Recently, the Open Web Application Security Project (OWASP) published its new top-ten list of the most critical web application security risks. Compared to the top-ten lists of risks and trends that other third-party organizations publish, this list carries a lot more weight because it is based on input from the application security community. Four years have passed since the top-ten list was last updated, and in that time the application vulnerability landscape has changed significantly. Even so, some of the same risks from 2013 still have a place on this year’s top-ten.
The list is meant to offer guidance to security and application development teams. However, a risk that does not appear in the top-ten is no less important in the context of risk mitigation.
What ranks #1?
Injection flaws are still #1, as they have been since 2013. They are among the most common risks, and hackers view them as low-hanging fruit. Injection flaws allow attackers to send malicious code from the compromised application to other systems, essentially giving them a gateway to cause more havoc. We don’t see this moving out of the #1 spot anytime soon: every web application environment permits the execution of external commands, and each such execution is a point where an injection vulnerability can manifest itself.
XML External Entities (#4) and Insecure Deserialization (#8) are new to the list, and for good reason. Many XML processors are old and not properly configured, and hackers can take advantage of this by uploading malicious XML files. In some instances, this allows them to execute distributed denial of service (DDoS) attacks that cause mass disruption for organizations and consumers. According to a recent Kaspersky report, 33 percent of organizations faced a DDoS attack in 2017, up from 17 percent the year prior.
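The configuration problem is easiest to see in code. The following added example (not from the original post) drives Python's bundled expat parser directly with three constructed documents: a benign one, one whose DTD declares an internal entity that the parser expands on every reference, and one whose DTD points an entity at an external resource (the path is a placeholder). The default parser accepts all of the DTD declarations; the hardened variant installs handlers that refuse any DOCTYPE before a single entity can be declared, which is the same "forbid DTD" posture that safe-parsing wrappers apply.

```python
import xml.parsers.expat as expat

# Constructed sample documents for this example.
BENIGN_DOC = b"<order><item>widget</item></order>"
INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE order [<!ENTITY pad "AAAAAAAA">]>'
    b"<order><item>&pad;&pad;&pad;&pad;</item></order>"
)
EXTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<order><item>&ext;</item></order>"
)

def parse_items(xml_bytes, forbid_dtd):
    """Parse with expat and return {element name: concatenated text}.
    With forbid_dtd=True, any DOCTYPE aborts the parse with ValueError
    and external entity references are never fetched."""
    text = {}
    stack = []

    def start_element(name, attrs):
        stack.append(name)
        text.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(data):
        # Entity expansions arrive here as ordinary character data.
        if stack:
            text[stack[-1]] += data

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse the DTD outright: no DTD means no entity declarations,
        # so neither expansion bombs nor external fetches are possible.
        raise ValueError("DTD refused: entity declarations are not accepted")

    def external_entity_ref(context, base, sysid, pubid):
        return 0  # returning 0 tells expat to stop rather than resolve the reference

    parser = expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = start_doctype
        parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_bytes, True)
    return text

def classify(doc, forbid_dtd):
    """Return the parsed text map, or 'refused' when the DTD gate rejected the input."""
    try:
        return parse_items(doc, forbid_dtd)
    except ValueError:
        return "refused"

if __name__ == "__main__":
    print("default, internal entity:", classify(INTERNAL_ENTITY_DOC, False))
    print("hardened, internal entity:", classify(INTERNAL_ENTITY_DOC, True))
    print("hardened, external entity:", classify(EXTERNAL_ENTITY_DOC, True))
    print("hardened, benign:", classify(BENIGN_DOC, True))
```

With the defaults, the eight-character entity referenced four times becomes 32 characters of element text; scale the declaration up and nest entities inside entities and the same behaviour becomes the resource-exhaustion problem the paragraph describes. With the DTD gate in place, both entity-bearing documents are refused before any expansion or lookup happens, while the benign document still parses. If an application genuinely needs DTDs, the narrower control is to refuse only entity declarations and external references, but most services never need them and should turn them off entirely.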
Insecure Deserialization made the list (#8) as remote code execution continues to pick up steam. Hackers are tricksters by nature. They can send serialized data objects to applications, which accept those objects without knowing where they came from. What the applications don’t realize is that such an object can allow the hacker to gain remote access to the application and take control. We’ve seen this happen in the past with Apache and Java. Application security teams need to put more measures in place to prevent the acceptance of objects from unknown sources.
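The "measures" the paragraph calls for come down to never letting a serialized blob decide which code runs when it is loaded. This added example (not from the original post) uses Python's `pickle`, where a blob can name any importable class or function, and applies the allow-list pattern from the Python pickle documentation: a subclass of `Unpickler` whose `find_class` resolves only the handful of types the application expects and refuses everything else. The allow-list contents and sample blobs are constructed for the example.

```python
import collections
import datetime
import io
import pickle

# Allow-list of the only (module, name) globals an incoming blob may reference.
# Constructed for this example; a real service lists exactly the types it exchanges.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves class and function references only through the allow-list.
    Plain containers, strings and numbers need no global lookup, so they still load."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_loads(blob):
    """Drop-in replacement for pickle.loads that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def demo():
    """Load three constructed blobs: plain data, an allow-listed type,
    and a type that is harmless but not on the list."""
    plain_blob = pickle.dumps({"user": "alice", "roles": ["viewer"]})
    date_blob = pickle.dumps(datetime.date(2017, 11, 20))
    other_blob = pickle.dumps(collections.OrderedDict(a=1))
    result = {
        "plain": restricted_loads(plain_blob),
        "date": restricted_loads(date_blob),
    }
    try:
        restricted_loads(other_blob)
        result["ordered_dict"] = "loaded"
    except pickle.UnpicklingError:
        result["ordered_dict"] = "refused"
    return result

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The `OrderedDict` blob is refused even though it is perfectly benign: the point of the control is that the loader, not the sender, decides which types may be instantiated, and a blob that references anything outside that set is rejected before any constructor runs. The stronger option, where the protocol allows it, is to stop accepting native object serialization from untrusted peers altogether and exchange a data-only format such as JSON, with a signature or MAC over the payload so that only known sources are accepted.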
Insufficient logging and monitoring is also new, coming in at #10. Oftentimes, application and API logs are not monitored frequently, if at all. When that is the case, security operations teams remain in the dark, unable to identify potential threats in real time.
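Monitoring does not have to start with a full SIEM. This added example (not from the original post) runs a simple burst detector over a constructed application login log: it parses each line, keeps a sliding window of failures per source address, raises one alert when a source crosses a threshold, and also counts lines it could not parse, since silently dropped log lines are exactly how a team ends up "in the dark". The log format, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, oldest line first. The format is assumed for this example.
SAMPLE_LOG = """\
2017-11-20T10:00:01 203.0.113.5 login failure user=admin
2017-11-20T10:00:03 203.0.113.5 login failure user=admin
2017-11-20T10:00:04 198.51.100.7 login success user=alice
2017-11-20T10:00:06 203.0.113.5 login failure user=root
this line does not match the expected format
2017-11-20T10:00:09 203.0.113.5 login failure user=admin
2017-11-20T10:00:11 203.0.113.5 login failure user=guest
2017-11-20T10:20:00 198.51.100.7 login failure user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) "
    r"login (?P<outcome>success|failure) user=(?P<user>\S+)$"
)

def parse_line(line):
    """Return an event dict, or None when the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
    }

def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag any source that produces `threshold` or more login failures within
    `window`. Returns the alerts and the number of unparseable lines, which a
    monitoring team should track as a signal in its own right."""
    recent = defaultdict(deque)     # src -> timestamps of failures still inside the window
    users_tried = defaultdict(set)  # src -> usernames attempted from that source
    alerted = set()
    alerts = []
    unparsed = 0
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        if event["outcome"] != "failure":
            continue
        window_q = recent[event["src"]]
        window_q.append(event["ts"])
        users_tried[event["src"]].add(event["user"])
        # Drop failures that have aged out of the window.
        while window_q and event["ts"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])   # one alert per source, not one per extra failure
            alerts.append({
                "src": event["src"],
                "failures": len(window_q),
                "first": window_q[0],
                "last": event["ts"],
                "users": sorted(users_tried[event["src"]]),
            })
    return {"alerts": alerts, "unparsed": unparsed}

if __name__ == "__main__":
    report = detect_failed_login_bursts(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(f"ALERT {alert['src']}: {alert['failures']} failures between "
              f"{alert['first']} and {alert['last']}, users {alert['users']}")
    print("unparsed lines:", report["unparsed"])
```

On the sample, one source produces five failures across three usernames in ten seconds and is flagged once, the single failure from the other source stays below the threshold, and the malformed line is reported rather than dropped. The same structure (parse, window, threshold, alert once) carries over to other application events worth watching, such as access-denied responses from an API or repeated input-validation failures from one client.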
What was removed?
Gone are cross-site scripting (XSS) and cross-site request forgery (CSRF). While many believe these risks still deserve a top-ten listing, they haven’t been associated with many of the major breaches and attacks in the last several years. In addition, web browsers have upped their XSS protection measures, making it harder for hackers to exploit this risk.
The new additions to the list are quite appropriate and a good reflection of the current vulnerability landscape. It’s great to see that the list is recognizing risks beyond those found in systems and software. But the only way the list can deliver real long-term value to organizations is if application development and information security teams use it as a shared resource, working collaboratively to strengthen application security practices.