The Open Web App Security Project has released its Top Ten list of vulnerabilities in web software, as part of the general movement to make software less painfully insecure at the design stage.
Among new entries in the top 10 flaws highlighted by the project are “insecure design”, relating to specific design flaws, and “software and data integrity failures.” The latter refers to “making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity”.
The release is a draft for public comment and peer review, with a final version to be released later this year.
This year’s current number one web app security flaw is Broken Access Control, with OWASP glumly noting: “The 34 CWEs* mapped to Broken Access Control had more occurrences in applications than any other category.”
Non-specific examples OWASP cited include failure to validate user credentials for browser-based access to admin pages.
Cryptographic failures were also highlighted by OWASP, coming in at number two on this year’s list. Previously this category was known as “sensitive data exposure,” with the organisation noting the old description was “a broad symptom rather than a root cause.”
Although this category’s new name conjures up images of script kiddies breaking RSA-4096 encryption with a click of their fingers, the mundane truth is that it covers everything from hard-coded passwords to insufficient entropy in passwords, as well as “broken or risky crypto algorithms.” Specific examples of bad practice falling under “cryptographic failure” include storing passwords without hashing or salting them or not enforcing TLS on login-protected web pages.
Code injection and cross-site scripting came in third, with other common weaknesses including security misconfigurations, outdated libraries, and server and logging monitoring failures.
OWASP builds the Top Ten list every year by looking at data from industry about vulnerabilities discovered in web-facing software, combining that with an industry survey asking frontline folk what flaws they’ve seen over the past year that deserve a wider airing.
The org explained:
Back in 2018 OWASP’s then-chairman Martin Knobloch told El Reg that the Top Ten list had been both a blessing and a curse, saying: “A guide on how to validate is not a guide on how to build in security.” ®
* CWE: Common Weakness Enumeration. See also CVE, Common Vulnerability Enumeration. A vendor-neutral way of tracking flaws by using a unique reference number.