Understanding the OWASP Top 10: Key Web Application Security Risks for 2021

John Wagner introduces a new video series on the OWASP Top 10, which is the Open Web Application Security Project's list of the most critical security risks for 2021. This list is updated approximately every three to four years, with the last update occurring in 2017.

Wagner emphasizes that the OWASP Top 10 serves primarily as an awareness document rather than a strict security standard. He advises organizations to use it as a guideline while noting that their specific security concerns may differ. For a more rigorous security standard, he recommends the Application Security Verification Standard (ASVS), also provided by OWASP.

In discussing the methodology behind the 2021 OWASP Top 10, Wagner notes that this version is more data-driven than previous iterations, with eight of the ten categories based on data collected from various organizations and two derived from surveys. This approach marks a shift from past methods where a fixed set of approximately 30 Common Weakness Enumerations (CWEs) was used.

Wagner explains that the CWE, managed by the MITRE organization, is a community-developed list of software and hardware weakness types. In previous iterations, OWASP would solicit feedback on a prescribed set of CWEs, but for the 2021 version, they opened the data collection process to allow for a broader range of CWEs to be considered, reflecting a more comprehensive view of application security risks.

The number of Common Weakness Enumerations (CWEs) increased significantly from about 30 to nearly 400 in the 2021 version, indicating a substantial expansion in the scope of vulnerabilities that need to be analyzed.

The discussion distinguishes between root cause CWEs, such as cryptographic failures and security misconfigurations, and symptom CWEs, like sensitive data exposure and denial of service issues. OWASP aimed to focus on identifying and addressing root causes whenever possible.

OWASP published a call for data and received contributions from various organizations involved in security testing, including bug bounty vendors. This collaboration resulted in a comprehensive dataset encompassing over 500,000 applications, marking it as the largest application security dataset OWASP has ever analyzed.

In generating the top ten list, OWASP analyzed the collected data by examining the exploitability of security risks and their potential impacts. This involved assessing how easily vulnerabilities could be exploited and the technical consequences of these security risks.

The 2021 OWASP Top Ten list introduced three new categories compared to the 2017 version, along with four categories that underwent naming and scoping changes. Additionally, some categories from the 2017 list were consolidated in the 2021 update.

The top ten vulnerabilities identified in the 2021 OWASP list are: 1) Broken Access Control, 2) Cryptographic Failures, 3) Injection, 4) Insecure Design, 5) Security Misconfiguration, 6) Vulnerable and Outdated Components, 7) Identification and Authentication Failures, 8) Software and Data Integrity Failures, 9) Security Logging and Monitoring Failures, and 10) Server-Side Request Forgery (SSRF).