casey Profile picture
13 Jan, 16 tweets, 3 min read
Have you heard of OWASP Top 10 but aren’t familiar with it?

Or maybe you knew the 2017 list but not the updated list from 2021?

Let’s talk about it! 🧵 ⬇️
What is the OWASP Top 10?

It outlines the most pertinent risks to web security. The most updated list was released in 2021. 7/10 from the 2017 list were kept (but moved around in rankings), and 3 new risks were added.
This graphic shows how the 2017 Top 10 and the 2021 Top 10 compare.
You’ll notice that there have been rewordings of some, which keep the naming more consistent. Each is named by the problem at hand.

Additionally, some were renamed to better define what’s being pinpointed.
#1 Broken Access Control

Giving access and permissions to unauthorized users.

This can occur through things like lack of least privilege implementation, metadata misconfigurations, CORS misconfigurations, and API request modifications and access.
#2 Cryptographic Failures

Encryption can fail in many ways, including when keys aren’t created and shared securely, use of outdated and insecure protocols (FTP, SMTP), unenforced encryption, and incomplete trust chains.

Data should be properly protected at rest and in transfer.
#3 Injection

Attackers can take advantage of systems accepting input without input validation.

When an attacker can get your system to accept unexpected and malicious input, memory can be overwritten and the system may be given unauthorized instructions.
#4 Insecure Design

I like to think of this one as your lack of implementing buzzwords. Segmentation, pushing left, zero trust-

How are you maintaining authentication throughout your system and preventing malicious actions from moving through the system and being allowed?
#5 Security Misconfiguration

This includes things like improper permission configurations, unnecessary enabled access, default credential use, exposing error messages to users, and out-of-date software.

Every piece of a system needs to be configured and implemented properly.
#6 Vulnerable and Outdated Components

You need to know your assets. Every part of your system needs to be kept up to date, & it’s important to be aware of CVEs released regarding HW and SW you use. Components must be configured properly and tested to ensure system compatibility.
#7 Identification and Authentication Failures

When user identification and authorization fails due to things like credential stuffing, brute forcing weak and expected passwords, exposed (unencrypted or weakly hashed) passwords, lack of MFA, and reused session identifiers.
#8 Software and Data Integrity Failures

When software or pipelines are compromised by code & data. Using external sources (e.g. libraries) or updates without integrity validation, and failing to protect stored data will give attackers access to information &/or code execution.
#9 Security Logging and Monitoring Failures

Logs are not kept, logs don’t raise alerts when necessary, logs don’t provide actionable information; failure to detect abnormal or suspicious activity given vague or non-existent logs, and/or failure to respond with given information.
#10 Server-Side Request Forgery (SSRF)

When a web app permits an attacker to forge requests due to unvalidated remote resource fetching, an unauthorized destination can be accessed.
And that’s the OWASP Top 10! While they’re focused on web applications, most are relevant to all types of systems and is a useful resource for keeping up with common attack vectors.
If you’d be interested in me writing a more comprehensive blog post about this, let me know! We could get into mitigations and more extensive explanations.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with casey

casey Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @varcharr

14 Jan
If getting stuck on picking a hosting platform or stack is stopping you from creating content, don’t let it!

Let’s talk about what to consider and what options you have ⬇️
1. Find time to consider the options.

Don’t try to rush this, because you’ll realize later that other options have potential as well and you’ll get stuck all over again.

So start by carving out time to think about what you want.
2. Decide if you want to use a blogging platform or create your own site.

This is a good time to consider how much money you want to put into it; there are options for both.

There’s no right or wrong here, it just depends on your end goal. Let’s discuss what each has to offer.
Read 11 tweets
3 Jan
Things not normally taught in computer science curriculums that should be included 🧵
This will be a part 2, since I did one of these a little while ago. I recently thought of more things so wanted to do a follow on. If you wanna check out the first one, here it is:
1. How to break down a problem.

These curriculums tend to go from “practice your while loops” to “implement this data structure” to “code this big thing”.

You will never succeed at the latter if you don’t learn how to break down the problems into smaller programmable pieces.
Read 10 tweets
2 Jan
I've spent a lot of time wondering how I didn't spend more time deep diving into fundamentals of my comp sci classes and doing extra projects on the side to better understand what I was learning.

Did I not care? Was I not interested? Did I pick the wrong major?
After many years, I've had a realization.

Consider times when you've thought you weren't good enough to do something. In those moments, were you actively accomplishing other things at the same time?

I'm going to guess no.
The amount of time I spent during college second guessing my intelligence, whether I belonged, if I could succeed, if I should keep trying, whether or not I'd actually get a job in the field-

The thoughts never left my mind. Ever.
Read 6 tweets
2 Jan
Not that you need a new year as an excuse to do this, but why not consider it a chance to curate your Twitter feed to better serve you?

Let's talk about how you can do that.
1. Unfollow people who often (or even just sometimes) cause you to have stressed, angry, or upset feelings.

You don't owe anyone a follow. If it's a friend, you can consider letting them know why you've made the choice, but you're not obligated to.
2. Mute people who you don't want showing up on your feed.

If someone's tweets often show up and you're already not following them, muting should help further reduce what you see from them.
Read 9 tweets
8 Sep 21
Wanna up your Linux game?

This will be an evolving 🧵 of commands I learn about today and the resources used ⬇️
1. awk

awk is used for text manipulation within the command line.

A common use is specifying what kind of information you want to pull from a file or command output.

The who command returns currently logged in users of the system, as well as other information. What if we only wanted to see the users, without extra information? We could use awk like this, knowing the user is the first parameter in who output:

who | awk '{print $1}'
Read 18 tweets
7 Sep 21
Interview advice for people getting into tech 🧵 ⬇️
1. Know main points about the company.

When interviewing all around, this can be hard. But know the main things. Does it make a product? Know what the product is and does. Does the company have a specialty expertise? Know what it is. This is a simple first hurdle to prepare for.
2. Know how to sell yourself.

Interviews often start with “tell me about yourself”. Know your strengths. Know your accomplishments. Know your passions. Know what you’re interested in (multiple things is okay, esp when you’re earlier career!). Be able to be concise & to expand.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!