is sensitive.
- Do not store sensitive data unnecessarily.
- Encrypt all sensitive data at rest. Encrypt all data in transit with secure protocols. Use authenticated encryption.
- Use proper key management. Generate keys with cryptographic randomness and store them in memory as byte arrays.
- Disable caching for responses that contain sensitive data.
- Apply the required security measures according to the data classification.
- Do not use older protocols such as FTP and SMTP for sensitive data.
- Use strong adaptive and "salted" hashing functions with a work factor to store passwords.
- Choose initialization vectors appropriate for the mode of operation.
- Use cryptographic randomness where appropriate, and make sure it is not seeded in a predictable way or with low entropy.
- Avoid deprecated cryptographic functions and "padding" schemes.
- Verify the effectiveness of the configuration and settings independently.
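The password-storage recommendations above (salted, adaptive hashing with a work factor, cryptographic randomness, constant-time comparison) applied in one place. This is an added example, not code from the original page or from OWASP; it uses only the Python standard library, and the work-factor and record-format choices are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Policy values chosen for this example (hypothetical; tune the work factor to your hardware).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor: raise it over time as hardware gets faster
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest' (salt and digest in base64)."""
    salt = os.urandom(SALT_BYTES)   # cryptographic randomness: a fresh salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor, then compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False            # malformed record: a failed check, never a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy (rehash at next login)."""
    algo, iters, _, _ = record.split("$")
    return algo != ALGO or int(iters) < iterations
```

Because the record carries its own algorithm and iteration count, the work factor can be raised later without invalidating existing accounts.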
Injection
What is it:
This weakness happens when a web application receives untrusted data from an attacker that makes the application do something it was not programmed to do.
Example:
SQL injection is one of the most well-known injection flaws. SQL injection is a consequence of using untrusted data when constructing a vulnerable SQL call. Because web applications often fail to validate and sanitize the data they use, that data cannot be trusted. This means that code injection weaknesses can be present in all kinds of technology related to websites.
OWASP recommendations:
- Keep data from commands and queries separate.
- Use a secure API as the preferred option.
- Use positive or "whitelist" server-side input validation.
- Escape special characters using the escape syntax specific to the interpreter.
- Use LIMIT and other SQL controls in queries.
Insecure design (new)
What is it:
Insecure design means control design that is missing or ineffective. Insecure design and insecure implementation are not the same thing: they have different causes and different remedies.
Example:
Failing to determine the level of security design the application requires is an example of insecure design.
OWASP recommendations:
- Implement requirements and resource management, secure design and development lifecycle.
- Implement a secure development lifecycle to help establish privacy and security controls.
- Use a library of secure design patterns or ready-to-use components.
- Use threat modeling for critical authentication, business logic, access control and key flows.
- Integrate security language and controls into user stories.
- Integrate plausibility checks at every level of your application.
- Write unit and integration tests to confirm that all critical flows are resistant to the threat model. Create use cases and misuse cases.
- Separate the tiers of the system and the network layers. Segment "tenants" robustly at all levels by design.
- Limit resource usage per user or service.
Security Misconfiguration
What is it:
A security misconfiguration weakness happens when an application does not have a common, repeatable configuration process for application security. Attackers probe for it by trying as many configuration combinations as possible.
Example:
One of the most well-known website weaknesses is leaving a CMS in its default configuration.
OWASP recommendations:
- Implement secure installation processes, including:
  - A repeatable, automated "hardening" process.
  - Making it fast and easy to deploy another environment that is appropriately locked down.
  - Removing unused frameworks and features.
  - Reviewing and updating the configurations appropriate to all security notes, updates and patches.
  - Reviewing cloud storage permissions.
  - A segmented application architecture, using containerization, segmentation or cloud security groups.
  - Sending security directives to clients.
  - An automated process to verify the effectiveness of settings and configurations.
Vulnerable and outdated components
What is it:
Nowadays even simple websites have many weaknesses. If you do not update every piece of software on your website, your website will carry security risks.
OWASP recommendations:
- Implement a patch management process that includes:
  - Removing unused dependencies.
  - Inventorying both server-side and client-side components and their dependencies.
  - Continuously monitoring sources of known vulnerabilities for the components in use.
  - Obtaining components only from official sources.
  - Monitoring for libraries and components that are unmaintained or do not provide security patches for older versions.
  - An ongoing plan for triage, monitoring and applying configuration changes or updates for the life of the application.
Identification and authentication failures
What is it:
A broken authentication weakness can be attacked by automated or manual methods. That way, the attacker can gain control over any account they want or even the entire system.
Examples:
- Incorrect validation of certificate with host mismatch
- Improper authentication
- Session fixation
OWASP recommendations:
- Implement multi-factor authentication wherever possible.
- Do not deploy or ship with default credentials.
- Align password length, complexity and rotation policies with evidence-based password policies.
- Use the same messages for all outcomes to ensure that your registration, credential recovery and API paths are hardened against account enumeration attacks.
Software and data integrity failures (new)
What is it:
Software and data integrity flaws are weaknesses related to code and infrastructure that are not protected against integrity violations.
Examples:
- Plugins, libraries or modules from untrusted sources, repositories or content delivery networks are used in the application.
- An insecure CI/CD pipeline can introduce malicious code, a system breach or unauthorized access.
- Updates are downloaded without sufficient integrity verification and applied to the previously trusted application.
- ...
OWASP recommendations:
- Use digital signatures or similar mechanisms.
- Make sure dependencies and libraries are consumed from trusted repositories.
- Verify that components have no known weaknesses by ensuring that a supply chain security tool is used.
- Make sure there is a review process for configuration and code changes to reduce the chance of malicious code.
- Ensure the pipeline has configuration, segregation and access control to ensure code integrity.
Security logging and monitoring failures
What is it:
Security logging and monitoring failures occur when logging, detection and monitoring are inadequate. Without adequate logging and monitoring, breaches cannot be detected.
Examples:
- Auditable events, such as logins, failed logins and high-value transactions, are not logged.
- Warnings and errors generate unclear or no log messages.
- Application and API logs are not monitored.
- Logs are stored only locally.
- Appropriate alert and response escalation processes have not been implemented.
- Penetration testing and scans with dynamic application security testing tools do not trigger alerts.
- The application cannot detect active attacks in real time.
OWASP recommendations:
- Ensure that all login, access control and server-side input validation failures can be logged with sufficient user context.
- Ensure that logs are generated in a format that can be easily used by log management solutions.
- Prevent injection or attacks on the logging or monitoring systems by encoding log data correctly.
- Prevent manipulation or deletion by ensuring that high-value transactions have an audit trail with integrity controls.
- Establish effective monitoring and alerting.
- Establish a plan for incident response and recovery.
Server-side request forgery (new)
What is it:
When a web application fetches a remote resource without validating the URL supplied by the user, an attacker can make the application send a crafted request to an unintended destination.
OWASP recommendations:
- Reduce the impact of server-side request forgery by segmenting remote resource access functionality into separate networks.
- Enforce "default deny" for firewall policies or network access control rules. Block all but essential traffic.
- Sanitize and validate all client-supplied input data. Use a positive allow list to enforce the URL scheme, port and destination. Do not send raw responses to clients. Disable HTTP redirects. Be aware of URL consistency.
- Do not deploy other security-relevant services on front systems.
- For frontends with dedicated and manageable user groups, use network encryption on independent systems.
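A positive allow list on scheme, destination and port of the kind the recommendations above call for, evaluated on the parsed URL rather than on substrings. This is an added example, not code from the original page, from OWASP or from Jimber; the allowed hosts and ports are constructed for it.

```python
from urllib.parse import urlsplit

# Constructed allow list: the only destinations the server may fetch on a user's behalf.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}
ALLOWED_PORTS = {443}
DEFAULT_PORTS = {"https": 443, "http": 80}


def is_allowed_url(url: str) -> bool:
    """Positive allow list on scheme, host and port.

    The check covers only the URL it is given: the HTTP client that performs the
    fetch must be configured not to follow redirects, and hosts that resolve to
    internal addresses still need a resolution-time check (URL consistency).
    """
    try:
        parts = urlsplit(url)
        port = parts.port               # None when absent, ValueError when not a number
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # Credentials in the URL are rejected outright: in
    # 'https://api.partner.example@evil.example/' the host is evil.example,
    # and a substring match on the allow-listed name would be fooled.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname               # lower-cased, without userinfo or port
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return port in ALLOWED_PORTS
```

A deny list or a regular expression over the raw string would accept several of the inputs the test rejects; matching on the parsed components is what makes the list positive.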
Discover our Jimber Web Application Isolation
The Jimber Web Application Isolation protects your enterprise applications by using a container. Your data is interpreted in the container and only a graphical visualization of the data reaches the end user. Attackers can only communicate with the Jimber layer and no longer with the APIs of the application. In this way, any danger is eliminated. Our Web Application Isolation meets the highest requirements and ensures website security. The Jimber Web Application Isolation mitigates many of the OWASP top ten weaknesses of 2021. Some weaknesses can be explained in more detail. Keep in mind that Jimber Application Isolation works on top of your current security measures. It cannot stop every possible vulnerability on its own. However, it will reinforce existing security measures and provide a strong additional layer of protection.
Broken access control
Since application isolation does not work within the app itself, we cannot prevent broken access controls. However, screen recording can show who used the access control.
Cryptographic failures
Our application isolation is not a protection against sensitive data leakage. However, the use of screen recording does make it possible to track the data accessed by the user.
Injection
By restricting user access to APIs, our Web App Isolation can prevent most injection opportunities. It also prevents buffer overflow attacks. Frontend protection / input control is now security. We cannot completely prevent XSS. However, we can prevent XSS from accessing external resources to prevent data leaks. We can also detect anomalies in data traffic. Furthermore, we scan URLs for scripting.
Security Misconfiguration
We do not allow XML to be sent directly to the backend service. This makes XXE almost impossible. The attack surface for security misconfigurations becomes much smaller, because optical security is security.
Vulnerable and outdated components
Many vulnerable and obsolete components are exploited by directly accessing APIs. This particular angle of attacking vulnerable and obsolete components becomes impossible with Jimber Web Application Isolation.
Identification and authentication failures
By applying OAuth or public/private key authentication to your SaaS application or intranet, we can protect authentication with the best possible security.
Read more about the 2021 OWASP top 10 on their website: https://owasp.org/Top10/