What is OWASP

What is OWASP (Open Web Application Security Project)?

OWASP (Open Web Application Security Project) is a non-profit organization devoted to improving software security. It follows an "open community" model that lets anybody take part in, and contribute to, online discussions, projects, and other OWASP activities. OWASP keeps its material, from forums and events to online tools and videos, free and accessible through its website.

What is OWASP in cyber security, what are its Top 10 significant security risks, and how is the list used?

OWASP has maintained its Top 10 list since 2003, revising it every two to three years to reflect developments and shifts in the application security (AppSec) sector. The list's value comes from the practical advice it offers, which many of the world's largest companies use as a checklist and internal standard for developing web applications.

Auditors frequently interpret a company's failure to address the OWASP Top 10 as a sign that it may not be meeting other compliance requirements either. Conversely, incorporating the Top 10 into the software development life cycle (SDLC) demonstrates a company's general commitment to industry best practices for secure development.

OWASP Top 10 security risks, 2021 

  1. A01:2021 Broken Access Control: These flaws let attackers bypass access restrictions, for example by elevating their own privileges or by other means, so that unauthorized users can reach data or systems. Applications contained more occurrences of the 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control than of any other category.
  2. A02:2021 Cryptographic Failures: These risks arise when cryptographic techniques are not properly used to protect data. They include the use of outdated encryption ciphers, improperly implemented encryption protocols, and other weaknesses in encryption controls. The renewed focus here is on cryptographic bugs that often lead to sensitive data exposure and system compromise.
  3. A03:2021 Injection: These vulnerabilities let an attacker send data containing malicious commands into an application, redirect data to a malicious site, or modify the application itself. The most common form, Structured Query Language (SQL) injection, remains an important attack vector. To prevent injection, all untrusted data, especially data submitted by end users, must be explicitly validated before it is used.
  4. A04:2021 Insecure Design: A new category for 2021 covering risks that stem from flaws in the system architecture rather than in the implementation. These problems arise when applications are built around insecure processes, for example an insecure authentication flow, or a website that is not designed to withstand bots.
  5. A05:2021 Security Misconfiguration: Security misconfigurations are weaknesses that result from errors or omissions in an application's design or configuration. In the previous edition, 90% of the applications were tested for some kind of misconfiguration. It is no surprise that this category is on the rise as software becomes ever more configurable.
  6. A06:2021 Vulnerable and Outdated Components: Components with known vulnerabilities, such as published CVEs, should be identified and patched, and outdated or malicious components should be assessed for the risk they pose. These issues can occur if the underlying operating system or program interpreter has not been patched; outdated APIs and software libraries can also introduce them into your application.
  7. A07:2021 Identification and Authentication Failures: These vulnerabilities include authentication weaknesses that allow credential stuffing and brute-force attacks. The category also covers applications that do not use multi-factor authentication and do not invalidate expired or inactive user sessions. If authentication is implemented improperly, attackers can compromise passwords, keys, and sessions, leading to outcomes such as user identity theft.
  8. A08:2021 Software and Data Integrity Failures: This new category for 2021 covers software updates, critical data, and CI/CD pipelines that are used without integrity verification. It has one of the highest weighted impacts in Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data across the 10 CWEs mapped to it. For example, problems occur when software updates are installed without a digital signature being checked. In 2021 this category was expanded to include insecure deserialization.
  9. A09:2021 Security Logging and Monitoring Failures: These weaknesses occur when systems are not properly monitored to detect and respond to attacks, and when logs of such events are not maintained. The category has been expanded to include more types of failure; these are harder to test for and are not well represented in CVE/CVSS data. Nevertheless, failures here directly affect visibility, incident alerting, and forensics.
  10. A10:2021 Server-Side Request Forgery: Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource without validating the user-supplied URL. This lets an attacker make the application send crafted requests to unexpected destinations, even when the system is protected by a firewall, VPN, or an additional network access control list. Applications should properly validate user-provided resource locations to prevent these attacks.
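The injection item above calls for validating untrusted input before it reaches the database. The following is an added example, not code from the page or from OWASP: it shows the classic defect beside its parameterised fix, using an in-memory SQLite table with constructed sample rows.

```python
import sqlite3

# Constructed sample table for this demonstration (not from the page).
USERS = [("alice", "hash-a"), ("bob", "hash-b")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced into the SQL text, so the input can change
    # the statement's structure: the defect behind A03 Injection.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the SQL text,
    # so whatever it contains is only ever compared as data.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> dict:
    # Run the same input through both lookups on a fresh database.
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, username),
        "safe": find_user_safe(conn, username),
    }


if __name__ == "__main__":
    # A username containing a quote and an always-true clause: the vulnerable
    # lookup returns every user, the parameterised one returns none.
    print(compare("x' OR '1'='1"))
```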
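For the SSRF item above, here is an added example (not code from the page or from OWASP) of the URL validation it calls for: an allowlist of schemes and hosts, plus a check that the name does not resolve to an internal address. ALLOWED_HOSTS, BLOCKED_NETS and the injectable resolver are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for this example: only these hosts and schemes may be fetched.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Minimal (not exhaustive) set of ranges an outbound fetch must never reach:
# unspecified, RFC 1918, CGNAT, loopback, link-local, multicast, ULA.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def default_resolve(host: str) -> list:
    # Every address the name resolves to (v4 and v6); IPv6 scope ids are stripped.
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address such as ::ffff:10.0.0.1 is judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def check_outbound_url(url: str, resolve=default_resolve) -> tuple:
    # Returns (allowed, reason). `resolve` is injectable so the check can run offline.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    # Reject if ANY resolved address is internal: a name that maps to both a
    # public and an internal address must not be fetched through the server.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"
```

The fetch itself should then connect to the address that passed the check and not follow redirects, otherwise a name that changes between check and use, or a redirect, can still route the request elsewhere.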

Is your web application secure enough? Think again! We can help you identify the information security gaps in your web application; for more details, contact us.

Connect with us.
ANA Cyber Forensic Pvt. Ltd. 
Mobile – 09011041569 
Email: info@anacyber.com
