Have you heard of OWASP Top 10 but aren’t familiar with it?
Or maybe you knew the 2017 list but not the updated list from 2021?
Let’s talk about it! 🧵 ⬇️
Or maybe you knew the 2017 list but not the updated list from 2021?
Let’s talk about it! 🧵 ⬇️
What is the OWASP Top 10?
It outlines the most pertinent risks to web security. The most updated list was released in 2021. 7/10 from the 2017 list were kept (but moved around in rankings), and 3 new risks were added.
It outlines the most pertinent risks to web security. The most updated list was released in 2021. 7/10 from the 2017 list were kept (but moved around in rankings), and 3 new risks were added.
This graphic shows how the 2017 Top 10 and the 2021 Top 10 compare. 
You’ll notice that there have been rewordings of some, which keep the naming more consistent. Each is named by the problem at hand.
Additionally, some were renamed to better define what’s being pinpointed.
Additionally, some were renamed to better define what’s being pinpointed.
#1 Broken Access Control
Giving access and permissions to unauthorized users.
This can occur through things like lack of least privilege implementation, metadata misconfigurations, CORS misconfigurations, and API request modifications and access.
Giving access and permissions to unauthorized users.
This can occur through things like lack of least privilege implementation, metadata misconfigurations, CORS misconfigurations, and API request modifications and access.
#2 Cryptographic Failures
Encryption can fail in many ways, including when keys aren’t created and shared securely, use of outdated and insecure protocols (FTP, SMTP), unenforced encryption, and incomplete trust chains.
Data should be properly protected at rest and in transfer.
Encryption can fail in many ways, including when keys aren’t created and shared securely, use of outdated and insecure protocols (FTP, SMTP), unenforced encryption, and incomplete trust chains.
Data should be properly protected at rest and in transfer.
#3 Injection
Attackers can take advantage of systems accepting input without input validation.
When an attacker can get your system to accept unexpected and malicious input, memory can be overwritten and the system may be given unauthorized instructions.
Attackers can take advantage of systems accepting input without input validation.
When an attacker can get your system to accept unexpected and malicious input, memory can be overwritten and the system may be given unauthorized instructions.
#4 Insecure Design
I like to think of this one as your lack of implementing buzzwords. Segmentation, pushing left, zero trust-
How are you maintaining authentication throughout your system and preventing malicious actions from moving through the system and being allowed?
I like to think of this one as your lack of implementing buzzwords. Segmentation, pushing left, zero trust-
How are you maintaining authentication throughout your system and preventing malicious actions from moving through the system and being allowed?
#5 Security Misconfiguration
This includes things like improper permission configurations, unnecessary enabled access, default credential use, exposing error messages to users, and out-of-date software.
Every piece of a system needs to be configured and implemented properly.
This includes things like improper permission configurations, unnecessary enabled access, default credential use, exposing error messages to users, and out-of-date software.
Every piece of a system needs to be configured and implemented properly.
#6 Vulnerable and Outdated Components
You need to know your assets. Every part of your system needs to be kept up to date, & it’s important to be aware of CVEs released regarding HW and SW you use. Components must be configured properly and tested to ensure system compatibility.
You need to know your assets. Every part of your system needs to be kept up to date, & it’s important to be aware of CVEs released regarding HW and SW you use. Components must be configured properly and tested to ensure system compatibility.
#7 Identification and Authentication Failures
When user identification and authorization fails due to things like credential stuffing, brute forcing weak and expected passwords, exposed (unencrypted or weakly hashed) passwords, lack of MFA, and reused session identifiers.
When user identification and authorization fails due to things like credential stuffing, brute forcing weak and expected passwords, exposed (unencrypted or weakly hashed) passwords, lack of MFA, and reused session identifiers.
#8 Software and Data Integrity Failures
When software or pipelines are compromised by code & data. Using external sources (e.g. libraries) or updates without integrity validation, and failing to protect stored data will give attackers access to information &/or code execution.
When software or pipelines are compromised by code & data. Using external sources (e.g. libraries) or updates without integrity validation, and failing to protect stored data will give attackers access to information &/or code execution.
#9 Security Logging and Monitoring Failures
Logs are not kept, logs don’t raise alerts when necessary, logs don’t provide actionable information; failure to detect abnormal or suspicious activity given vague or non-existent logs, and/or failure to respond with given information.
Logs are not kept, logs don’t raise alerts when necessary, logs don’t provide actionable information; failure to detect abnormal or suspicious activity given vague or non-existent logs, and/or failure to respond with given information.
#10 Server-Side Request Forgery (SSRF)
When a web app permits an attacker to forge requests due to unvalidated remote resource fetching, an unauthorized destination can be accessed.
When a web app permits an attacker to forge requests due to unvalidated remote resource fetching, an unauthorized destination can be accessed.
And that’s the OWASP Top 10! While they’re focused on web applications, most are relevant to all types of systems and is a useful resource for keeping up with common attack vectors.
If you’d be interested in me writing a more comprehensive blog post about this, let me know! We could get into mitigations and more extensive explanations.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
