New OWASP 2021 list enhances application development security
The first update since 2017 has landed and it is interesting to see where the security emphasis is currently being encouraged by the team at the OWASP Top 10 group.
21-10-2021
What we have learnt since 2017 is that server-side validation is the key to keeping the wolf from our application’s door. Weak validation is the cause of over half of the vulnerabilities in the 2017 list. Therefore, make sure that you don’t take your eye off the ball, and maintain strong server-side checks on all data submitted to your websites.
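As an added illustration of the server-side checks the article recommends (example code written for this page, not taken from the article or its authors), here is a small allow-list validator for a constructed sign-up payload. The field names, limits and the sample payloads are assumptions for the example.

```python
import re

# Allow-list schema for a constructed sample sign-up form. Field names and
# limits are assumptions for this example, not taken from the article.
SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    "email":    {"type": str, "min_len": 3, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age":      {"type": int, "min": 13, "max": 120},
    # The client may only request low-privilege roles; "admin" is never accepted from input.
    "role":     {"type": str, "choices": {"user", "editor"}},
}
REQUIRED = {"username", "email"}


def validate(payload) -> list:
    """Return a list of error strings; an empty list means the payload is acceptable.

    Every rule runs on the server no matter what the browser already checked:
    unknown fields are rejected (allow-list, not block-list), types are verified
    before the value is used, and strings are bounded by length and pattern.
    Bad input is refused outright rather than "cleaned up".
    """
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    for name in sorted(payload.keys() - SCHEMA.keys()):
        errors.append(f"{name}: unexpected field")
    for name in sorted(REQUIRED - payload.keys()):
        errors.append(f"{name}: missing required field")
    for name, rule in SCHEMA.items():
        if name not in payload:
            continue
        value = payload[name]
        # bool is a subclass of int, so reject it explicitly for numeric fields
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if isinstance(value, str):
            if not rule.get("min_len", 0) <= len(value) <= rule.get("max_len", 10**6):
                errors.append(f"{name}: length out of range")
            elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append(f"{name}: invalid format")
            if "choices" in rule and value not in rule["choices"]:
                errors.append(f"{name}: not an allowed value")
        else:
            if not rule.get("min", float("-inf")) <= value <= rule.get("max", float("inf")):
                errors.append(f"{name}: value out of range")
    return errors
```

A request handler would call `validate()` on the decoded body and return a 400 response listing the errors before touching the database or any other backend.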
What is new in 2021? Well, here is an illustration of the top-level changes to the OWASP Top 10 list.
Seven of the ten categories in the 2021 list are identifiably validation-related, which means that attackers are continuing to find opportunities to attack and steal as a result of errors developers are introducing in their code.
Interestingly, in all my training sessions, most of the developers have acknowledged that whilst they might have come across ‘security’ in the development process, they are not comfortable admitting they know how to write secure code.
The items in the new list that are not specifically validation vulnerabilities are the second entry, Cryptographic Failures, together with Insecure Design and Vulnerable and Outdated Components.
Cryptographic Failures we can relate to a failure to implement ‘Confidentiality’ properly. All data in an application should be reviewed; if it is confidential, encrypt it, both at rest and in transit.
Insecure Design is the result of a development team not spending the necessary time at the start of the development process identifying potential security issues. Threat modelling, secure design principles and identification of potential problems in the code should be emphasised. Development is often made insecure by the use of ‘Sprints’, which seem to suggest that a developer should work fast rather than safely.
Vulnerable and Outdated Components are introduced when developers are free to use whatever components they like from whatever source. A managed list of which components are in use is essential.
In our secure development training course, we teach development teams all the skills they need to take a secure-first mindset back to their development environment. We enable developers to do this quickly and without adding significantly to timescales.
We look forward to talking to you about getting your teams up to speed with the new requirements.