The Open Web Application Security Project (OWASP) is a non-profit online community that produces freely available resources for application security; the name stands for Open Web Application Security Project. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. It provides:
• Tools and resources
• Community and network
• Education and training
OWASP has more than 100 active projects, and new project applications are submitted weekly. Projects are open source and are built by the community of volunteers. The OWASP Top 10 list of security issues is based on consensus among the developer community about the top security risks. It is updated every few years as risks change and new ones emerge. The list explains the most dangerous web application security flaws and gives recommendations for dealing with them. OWASP seeks to educate developers, designers, architects, and business owners about the risks associated with the most common web application security vulnerabilities. OWASP supports both open-source and commercial security products, and it is known as a forum in which security experts and information technology professionals can network and build expertise.
What is the OWASP Top 10?
The OWASP Top 10 is an application security project focused on improving the security of software; a number of security firms and experts provide input to identify the 10 most critical security risks. OWASP compiles the list from community surveys, contributed data about common vulnerabilities and exploits, and vulnerability databases. The first version of the OWASP Top 10 was published in 2003. Updates followed in 2004, 2007, 2010, 2013, and 2017, and the most recent update was published in 2021. Risks that make the list at any point are identified by their rank on the list and the year of the list. For example, the top security risk in the most recent list is broken access control, which is assigned the identifier A01:2021: "A" for AppSec, followed by its rank in the list, the ":" symbol, and the year.
OWASP Top 10 SECURITY RISKS, 2021
1. A01:2021 Broken access control. With these vulnerabilities, attackers can bypass access controls, for example by elevating their own permissions, and so gain unauthorized access to data or systems. Broken access control has become the top category of security risk for web applications, rising from fifth place in 2017. The category was created in 2017 by merging two earlier categories: missing function level access control and insecure direct object references.
2. A02:2021 Cryptographic failures. These risks arise when cryptographic methods are not used appropriately to protect data. They include the use of obsolete ciphers, cryptographic protocols that are not implemented correctly, and other weaknesses in cryptographic controls. The category was previously called sensitive data exposure; OWASP renamed it to reflect that cryptographic failures are what enables the exposure of sensitive information.
3. A03:2021 Injection. These vulnerabilities let attackers insert data containing malicious commands into an application, redirect data to a malicious website, or change the application itself. The most common type of flaw, Structured Query Language (SQL) injection, still represents an important attack vector. The remediation for injection is to explicitly validate all untrusted data, especially data submitted by end users. In the 2021 list this category was expanded to include cross-site scripting.
4. A04:2021 Insecure design. Risks in this category come from flaws in the system's architecture and design: the application is built around processes that are insecure by design. For example, an application may be developed with an authentication process that is not secure, or a website may not be built to prevent bots.
5. A05:2021 Security misconfiguration. Here the problem is the security configuration of the application itself. For example, an application might not filter incoming packets correctly, or might allow the use of a default user ID, password, or authorization. The category was expanded in 2021 to include Extensible Markup Language (XML) external entities.
6. A06:2021 Vulnerable and outdated components. These risks arise when developers build applications from software components that contain vulnerabilities, or from software that is unpatched, out of date, or similarly compromised. Vulnerable components include libraries, frameworks, application programming interfaces (APIs), and other modules. An unpatched underlying operating system or program interpreter can cause these problems, as can out-of-date APIs and software libraries.
7. A07:2021 Identification and authentication failures. These vulnerabilities include authentication weaknesses that enable credential stuffing and brute-force attacks. The category also covers applications that do not use multifactor authentication and do not invalidate user sessions that have expired or are inactive. In 2017 these risks were called broken authentication; the category was renamed in 2021 to cover both broken authentication and broken session management.
8. A08:2021 Software and data integrity failures. This category covers application code and infrastructure that does not fully protect the integrity of software or data. For example, problems arise if digital signatures are not verified when software updates are installed. The category was expanded in 2021 to include insecure deserialization.
9. A09:2021 Security logging and monitoring failures. These vulnerabilities occur when a system is not adequately monitored to detect and respond to attacks, and when logs of such events are not kept. Before 2021 the category was called insufficient logging and monitoring; the name change reflects its expansion to cover more kinds of logging and monitoring failures.
10. A10:2021 Server-side request forgery. Applications must adequately validate user-provided resources to prevent these attacks; otherwise threat actors can use the vulnerability to make the application access malicious websites.
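The following is an added illustration of item 1 (A01:2021, the insecure direct object reference case in particular); it is example code written for this page, not code from the article or from OWASP. The `Invoice` type, the `INVOICES` store and its two records are constructed for the demonstration.

```python
# Added example (not from the article or from OWASP): an object-level
# authorization check of the kind whose absence A01 describes.
# The Invoice type, the INVOICES store and its contents are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two customers (ids 1 and 2), one invoice each.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=990.0),
}


def get_invoice_vulnerable(requester_id: int, invoice_id: int) -> Optional[Invoice]:
    """Insecure direct object reference: the id taken from the request is
    looked up directly, so any authenticated user can read any invoice just
    by changing the number. requester_id is accepted but never consulted."""
    return INVOICES.get(invoice_id)


def can_read_invoice(requester_id: int, invoice: Invoice, is_admin: bool = False) -> bool:
    """The authorization rule, kept in one place so every entry point enforces
    the same policy: the owner may read it, an admin role may read it,
    nobody else may."""
    return is_admin or invoice.owner_id == requester_id


def get_invoice_secure(requester_id: int, invoice_id: int, is_admin: bool = False) -> Optional[Invoice]:
    """Deny by default. A missing invoice and a forbidden invoice both yield
    None, so the response does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(requester_id, invoice, is_admin):
        return None
    return invoice


if __name__ == "__main__":
    # User 1 asks for user 2's invoice.
    print("vulnerable:", get_invoice_vulnerable(1, 1002))  # leaks invoice 1002
    print("secure:    ", get_invoice_secure(1, 1002))      # None
```

The point of `can_read_invoice` is that the rule is enforced on every object access rather than only at the menu or page level; returning the same `None` for "not found" and "not yours" also keeps the response from acting as an oracle for valid ids.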
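For item 2 (A02:2021), an added example, written for this page and not taken from the article or OWASP, of the "obsolete cipher" problem in its most common form, password storage: an unsalted MD5 digest beside a salted, deliberately slow PBKDF2 digest verified in constant time. The iteration count, the `$`-separated storage format and the function names are this example's own choices.

```python
# Added example (not from the article or OWASP): obsolete vs. adequate
# password storage. Iteration count and record format are assumptions.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def weak_hash(password: str) -> str:
    """Obsolete: unsalted, single-pass MD5. Identical passwords produce
    identical digests, and each guess costs one cheap hash to check."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt. Algorithm, work
    factor and salt are stored with the digest so they can be raised later
    without breaking verification of existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in
    constant time so the comparison itself leaks nothing."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record (bad hex, wrong field count)
        return False


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Collect the properties the two schemes have (or lack) for one password."""
    pw = "correct horse battery"
    rec1, rec2 = hash_password(pw, iterations), hash_password(pw, iterations)
    return {
        "md5_repeats": weak_hash(pw) == weak_hash(pw),   # True: no salt
        "pbkdf2_repeats": rec1 == rec2,                   # False: per-record salt
        "verifies_correct": verify_password(pw, rec1),
        "rejects_wrong": verify_password("wrong horse", rec1),
        "rejects_garbage": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are visible in `demo()`: with MD5 two users with the same password get the same digest, and with PBKDF2 they do not, while each verification still costs the attacker the full iteration count per guess.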
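For item 3 (A03:2021), an added example showing why the remediation is about how untrusted data reaches the interpreter. It is written for this page, not code from the article or OWASP; the in-memory SQLite table, its rows and the single tautology input are constructed.

```python
# Added example (not from the article or OWASP): the same lookup written
# with string concatenation and with a bound parameter. Table and rows
# are constructed for the demonstration.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The untrusted value is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest becomes part of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """The value is bound by the driver; it can only ever be compared as data
    and cannot change the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo() -> Tuple[List[str], List[str]]:
    """Run both lookups on a constructed input that is not a real username."""
    conn = make_db()
    tautology = "x' OR '1'='1"   # constructed: makes the WHERE clause always true
    return (find_user_vulnerable(conn, tautology),
            find_user_parameterized(conn, tautology))


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("concatenated query returned:", vulnerable)   # every user
    print("parameterized query returned:", safe)        # nobody
```

The parameterized version needs no escaping logic of its own, which is why it is the recommended remediation: validation of the input is still worth doing for business reasons, but the structure of the query no longer depends on it.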
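Items 7 and 9 (A07:2021 and A09:2021) meet in one place: the credential-stuffing and brute-force attempts that A07 names are only visible if authentication events are logged and someone looks at them. The block below is an added example written for this page, not code from the article or OWASP. The log line format, the source addresses (taken from the RFC 5737 documentation ranges), the threshold and the window are all assumptions.

```python
# Added example (not from the article or OWASP): a sliding-window detector
# for bursts of failed logins, run over constructed authentication log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address fails against six accounts in eleven
# seconds (the credential-stuffing shape); another has two unrelated
# failures more than a minute apart.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z login FAILED user=alice ip=203.0.113.5
2024-01-01T10:00:03Z login FAILED user=bob ip=203.0.113.5
2024-01-01T10:00:05Z login OK user=carol ip=198.51.100.7
2024-01-01T10:00:06Z login FAILED user=carol ip=203.0.113.5
2024-01-01T10:00:08Z login FAILED user=dave ip=203.0.113.5
2024-01-01T10:00:09Z login FAILED user=carol ip=198.51.100.7
2024-01-01T10:00:11Z login FAILED user=erin ip=203.0.113.5
2024-01-01T10:00:12Z login FAILED user=frank ip=203.0.113.5
2024-01-01T10:02:30Z login FAILED user=carol ip=198.51.100.7
this line is not an auth event and is skipped
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip), or None for non-matching lines."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_failed_login_bursts(lines, threshold: int = 5,
                               window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Count FAILED logins per source address inside a sliding window. When
    an address reaches `threshold` failures within `window`, report it with
    every username it has tried: many names from one address suggests
    credential stuffing, one name repeated suggests brute force."""
    recent: Dict[str, deque] = defaultdict(deque)
    users_tried: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "FAILED":
            continue
        ts, _, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users_tried[ip].add(user)
        while q and ts - q[0] > window:     # drop failures that left the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = sorted(users_tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, users in detect_failed_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {len(users)} accounts tried: {', '.join(users)}")
```

On the sample, only `203.0.113.5` trips the rule; `198.51.100.7` never has two failures inside one window. In a real deployment the same logic would feed a lockout or step-up authentication decision, which is the A07 control the alert exists to trigger.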
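For item 10 (A10:2021), an added example of the validation the text calls for: checking a user-supplied URL before the server fetches it. It is written for this page, not code from the article or OWASP; the allowlisted host names are constructed, and the function name is this example's own.

```python
# Added example (not from the article or OWASP): allowlist validation of a
# URL the application is asked to fetch on a user's behalf.
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_safe_fetch_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is on the allowlist. Raw IP
    literals are rejected outright, since that is how loopback, private and
    link-local addresses are usually reached; embedded credentials are
    rejected because 'allowed.host@other.host' confuses naive host checks."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname              # lowercased, IPv6 brackets stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)     # parses -> it is an IP literal
        return False
    except ValueError:
        pass
    if port is not None and port not in (80, 443):
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in ("https://images.example.com/logo.png",
                      "http://127.0.0.1/admin",
                      "https://images.example.com@evil.example/x",
                      "file:///etc/hosts"):
        print(f"{candidate!r}: {is_safe_fetch_url(candidate)}")
```

This check works on the URL text only. An allowlisted name can still resolve to an internal address, and a fetched page can redirect elsewhere, so the HTTP client that performs the request should resolve the name and re-check the resulting address at connection time and should not follow redirects automatically.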