12/05/2023
My take on OWASP list updates - by Ben Hopper
The evolution of risk
As software becomes more complex and dependence on internet connectivity increases, so does the number of attack vectors and the ease with which a breach can be made. Fortunately, OWASP reviews its list every three to five years in line with changing threats to software to help companies and developers minimise their security risks.
As more companies invest in cloud technologies or migrate to the cloud, it’s become clear that there’s a cloud security skills gap. This is because infrastructure teams, who may previously have been more familiar with on-premises technologies, are still learning cloud, and that learning curve creates gaps and weaknesses in security - there’s a lot to learn.
What’s more, the types of attacks have changed over the past few years. As companies become more security aware, attacks evolve to be more sophisticated, which is reflected in OWASP’s current rundown. Below, I’ve picked out the changes that have the biggest impact for Propel Tech and our clients.
New entry at number 4 - Insecure Design
Security by design is often missed when companies don’t follow a secure SDLC. As a result, threat modelling and other ways of identifying potential attack vectors don’t get highlighted.
Suggested approach:
- Establish and use a secure development lifecycle with AppSec professionals
- Invest in training for someone key to development in ISC2 Certified Secure Software Lifecycle Professional – https://www.isc2.org/Certifications/CSSLP
Up from number 5 to 1 - Broken Access Control
When OWASP conducted its survey prior to its most recent list update, the results indicated a large increase in vulnerabilities related to access control. These potentially allow unauthorised actors to view data they shouldn’t have access to. Some issues are caused by bypassing the standard code flow, or by restrictions not being applied to every endpoint/route.
Suggested approach:
- To find issues, companies should include functional access control unit and integration tests.
- Automated scanning is less fruitful for these kinds of vulnerabilities; they require a human touch, such as penetration testers.
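As an added illustration of the functional access-control tests suggested above (example code, not from the original post), the block below contrasts a document handler that only authenticates the caller with one that also authorises the caller against the record’s owner, and builds the effective access matrix that a unit test asserts on. The users, documents and handler names are constructed for the example.

```python
"""Functional access-control tests for a small document API.

Constructed example; the handlers and the in-memory store are not from the
original post.  It contrasts a handler that only authenticates the caller
(broken access control: any logged-in user can read any document) with one
that also authorises the caller against the document's owner, and shows the
kind of unit test that catches the difference.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin"


# Constructed sample data: two documents with different owners.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}


def get_document_broken(current_user, doc_id: str) -> str:
    """Authenticates only: any signed-in user can read any document by id."""
    if current_user is None:
        raise Forbidden("login required")
    return DOCUMENTS[doc_id]["body"]


def get_document_fixed(current_user, doc_id: str) -> str:
    """Authenticates and authorises: only the record's owner or an admin."""
    if current_user is None:
        raise Forbidden("login required")
    record = DOCUMENTS[doc_id]
    # Deny by default.  The check is keyed on the owner stored server-side,
    # not on anything the client supplies, so editing the request cannot
    # bypass it.
    if record["owner"] != current_user.user_id and current_user.role != "admin":
        raise Forbidden(f"{current_user.user_id} may not read {doc_id}")
    return record["body"]


def can_read(handler, current_user, doc_id: str) -> bool:
    """Test helper: True if the handler returns the document, False if it refuses."""
    try:
        handler(current_user, doc_id)
        return True
    except Forbidden:
        return False


def access_matrix(handler) -> dict:
    """Run the handler over every (user, document) pair.  The result is the
    effective access-control matrix, which is what the tests assert on."""
    users = [User("alice", "user"), User("bob", "user"), User("root", "admin")]
    return {(u.user_id, d): can_read(handler, u, d) for u in users for d in DOCUMENTS}


if __name__ == "__main__":
    for name, handler in (("broken", get_document_broken), ("fixed", get_document_fixed)):
        print(name)
        for (user, doc), allowed in access_matrix(handler).items():
            print(f"  {user:6} {doc}: {'allowed' if allowed else 'denied'}")
```

The point of `access_matrix` is that the test enumerates every user against every record rather than checking one happy path: the broken handler passes any single-user test and only fails when a non-owner is included, which is exactly the case a scanner will not generate for you.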
Up from number 6 to 5 - Security Misconfiguration
Classic issues arise from the lack of a server/application hardening process, when default user accounts are used, or when default passwords are not changed.
Suggested approach:
- Harden systems before adding to production. Use NIST’s guide - https://ncp.nist.gov/repository
- Don’t rely on complex passwords; use three random words instead – https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
Up from number 9 to 6 - Vulnerable or Outdated Components
Vulnerabilities are found all the time, so software, libraries and packages are updated frequently; however, many companies overlook actioning these updates. Businesses and developers that do not prioritise security, or that rely on packages rather than “reinventing the wheel”, may find development quicker and cheaper, but this can lead to vulnerabilities.
Suggested approach:
- Maintain a list of allowed components.
- Regularly check for updates and make it mandatory to be on the latest versions prior to production release.
- Don’t use packages/libraries that are unsupported or not maintained, or that haven’t had development completed within a specified time scale, e.g. 90 days.
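The three rules above (an allowlist, a latest-version gate before release, and a staleness limit) can be turned into one check that fails a build. The block below is an added example, not from the original post: the manifest, the allowlist and the registry metadata are constructed stand-ins for what a real pipeline would read from a lockfile and from the package registry, and the 90-day limit is the post’s own figure.

```python
"""Dependency policy gate: allowlist, latest-version check, 90-day staleness rule.

Added example, not from the original post.  MANIFEST, ALLOWED_COMPONENTS and
REGISTRY are constructed; a real pipeline would read the first from the
project's lockfile and the last from the package registry's metadata API.
"""
from datetime import date

MAX_STALE_DAYS = 90  # the post's "specified time scale"

# Constructed: what the application declares (name -> pinned version).
MANIFEST = {
    "webframework": "4.1.0",
    "jsonlib": "2.0.3",
    "legacy-xmlparser": "0.9.1",
    "leftpad": "1.0.0",
}

# Constructed: components the organisation has approved for use.
ALLOWED_COMPONENTS = {"webframework", "jsonlib", "leftpad"}

# Constructed: registry metadata (latest released version and its release date).
REGISTRY = {
    "webframework": {"latest": "4.1.0", "released": date(2023, 4, 20)},
    "jsonlib": {"latest": "2.1.0", "released": date(2023, 4, 1)},
    "legacy-xmlparser": {"latest": "0.9.1", "released": date(2021, 6, 30)},
    "leftpad": {"latest": "1.0.0", "released": date(2022, 11, 15)},
}


def parse_version(v: str) -> tuple:
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def check_components(manifest, allowed, registry, today: date) -> list:
    """Return (component, finding) pairs; an empty list means the gate passes.
    Each rule corresponds to one of the post's suggestions."""
    findings = []
    for name, pinned in manifest.items():
        if name not in allowed:
            findings.append((name, "not on the allowed-components list"))
        meta = registry.get(name)
        if meta is None:
            findings.append((name, "unknown to the registry; cannot assess"))
            continue
        if parse_version(pinned) < parse_version(meta["latest"]):
            findings.append((name, f"outdated: {pinned} pinned, {meta['latest']} available"))
        age = (today - meta["released"]).days
        if age > MAX_STALE_DAYS:
            findings.append((name, f"no release for {age} days (limit {MAX_STALE_DAYS})"))
    return findings


def release_gate(manifest, allowed, registry, today: date) -> bool:
    """True only when there are no findings; intended to fail CI otherwise."""
    return not check_components(manifest, allowed, registry, today)


if __name__ == "__main__":
    today = date(2023, 5, 12)  # the post's date, used as the reference day
    for component, finding in check_components(MANIFEST, ALLOWED_COMPONENTS, REGISTRY, today):
        print(f"{component}: {finding}")
    passed = release_gate(MANIFEST, ALLOWED_COMPONENTS, REGISTRY, today)
    print("release gate:", "PASS" if passed else "FAIL")
```

Run against the constructed data, `webframework` is clean, `jsonlib` is behind the latest release, `legacy-xmlparser` is both off the allowlist and stale, and `leftpad` trips only the staleness rule, which is the case worth reviewing by hand: a stable, rarely-released package is not necessarily abandoned, so the 90-day figure is a policy choice to tune rather than a hard fact.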
Up from number 10 to 9 - Security and Logging Failures
Without good logs, it is hard to understand what has happened when investigating bugs and data loss.
Suggested approach:
- Make sure logs are correlated in a single place; use a SIEM such as Splunk.
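What “correlated in a single place” buys you is shown by the added example below (not code from the original post): two constructed log sources, a reverse proxy and the application, are normalised to common fields and joined on a shared request id, so that a denied action in the application can be read alongside the client address and URL the proxy saw. A SIEM such as the Splunk the post mentions does this collection and joining at scale; the step itself is the same.

```python
"""Correlating logs from two tiers into one timeline, keyed on a request id.

Added example, not from the original post.  PROXY_LOG and APP_LOG are
constructed sample lines in a simple 'timestamp source key=value ...' format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: the proxy and the application both record the same request id.
PROXY_LOG = """\
2023-05-12T09:14:02Z proxy client=203.0.113.9 req=a1f3 GET /api/docs/doc-2 status=200
2023-05-12T09:14:05Z proxy client=203.0.113.9 req=b7c2 GET /api/docs/doc-1 status=403
"""

APP_LOG = """\
2023-05-12T09:14:02Z app req=a1f3 user=bob action=read_document doc=doc-2 result=allowed
2023-05-12T09:14:05Z app req=b7c2 user=bob action=read_document doc=doc-1 result=denied reason=not_owner
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse_line(line: str) -> dict:
    """Normalise one log line into a flat record with parsed timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    record = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["source"]}
    for token in m["fields"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            # Bare tokens (HTTP method and path in the proxy log) carry no key.
            record.setdefault("extra", []).append(token)
    return record


def correlate(*logs: str) -> dict:
    """Group every record from every source by request id, ordered by time."""
    by_request = defaultdict(list)
    for log in logs:
        for line in log.splitlines():
            if line.strip():
                rec = parse_line(line)
                by_request[rec["req"]].append(rec)
    for records in by_request.values():
        records.sort(key=lambda r: r["ts"])
    return dict(by_request)


def denied_requests(by_request: dict) -> list:
    """Request ids where the application refused an action.  Because the
    records are already joined, the proxy's client address and path for the
    same request sit next to the refusal."""
    return sorted(
        req for req, recs in by_request.items()
        if any(r.get("result") == "denied" for r in recs)
    )


if __name__ == "__main__":
    timeline = correlate(PROXY_LOG, APP_LOG)
    for req, recs in timeline.items():
        print(req)
        for r in recs:
            details = {k: v for k, v in r.items() if k not in ("ts", "source")}
            print("  ", r["ts"].isoformat(), r["source"], details)
    print("denied:", denied_requests(timeline))
```

The shared `req` field is what makes the join possible; without an identifier that every tier writes, the best a SIEM can do is match on timestamps and client addresses, which is far less reliable when reconstructing what happened.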
Application security review
If you have any questions or concerns about your application security, or would like to speak to us about conducting an application security review, please contact david.ritchie@propeltech.co.uk