Applications often contain high-risk vulnerabilities that attackers can exploit with little effort. A careless approach to security leads to disastrous consequences, and choosing the wrong mobile security strategy costs you your customers' trust. Attackers take advantage of many types of weakness: weak server-side controls, insecure data storage, insecure data exchange, vulnerable third-party components, and so on. The number of new vulnerabilities has been rising steadily in recent years. Vulnerability management is a continual process of detecting risk and planning how to prevent future damage.
Organizations should bolster their defenses to prevent the exploitation of old and new vulnerabilities. OWASP (Open Web Application Security Project) is a non-profit organization that aims to improve software security. OWASP developed the Top 10 to guide enterprises on security best practices that protect their applications from vulnerabilities. It is an open community project that updates the list regularly as the threat landscape keeps evolving. This article walks you through the revised OWASP Top 10 vulnerabilities list for 2022 so that enterprises can tackle security concerns in the coming years.
OWASP Top 10 Vulnerabilities 2022
OWASP updates the list every two or three years to keep up with the evolving threat landscape and has adopted a data-driven approach for this new edition. The updated list highlights the ten vulnerabilities most likely to affect enterprises in the coming years; AppSec researchers find new vulnerabilities and test them before including them. The previous OWASP list was published in 2017, and the current one was released in Q4 of 2021. The updated list contains three new categories, four categories with naming and scoping changes, and some consolidation. We will go through the critical changes introduced in the revised list.
What has changed in the Top 10 for 2021-2022?
- A01:2021 – Broken Access Control: Broken Access Control was fifth in the 2017 list and now takes the first position as the most serious web application security risk. Data suggests more than 318k occurrences of CWEs in this risk category, found in 3.81% of the applications tested.
- A02:2021 – Cryptographic Failures: Previously known as A3:2017 – Sensitive Data Exposure and ranked third, this category has moved up to the second position. Sensitive Data Exposure was renamed Cryptographic Failures to cover all security risks arising from poor cryptography.
- A03:2021 – Injection: Injection has moved to the third position in the revised list, and Cross-Site Scripting is now part of the Injection category. The incidence rate stood at 19% across the 94% of applications tested for injection. The 33 CWEs mapped into this category were observed to have 274k occurrences in applications.
- A04:2021 – Insecure Design: Insecure Design is a new addition to the 2021 list and covers risks related to design flaws. Secure design patterns and principles, reference architectures, and more threat modeling are of paramount importance here.
- A05:2021 – Security Misconfiguration: Security Misconfiguration was in the 6th position in the 2017 list and has moved up to the 5th position. Data suggested that around 90% of the applications had some kind of misconfiguration. The average incidence rate stood at 4.5%, and over 208k occurrences of CWEs were mapped to this risk category. A4:2017 – XML External Entities (XXE) from the previous list is now part of this category.
- A06:2021 – Vulnerable and Outdated Components: Previously known as ‘Using Components with Known Vulnerabilities’, this category has moved from the 9th position to the 6th. It is the only category with no CVEs mapped to the included CWEs.
- A07:2021 – Identification and Authentication Failures: Known as Broken Authentication in the 2017 list, where it held the second position, this category is now seventh. It covers the CWEs associated with identification failures as well.
- A08:2021 – Software and Data Integrity Failures: This new addition to the 2021 list focuses on unverified assumptions about critical data, software updates, and CI/CD pipelines. It also absorbs A8:2017 – Insecure Deserialization from the previous list.
- A09:2021 – Security Logging and Monitoring Failures: Previously called Insufficient Logging and Monitoring, this category has moved up from the tenth position to the ninth. It now includes more failures that affect incident alerting, visibility, and forensics.
- A10:2021 – Server-Side Request Forgery: This new addition comes from the Top 10 community survey. It was added because it represents risks that need to be addressed even though they are not yet illustrated in the data.
Crucial details on the new Top 10 Vulnerabilities list
OWASP created the new list by focusing on the root causes behind CWEs. The updated list is useful for training because companies can focus on the CWEs that apply to their language or framework. Eight of the ten categories were formed on the basis of collected data; the remaining two come from the Top 10 community survey.
OWASP Top 10 vulnerabilities 2022 is a result of naming modifications, scoping, and consolidation. Let’s have a look at the vulnerabilities one by one and the solutions to address these vulnerabilities.
1. Broken Access Control
Broken Access Control is a weakness through which attackers gain access to user accounts. The attacker then operates as a user or administrator in the system and reaches unauthorized data and sensitive files. Broken access control flaws can also let attackers change user privilege settings. Unauthorized access to an admin panel, a website’s control panel, a server via FTP / SFTP / SSH, restricted applications on your server, or a database are all examples of broken access control.
This vulnerability can be addressed in the following ways:
- Implement an interactive application security testing (IAST) solution to detect cross-site request forgery or insecure storage of sensitive data
- Conduct penetration testing to supplement IAST activities
- Delete accounts that are no longer active
- Conduct regular audits and test access controls
- Use a proper session management method
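As an added example (not code from the article), this is the server-side check that closes this class of flaw: every access to a record is decided by one deny-by-default rule, and each denial is logged so the audits listed above have something to review. The users, roles, invoice records and actions are constructed for the demonstration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")

@dataclass(frozen=True)
class User:
    id: int
    role: str            # "user" or "admin" (assumed role model)

class Forbidden(Exception):
    """Raised for any request the authorization check does not explicitly allow."""

# Constructed records: each invoice belongs to exactly one user.
INVOICES = {
    101: {"owner_id": 1, "total": 42},
    102: {"owner_id": 2, "total": 99},
}

def authorize_invoice(user: User, invoice_id: int, action: str) -> dict:
    """Deny by default: return the invoice only if an explicit rule allows `action`."""
    invoice = INVOICES.get(invoice_id)
    allowed = False
    if invoice is not None:
        if action == "read":
            # Owners may read their own invoices; admins may read any.
            allowed = user.role == "admin" or invoice["owner_id"] == user.id
        elif action == "void":
            # Privileged action: owners cannot void their own invoices.
            allowed = user.role == "admin"
    if not allowed:
        # Audit every denial; a burst of denials across sequential IDs is a probing signal.
        log.warning("authz denied user=%s action=%s invoice=%s", user.id, action, invoice_id)
        # One response for "missing" and "not yours", so the ID space is not enumerable.
        raise Forbidden(f"{action} on invoice {invoice_id} not permitted")
    return invoice

def try_authorize(user: User, invoice_id: int, action: str) -> bool:
    """Boolean wrapper around authorize_invoice for callers that only need a yes/no."""
    try:
        authorize_invoice(user, invoice_id, action)
        return True
    except Forbidden:
        return False
```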
2. Cryptographic Failures
Cryptographic Failures occur when stored or transmitted data is compromised in some way.
Credit card fraud and identity theft are often the result of cryptographic failures. These failures occur when data is transmitted in plain text or when outdated algorithms are used. Insecure key management and key rotation practices are also responsible for cryptographic failures.
Solutions to address this vulnerability are as follows:
- Turn off autocomplete on forms that collect data
- Reduce the size of the data surface area
- Use data encryption when data is in transit and at rest
- Employ the most advanced encryption methods
- Deactivate caching on data-collecting forms
- Utilize strong hashing functions when saving passwords
3. Injection
Injection vulnerabilities arise when hostile data is sent to an interpreter, as in SQL, OS command, NoSQL, or LDAP injection. The injected data tricks the interpreter into executing unintended commands or making the application behave in ways it was not designed for. Any application that accepts parameters as input is potentially susceptible. The following approaches can be used to prevent injection attacks:
- Include SAST and IAST tools in CI/CD pipeline
- Separate commands from data so that attacker-controlled input cannot be executed as a command
- Use parameterized queries
- Use a safe API that avoids the interpreter entirely
- Employ server-side validation and an intrusion detection system to identify suspicious client-side behavior
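The following added example (not code from the article) shows why separating commands from data matters: the same lookup is written once by pasting the value into the SQL text and once as a parameterized query. A legitimate name containing an apostrophe is enough to show that the first version lets data change the meaning of the command, which is exactly what an injection attack exploits. The SQLite table and rows are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one name that contains a quote character."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")])
    return conn

def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Data is pasted into the command text, so any quote inside `name` becomes
    # SQL syntax: the interpreter cannot tell where the value ends.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_role_safe(conn: sqlite3.Connection, name: str) -> list:
    # The driver sends the parameter separately from the statement; it is only
    # ever treated as a value, never parsed as part of the command.
    return [row[0] for row in
            conn.execute("SELECT role FROM users WHERE name = ?", (name,))]

def lookup_both(name: str):
    """Run both variants on a fresh database and return (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        unsafe = find_role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"          # the quote in the name broke the statement
    safe = find_role_safe(conn, name)
    return unsafe, safe
```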
4. Insecure Design
Insecure Design refers to all flaws related to poor control design. This category covers threat modeling, secure design patterns, and reference architectures.
Solutions to address Insecure Design:
- Employ a secure development lifecycle
- Create a library of ready-to-use secure design patterns
- Integrate plausibility checks into each level of the application
- Deploy threat modeling for crucial authentication, access control, business logic, and key flows
- Restrict consumption of user and service resources
5. Security Misconfiguration
Security misconfiguration is the most common vulnerability among the top 10. Accepting insecure default settings, incomplete configurations, verbose error messages containing sensitive information, and misconfigured HTTP headers are responsible for security misconfiguration.
Solutions to address security misconfiguration:
- Use templates that are in line with the organization’s security policies
- Use segmented application architectures to reduce risk
- Eliminate unused features and services
- Conduct continuous monitoring of cloud resources, servers, and applications to detect security misconfigurations.
6. Vulnerable and Outdated Components
Open source components may contain vulnerabilities that pose a major threat to the security of the application. Vulnerable components are often the root cause of a data breach.
Solutions to minimize risk from vulnerable and outdated components:
- Components that are a part of company frameworks should be under configuration management.
- The scanner should be able to identify all the components that need to be monitored
- Automate patch management workflows to reduce the operational risk related to patching
- Conduct scanning against a vulnerability database enriched with threat intelligence data
7. Identification and Authentication Failures
Attackers compromise passwords, session tokens, or security keys when applications incorrectly execute functions related to session management or user authentication. This leads to stolen user identity. Identification and authentication failures can also risk the security of other assets within the same network.
Solutions to address identification and authentication failures:
- Employ multi-factor authentication
- Users with admin privileges should not use default credentials
- Assess all failed login attempts
- Deploy a secure session manager and don’t include session IDs in URLs.
8. Software and Data Integrity Failures
Software and data integrity failures happen when code and infrastructure do not protect against integrity violations. Malicious code and unauthorized access are the risks associated with this vulnerability. Programs that pull in plugins, libraries, or modules from untrusted sources are susceptible to integrity failures, and auto-update capabilities can result in updates being applied without the necessary integrity checks.
Solutions to address software and data integrity issues:
- Implement digital signatures to ensure the program has not been tampered with.
- Ensure the implementation of a review procedure for code and configuration modifications.
- Verify whether the libraries and dependencies are using trusted repositories.
- Check whether your CI/CD pipeline includes adequate segregation, configuration, and access control.
- Do not let unencrypted data pass to untrustworthy clients without some kind of integrity check.
9. Security Logging and Monitoring Failures
Logging and monitoring failures leave an application open to attack. If logins and failed logins are not logged and monitored, the application is vulnerable because attacks go undetected.
Solutions to address security logging and monitoring failures:
- Perform penetration testing to study test logs and detect possible shortcomings
- Generate logs in a format that log management solutions can easily consume
- Verify whether high-value transactions have an audit trail to prevent tampering
- Implement an alerting and monitoring mechanism to detect suspicious activities
- Encode all log data correctly
10. Server-Side Request Forgery
This is often the result of an application fetching a remote resource without validating the user-supplied URL. Complex architectures and the increasing use of cloud services have made server-side request forgery more common in recent years.
Solutions to address server-side request forgery:
- Enforce “deny by default” firewall policies
- Establish ownership and lifecycle for firewall rules based on applications
- Log all accepted and blocked network flows on firewalls
- Sanitize client-supplied input data
- Ensure URL consistency
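As an added example (not code from the article) of sanitizing client-supplied URLs, the function below accepts only http(s), only hosts on an allowlist and only standard ports, and then refuses any host that resolves to a non-public address, since a permitted hostname can still point inward. The allowlist and the resolver hook are assumptions chosen for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # assumed allowlist

def resolve(host: str) -> set:
    """Resolve a hostname to its IP addresses; separated out so tests can stub it."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_fetch_url(url: str, resolver=resolve) -> str:
    """Return the URL if it is safe to fetch server-side, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname                  # already lower-cased by urlsplit
    if not host or host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.port not in (None, 80, 443):  # raises ValueError itself on a bad port
        raise ValueError("port not allowed")
    # An allowlisted name can still resolve to an internal address (a stale or
    # compromised DNS record, rebinding): check every address it resolves to.
    for addr in resolver(host):
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url

def is_fetchable(url: str, resolver=resolve) -> bool:
    """Boolean form of validate_fetch_url for callers that only need yes/no."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False
```

The resolution check is only meaningful if the fetch connects to the address that was validated; let the HTTP client resolve the name again later and the answer may differ, so pin the address or re-validate at connect time.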
Final Thoughts
The 2021 list contains several additions that can make applications more resistant to cyber-attacks. Following the best practices in the OWASP Top 10 list helps prevent financial and reputational losses. OWASP Top 10 is a regularly updated report that addresses security concerns. The revised list contributes to stronger encryption, a reduced rate of operational failure, and a better chance of application success.
OWASP helps developers assess security risks and ways to fight them efficiently. The introduction of new categories in the revised list stresses the importance of security right from the design process. OWASP contributes to a more robust network and improves the enterprise’s cyber resilience.
Appsealing specializes in mobile app security solutions that provide robust protection for Android, iOS, and Hybrid apps. With expertise spanning fintech, gaming, O2O, and ecommerce industries, we offer zero-coding, scalable protection for apps with advanced threat analytics on attack vectors. We ensure easy-to-use compatibility with third-party tools along with real-time runtime protection. Get in touch with us today to leverage robust code protection with zero impact on app performance.