OWASP Top 10 2021

360 points, by chha, over 3 years ago

19 comments

ThePhysicist, over 3 years ago

Interesting that "broken access controls" made it into the top spot. Not sure if this is anecdotal, but recently I've seen many "hacks" of apps built with external BaaS & auth providers that rely on some kind of token-based authentication, either via JWT or opaque tokens. What happens is that often the providers offer good support for role-based access control, but developers just plain ignore it and e.g. include tokens with global read permissions in the app code, or do not properly restrict the permissions of individual tokens, making it possible to e.g. read the whole database with a normal user token. The researcher collective Zerforschung [1] e.g. has uncovered many such incidents. That might have to do with the fact that in my experience those BaaS frameworks and other low-code tools are mostly used by teams with a strong focus on product and UI/UX, which don't have deep security expertise or the right mindset. I think overall outsourcing of aspects like authentication can be beneficial, but only if teams adopt or retain a healthy security awareness as well.

[1] https://twitter.com/zerforschung
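The failure mode described above, as an added example that is not part of the comment or of any BaaS product: a token is verified correctly, but the "unscoped" read hands any row to any valid token, while the hardened read decides per row from the token's own claims. The records, the HS256 secret and the mint_token helper are constructed so the block runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data standing in for a BaaS-hosted table.
RECORDS = {
    1: {"owner": "alice", "email": "alice@example.test"},
    2: {"owner": "bob", "email": "bob@example.test"},
}
SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret of the auth provider


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT; only here so the example is self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check algorithm and signature before trusting any claim in the payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise PermissionError("bad signature")
    return json.loads(_unb64url(payload_b64))


def read_record_unscoped(token: str, record_id: int) -> dict:
    """The pattern the comment describes: authentication only, so any valid token reads any row."""
    verify_token(token)
    return RECORDS[record_id]


def read_record(token: str, record_id: int) -> dict:
    """Hardened: authorization is decided per row from the caller's own subject and role."""
    claims = verify_token(token)
    row = RECORDS[record_id]
    if claims.get("role") != "admin" and row["owner"] != claims.get("sub"):
        raise PermissionError("caller is not the owner")
    return row


def can_read(token: str, record_id: int) -> bool:
    """Convenience wrapper: True when the hardened read permits access."""
    try:
        read_record(token, record_id)
        return True
    except PermissionError:
        return False
```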
tptacek, over 3 years ago

"The former category for XML External Entities (XXE) is now part of [Security Misconfiguration]."

"Insecure Deserialization from 2017 is now a part of [Software and Data Integrity Failures] [...] focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity."

These seem like nonsense statements. XXEs aren't misconfiguration (in any sense that a myriad of other vulnerabilities aren't "misconfigurations" of libraries), and deserialization bugs aren't software update bugs (I don't even know what CI/CD is doing in that description).

The OWASP Top 10 is rapidly losing coherence.

It's important not to take it too seriously. For all the pantomime about survey data, there's not much real rigor to it. It's mostly a motivational document, and a sort of synecdoche for "all of web app security".

The best part of this is the end, where they say "we have no data to support having SSRF on the list, but 'industry people' tell us it's too important not to". Gotta side with the industry people on that one. But maybe you can cram it into "Insecure Design" next year and be rid of it!
kingkongjaffa, over 3 years ago

I had to go to the GitHub, then to https://owasp.org/ to figure out what the heck OWASP even stood for!

For those stumbling onto this:

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
freeqaz, over 3 years ago

For the "broken access controls", "cryptographic failures", and "bad design" categories, I've been working on an open source project to help mitigate those.

It's still early and I haven't released it yet, but I have the docs[0] deployed now. If anybody feels like helping us test this early, I'd love some feedback. We're going to be pushing the code live in a week or so. (It's been a lot of building for a while now.)

I've been thinking about these problems for a while now (as a security engineer) and it's cool to see that my intuition is roughly in line with what OWASP is seeing these days. It's always hard to know if the problems you see people struggling with are representative of the industry as a whole, or if you're just in tunnel vision.

Note: We're building this as a company so that we can actually afford to continue doing this full time. I'm still learning how to find the line between open source and a viable business model. Any thoughts would be appreciated[1]!

0: https://www.lunasec.io/docs/

1: email me at free at lunasec dot io
plasma, over 3 years ago

New to the list is Server-Side Request Forgery (SSRF), where you trick the remote server into fetching a sensitive URL on an attacker's behalf (e.g., an internal service or cloud metadata URL from the context of an internal server). A language-agnostic defense is using something like Stripe's Smokescreen [1], which acts as a SOCKS proxy your app connects to when requesting URLs that should be quarantined, and it enforces whether access to internal/external IPs is allowed or not.

[1] https://github.com/stripe/smokescreen
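An added in-process version of the decision Smokescreen makes at the proxy (example code, not part of the comment or of Smokescreen): resolve the destination before fetching and refuse anything that lands on a loopback, link-local, private or otherwise non-public address. The hostnames and the fake resolver are constructed so it runs offline; real use passes resolve_dns and must then connect to one of the returned IPs rather than re-resolving the name.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name table so the check can run without network access.
FAKE_DNS = {
    "intranet.example.test": ["10.0.0.5"],
    "api.example.test": ["93.184.216.34"],
    "metadata": ["169.254.169.254"],
}
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # CGNAT range, not flagged by is_private


def resolve_dns(host: str) -> list:
    """Real resolver: every address the name maps to, so one bad answer blocks the fetch."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def resolve_fake(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_disallowed_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or ip in SHARED_SPACE)


def check_outbound_url(url: str, resolver=resolve_dns) -> tuple:
    """Return (allowed, reason, resolved_ips).

    The caller must connect to one of resolved_ips, not re-resolve the host;
    otherwise a DNS answer that changes between check and connect bypasses this.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP (v4 or bracketed v6): no lookup
    except ValueError:
        ips = resolver(host)
    if not ips:
        return False, f"{host!r} did not resolve", []
    for ip in ips:
        if is_disallowed_ip(ip):
            return False, f"{host!r} resolves to non-public address {ip}", ips
    return True, "ok", ips
```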
raesene9, over 3 years ago

Some interesting changes in the Top 10 this time around and, in general, I think they're good changes.

It does suffer a little bit, though, from some of the entries being quite wide-ranging and non-specific, which I think could leave people scratching their heads about exactly what's involved.

I'm glad to see that monitoring and logging is still included as, in many years as a web app pentester, it was really common to see no application-level detection and response to security attacks.
querez, over 3 years ago

The homepage does a very poor job of giving any context, so for those who (like me) have no clue what they're looking at: This list represents a broad consensus about the most critical security risks to web applications. See https://owasp.org/www-project-top-ten/ for more details (OWASP = "Open Web Application Security Project").
dspillett, over 3 years ago

I'm not sure server-side request forgery needs to be its own category where request forgery covers things from all sides.

Server-side attacks are more common as systems get more complex and have many moving parts that need to be able to trust each other (in microservice architectures, for instance), but failing to account for forgery at all levels is more a security-in-depth failure (fitting in the new, very vague "insecure design" category?).

Unless I'm misunderstanding what is being meant here, which is far from impossible!
DiffEq, over 3 years ago

Notice the Venn diagram at the bottom of the page. If you were going to put money into a security solution, you would do your best work if you made sure your security-related configurations were correct and remained in place (least privilege configuration and change control). It affects every other category except injection and known vulnerabilities. So then you would make sure you had good life cycle management and patch management to address the issues with software vulnerabilities, and then make sure you use prepared statements (with parameterized queries) or properly constructed stored procedures. This is where your focus and money should go before you start doing anything else.
Ekaros, over 3 years ago

Seems like this is still a draft and the release will be later this month. Still, especially design and CI/CD seem like good points to include from a security professional's perspective.
benfrancom, over 3 years ago

Another data point referenced in InfoSec circles is the "Verizon Data Breach Investigations Report":

https://www.verizon.com/business/resources/reports/dbir/
valgor, over 3 years ago

It says "CWE" a lot, but does not say what a "CWE" is. Anyone know?
cedricbonhomme, over 3 years ago

Nice, thank you for this list!

It is now possible to import these items into the MONARC security assessment software:

https://objects.monarc.lu/schema/14 ;-)
ludovicianul, over 3 years ago

I'm honestly happy to see "Insecure Design" in the list. With all the buzzwordy Agileness, people often forget that (at least) high-level design is important and brings a lot of value if done early on.
Macha, over 3 years ago

I wonder which one the "REST endpoint just JSON-serializes and spits out the whole database row" problem falls under now? I previously thought sensitive data exposure included this case.
Yuioup, over 3 years ago

Is there a hi-res version of the "2017 vs the 2021" image? I'd like to share it with my colleagues.

[Edit] Same goes for the other images, such as the Venn diagram.
makach, over 3 years ago

Wow! Great job! Readability is extremely important! Making it easier to see what the current major threats are will make us more focused and secure in the long run!
laurent123456, over 3 years ago

The full title should be "Introduction to OWASP Top 10 2021", because it's specifically about the new top 10 this year.
1cvmask, over 3 years ago

Authentication and Broken Access Controls are two separate categories. I would have put authentication as a subset of Broken Access Controls. At saas pass we see authentication and MFA as a subset of identity and access management and the access controls.