In the software industry, change is constant. New frameworks and tools are released regularly, and developers must keep adapting to stay ahead of the curve. While the technology changes, some aspects of security are timeless, and the Open Web Application Security Project's (OWASP) Top 10 list is one example. First published in 2003, the list is updated every few years to reflect the risks that matter most in web application security.
The most recent edition of the OWASP Top 10 was released in 2021, and it makes some significant changes from the previous 2017 version: three categories are new, several others were merged or renamed, and the ranking was reshuffled, with Broken Access Control moving to the top spot. This article looks at what has changed and what you need to know to keep your applications secure.
New Threats Emerge
While the OWASP Top 10 is an excellent resource for understanding the most common web application security risks, it's important to remember that it's not an exhaustive list. There are always new threats emerging, and developers need to be aware of them to protect their applications.
The three categories that are new in the 2021 edition are:
Insecure Design:
Insecure Design (A04:2021) covers weaknesses that are built into how an application is designed rather than how it is coded: a missing or ineffective control, a business flow that can be abused, or a trust boundary that was never thought through. A flawless implementation cannot fix an insecure design. Authentication and authorization that were never designed to be robust are common examples: weak authentication lets attackers gain access to sensitive data, while weak authorization lets them perform actions they should not be able to.
Design gaps also surface as implementation bugs. If the design never specifies where input is validated, for instance, an attacker may find a path that lets them inject malicious content into the site.
OWASP's guidance on secure design processes, threat modeling, and the Application Security Verification Standard (ASVS) can help you avoid these weaknesses:
- Never trust user input; decide at design time where it is validated and what is accepted.
- Use secure session management to prevent session hijacking attacks.
- Limit resource consumption per user or service so that the application withstands a Denial of Service (DoS) attempt.
- Threat model critical flows (authentication, password reset, payment) before the code is written.
Software and Data Integrity Failures:
Software and Data Integrity Failures (A08:2021) occur when code or data is trusted without verifying that it has not been tampered with. Typical cases are an application that downloads updates or plugins without checking a signature, a page that loads scripts from a CDN without Subresource Integrity, a build pipeline that pulls dependencies from untrusted sources, and insecure deserialization of data an attacker controls. Transport encryption alone does not solve this: TLS protects data in transit, but it says nothing about whether the code or data at the other end is what you expected.
Data at rest can be tampered with too. If a database or configuration store is not secured correctly, an attacker who gains write access can modify the data it contains, and the application will act on it as if it were genuine.
To prevent integrity failures, you should:
- Verify digital signatures (or at least pinned hashes) on updates, packages, and plugins before installing them, and use Subresource Integrity for scripts loaded from third-party origins.
- Pin dependencies to known versions, pull them only from trusted repositories, and review the permissions and configuration of your CI/CD pipeline.
- Do not deserialize untrusted data with formats that can execute code; prefer simple formats such as JSON and validate the result. Monitor your systems for signs of tampering.
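As an added illustration (this is not code from the original article or from OWASP), the following Python script shows two of the integrity checks above: computing a Subresource Integrity value for a third-party script, and verifying a downloaded update against a pinned SHA-256 digest before acting on it. The vendor script, the update blob, and the pinned digest are constructed for the demonstration; in practice the digest or signature comes from the vendor over a separate trusted channel.

```python
"""Integrity checks on third-party code and data before it is trusted.

Added example for this article; not code from the original or from OWASP.
Standard library only. The artifacts below are constructed sample data.
"""
import base64
import hashlib
import hmac


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity value such as 'sha384-<base64 digest>'.

    The browser recomputes the digest over the fetched resource and refuses
    to execute the script if it does not match the integrity attribute.
    """
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag that pins the expected content of src via SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_artifact(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare a downloaded artifact (update, package, plugin) with a digest
    obtained out of band. compare_digest runs in constant time so the check
    does not leak how many leading characters matched."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def install_update(data: bytes, expected_sha256_hex: str) -> str:
    """Only act on the artifact once it has been verified."""
    if not verify_artifact(data, expected_sha256_hex):
        raise ValueError("artifact digest mismatch: refusing to install")
    # Real code would unpack/apply the update here.
    return "installed"


# Constructed sample data: a hypothetical vendor library and update blob.
VENDOR_JS = b"window.vendor = { init: function () { return 'ok'; } };\n"
UPDATE_BLOB = b"UPDATE v2.0.1\x00\x01\x02"
# Stands in for the digest the vendor publishes alongside the release; it is
# computed here once from the known-good blob so the demo runs offline.
PINNED_SHA256 = hashlib.sha256(UPDATE_BLOB).hexdigest()


if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/vendor.js", VENDOR_JS))
    print(install_update(UPDATE_BLOB, PINNED_SHA256))
    tampered = UPDATE_BLOB.replace(b"2.0.1", b"2.0.2")
    try:
        install_update(tampered, PINNED_SHA256)
    except ValueError as exc:
        print("rejected:", exc)
```

A hash pin only proves the bytes match what you recorded; it does not say who produced them. Where the vendor publishes signatures, verify the signature against a key you already trust rather than a digest fetched from the same place as the artifact.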
Server-Side Request Forgery (SSRF):
Server-Side Request Forgery (A10:2021) is an attack in which the attacker supplies a URL and tricks the server into making a request to it on their behalf. Because the request originates from the server, it can reach destinations the attacker cannot: internal services, administrative interfaces bound to localhost, and cloud metadata endpoints that hand out credentials. The attacker can then read data or trigger actions they would not normally have access to.
To prevent SSRF attacks, you should:
- Validate the destination before making any server-side request: allow only http and https, check the host against an allow list, and block loopback, private, and link-local address ranges, including their IPv6 and IPv4-mapped forms.
- Restrict the network: run the fetching component in a segment with deny-by-default egress so it cannot reach internal services, and do not follow redirects blindly; re-validate each hop.
- Do not return raw responses to the client, and monitor your logs for outbound requests to unexpected destinations.
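The destination check described above, written out as an added Python example (not code from the original article or from OWASP). The resolver is injectable so the checks can be exercised offline against a constructed DNS table; in production the default resolver performs real lookups. The host names and addresses in the table are assumptions made up for the demonstration.

```python
"""Validating a user-supplied URL before the server fetches it (SSRF defence).

Added example for this article; not code from the original or from OWASP.
Standard library only. FAKE_DNS is a constructed table so the demo runs
offline; system_resolver does real lookups.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

# Address ranges a server-side fetch must never reach, whatever the hostname.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local, including cloud metadata services
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Every address the host currently resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr: str) -> bool:
    """True for loopback, private, link-local and unspecified addresses.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it cannot be
    used to slip past the IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_unspecified or any(ip in net for net in BLOCKED_NETWORKS)


def rejection_reason(url: str, allowed_hosts: Optional[Set[str]] = None,
                     resolver: Resolver = system_resolver) -> Optional[str]:
    """Return why the URL must not be fetched, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"      # http://trusted@evil trick
    host = parts.hostname
    if not host:
        return "missing host"
    host = host.rstrip(".").lower()
    if allowed_hosts is not None and host not in allowed_hosts:
        return f"host not on allow list: {host!r}"
    addresses = list(resolver(host))
    if not addresses:
        return f"host does not resolve: {host!r}"
    for addr in addresses:                      # every record, not just the first
        if is_blocked_address(addr):
            return f"{host} resolves to blocked address {addr}"
    return None


def validate_outbound_url(url: str, allowed_hosts: Optional[Set[str]] = None,
                          resolver: Resolver = system_resolver) -> str:
    """Raise ValueError instead of returning a reason; use before any fetch."""
    reason = rejection_reason(url, allowed_hosts, resolver)
    if reason:
        raise ValueError(reason)
    return url


# Constructed DNS table standing in for real lookups in the demonstration.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "api.partner.example": ["203.0.113.10"],
    "cdn.partner.example": ["203.0.113.20", "10.0.0.5"],  # one record points inside
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> Iterable[str]:
    try:
        return [str(ipaddress.ip_address(host))]   # IP literal resolves to itself
    except ValueError:
        return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    partners = {"api.partner.example", "cdn.partner.example"}
    for candidate in ("https://api.partner.example/v1/items",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://api.partner.example@evil.example/",
                      "https://cdn.partner.example/lib.js"):
        print(candidate, "->", rejection_reason(candidate, partners, fake_resolver) or "ok")
```

Two caveats a practitioner should keep in mind. The address is checked at validation time but the HTTP client resolves the name again when it connects, so a DNS record that changes between the two lookups (DNS rebinding) defeats the check unless the client is made to connect to the already-validated address. And a redirect from an allowed host can point anywhere, so redirects must be disabled or each hop passed through the same validation.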
Existing Security Issues Increase
While new threats keep emerging, several long-standing categories on the OWASP Top 10 remain as relevant as ever, and many of the most common attacks seen in practice are still the classics.
Injection Flaws:
Injection remains one of the most prevalent vulnerability classes on the web and sits at A03 in the 2021 edition, where Cross-Site Scripting has been folded into it. These flaws occur when untrusted data is passed to an interpreter as part of a command or query: SQL, NoSQL, LDAP, OS commands, and so on. Depending on the interpreter, this can let attackers read or modify data they should not see, or execute arbitrary commands on the server.
To prevent injection flaws, you should:
- Validate all user input against an allow list, but treat validation as defence in depth rather than the primary control.
- Use parameterized queries (prepared statements) instead of string concatenation, and allow-list identifiers such as column names, which cannot be bound as parameters.
- Run the application with a least-privilege database account, and make sure the database itself is configured and secured correctly.
Cross-Site Scripting (XSS):
Cross-Site Scripting is an injection flaw that occurs when untrusted data is placed into a web page without proper encoding. This lets attackers inject script into the page, which the victim's browser executes with the privileges of the site: reading session cookies, performing actions as the user, or rewriting what the page shows.
To prevent XSS attacks, you should:
- Validate all user input before it reaches the page, as a secondary control.
- Encode all untrusted data for the context in which it is output (HTML body, attribute value, JavaScript, URL); the correct encoder differs per context.
- Deploy a Content Security Policy that disallows inline scripts and untrusted script origins, so that an encoding mistake elsewhere has less impact.
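The context-specific encoding rule is easiest to see in code. The following is an added Python example (not code from the original article or from OWASP) that renders one user comment into three contexts with the right encoder for each, and passes user preferences into an inline script via JSON with the tag-breaking characters escaped. The attack strings are constructed payloads.

```python
"""Context-aware output encoding against cross-site scripting.

Added example for this article; not code from the original or from OWASP.
Standard library only. The user-supplied strings in the demo are constructed
attack payloads.
"""
import html
import json
from urllib.parse import quote


def render_comment(author: str, body: str) -> str:
    """Each interpolation point gets the encoder for its own context:
    quoted HTML attribute, URL query parameter, and HTML text body."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f'<a href="/profile?u={quote(author, safe="")}">{html.escape(author)}</a>: '
        f'{html.escape(body)}</div>'
    )


def render_inline_config(prefs: dict) -> str:
    """Data handed to JavaScript goes through JSON, and the characters that
    could close the <script> block or open a tag are written as \\uXXXX escapes,
    which the JavaScript parser accepts inside string literals."""
    payload = (json.dumps(prefs)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>window.prefs = {payload};</script>"


def csp_header() -> str:
    """Defence in depth: a policy with no 'unsafe-inline' and no wildcard
    script origins limits what an encoding mistake elsewhere can achieve."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    print(render_comment('" onmouseover="alert(1)', "<script>alert(1)</script>"))
    print(render_inline_config({"theme": "</script><script>alert(1)</script>"}))
    print("Content-Security-Policy:", csp_header())
```

Note that html.escape is the wrong tool for the inline-script case: the browser's HTML parser does not decode entities inside a script element, so a `&lt;` there reaches the JavaScript engine unchanged while a literal `</script>` still terminates the block. That is why the JSON route with `\u003c` escapes is used instead.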
Clickjacking and UI Redressing:
Clickjacking, also known as UI redressing, tricks users into clicking on a button or link they did not intend to, typically by loading the target page in an invisible frame on top of a decoy page. This lets an attacker perform unwanted actions with the victim's session, such as changing the user's password or making a purchase in their name. It is not a Top 10 category of its own; missing protective headers fall under Security Misconfiguration (A05:2021).
To prevent clickjacking attacks, you should:
- Send the X-Frame-Options header (DENY or SAMEORIGIN) so browsers refuse to render your pages inside frames on other sites.
- Send a Content-Security-Policy header with a frame-ancestors directive; it is the modern replacement for X-Frame-Options and the only way to allow a specific list of framing origins, since ALLOW-FROM is obsolete.
- Do not rely on JavaScript frame-busting alone; it can be bypassed.
These are just a few of the existing security concerns in recent years. The OWASP Top 10 project page and the OWASP Cheat Sheet Series have more information on these and other threats.
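As an added example (not code from the original article or from OWASP), the Python below sets both headers from a small WSGI middleware and includes a checker of the kind a scanner would run over a response to tell whether framing is restricted. The wrapped application and the partner origin are constructed for the demonstration.

```python
"""Anti-clickjacking response headers as WSGI middleware, plus a checker.

Added example for this article; not code from the original or from OWASP.
Standard library only; demo_app and the partner origin are constructed.
"""
from typing import Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def is_frame_protected(headers: Headers) -> bool:
    """Scanner-style check on a response: True if a CSP frame-ancestors
    directive or a restrictive X-Frame-Options value is present. The obsolete
    ALLOW-FROM form is ignored by browsers and so does not count."""
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return True
        elif lname == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
    return False


def frame_protection_headers(allowed_framers: Iterable[str] = ()) -> Headers:
    """Headers that stop other origins from framing the page.

    With no allowed framers, deny framing everywhere: CSP frame-ancestors is
    the current standard and X-Frame-Options covers older browsers. When a
    specific list of partner origins may frame the page, only CSP can express
    that (browsers honouring CSP give it precedence over X-Frame-Options).
    """
    framers = list(allowed_framers)
    if not framers:
        return [("X-Frame-Options", "DENY"),
                ("Content-Security-Policy", "frame-ancestors 'none'")]
    return [("Content-Security-Policy", "frame-ancestors 'self' " + " ".join(framers))]


def with_frame_protection(app, allowed_framers: Iterable[str] = ()):
    """WSGI middleware: add the headers to every response unless the wrapped
    application has already restricted framing itself."""
    extra = frame_protection_headers(allowed_framers)

    def wrapped(environ, start_response):
        def protected_start_response(status, headers, exc_info=None):
            if not is_frame_protected(headers):
                headers = list(headers) + extra
            return start_response(status, headers, exc_info)
        return app(environ, protected_start_response)

    return wrapped


def demo_app(environ, start_response):
    """Constructed application that sets no protective headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>Transfer funds</h1>"]


def response_headers(app, path: str = "/") -> Headers:
    """Run one request through a WSGI app and return the headers it sent."""
    captured: List[Headers] = []

    def start_response(status, headers, exc_info=None):
        captured.append(list(headers))
        return lambda data: None

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured[0]


if __name__ == "__main__":
    print("unprotected:", response_headers(demo_app))
    print("deny all:   ", response_headers(with_frame_protection(demo_app)))
    print("partner:    ", response_headers(
        with_frame_protection(demo_app, ["https://portal.partner.example"])))
```

Headers are usually set once at the edge (reverse proxy or framework middleware) rather than per handler, so that a new route cannot ship without them; the checker is useful in a smoke test that requests every route and asserts the protection is present.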