OWASP Top 10 2021 – what’s new, what’s changed

The 2021 edition of the OWASP Top 10 is finally out*! Let’s have a look at what OWASP introduced/changed in their industry-standard checklist for web application security and let’s compare it with our predictions from last year for the OWASP Top 10 2021. Last but not least – let’s analyze what the changes in OWASP Top 10 mean to you.

* Please note that at the moment of the publication of this blog post, OWASP Top 10 2021 is still under peer review but we don’t expect any major changes.

The shift towards a strategic focus

The biggest change in the OWASP Top 10 is the way that the authors want it to be perceived. While originally the Top 10 focused on vulnerability classification, the newest edition attempts a much more strategic approach. Most categories are broader than before and while the Top 10 is still data-driven, it is no longer primarily categorized by incidence – instead, it focuses on exploitability and impact. Also, only 8 out of 10 categories are based on the data while the remaining 2 are based on industry surveys.

What it means to you is that you should not perceive the OWASP Top 10 as just a simple “checklist of what to look for”. Instead, you should use it as a backbone of your web application security strategy in general.

Note that several OWASP Top 10 categories are impossible to cover with any kind of an automated tool – even more than before. This means that if any kind of software manufacturer promises you that they fully cover OWASP Top 10 2021, they are not telling you the truth. While both we at Invicti and others may provide reports, you cannot treat these reports as complete OWASP Top 10 coverage unless you perform the remaining manual security analysis.

The shifts in categories – are we prophets?

When looking back at our 2020 predictions, we were unable to guess what new categories would appear, but we were surprisingly right about most of the category shifts! This is very good news because it means that many parties involved in the web application security industry are thinking the same way. We are also hoping that this will also give you even more confidence in Acunetix – it proves that we know our stuff. And no, we did not use tarot cards or similar techniques.

Here’s a look at the new categories along with information about their position in 2017 and our predictions from 2020.

A01:2021-Broken Access Control

• Previous position: A05:2017-Broken Access Control
• Our 2020 prediction: A04:2021 (the right direction)

Broken access control means that a malicious user is able to access a function that should not be accessible to them. For example, when a regular user of a web application is able to access administrative functions.

Our initial prediction was that this category would go up in the ranks, but we did not expect it to go up so high. However, attacks such as forced browsing and insecure direct object references have indeed been on the front lines of web application security especially in the last year.

We see two potential reasons why broken access control is so high in the current ranking:

• The Top 10 is focusing on exploitability and impact. Broken access control is not as commonly found as other vulnerabilities but when found, it is easy to exploit and may have a huge impact.
• The number of APIs is growing much faster than ever expected and broken access control is one of the most common problems for APIs.

Unfortunately, while several broken access control vulnerabilities like path traversal or open redirect can be discovered by Acunetix, many others are business logic vulnerabilities that cannot be spotted using any automatic tools. For example, the tool has no way to know whether a certain function in the software is intended to be used only by privileged users. Therefore, to cover this Top 10 item, you need to do manual penetration testing in addition to your automatic scans.

A02:2021-Cryptographic Failures

• Previous position: A03:2017-Sensitive Data Exposure
• Our 2020 prediction: A02:2021 (bullseye!)

The name of this category has been changed by OWASP to focus more on the cause than the symptom. Sensitive data is most commonly exposed due to some kind of a cryptographic failure – either not using cryptography, using it badly, or using an outdated mechanism.

We expected that sensitive data exposure would become even more of a problem than before. This was based on the fact how many such major exposures we have seen in the last few years. Several major data breaches were caused by insufficient cryptographic practices such as exposed databases containing unencrypted information.

While tools such as Acunetix can help you cover the basics in this category, no automated tool can guess whether a certain piece of information is sensitive or not. For example, if you accidentally expose financial information, to an application such as Acunetix these are just numbers, only a human would know that these numbers should not be readable by everyone. Therefore, to cover A02, again you must complement automatic scanning with manual penetration testing.

A03:2021-Injection

• Previous position: A01:2017-Injection, now also includes A07:2017-Cross-Site Scripting (XSS)
• Our 2020 prediction: A05:2021 for injection, A03:2021 for cross-site scripting (bullseye!)

This year, OWASP decided to merge two major categories into one. It makes sense because cross-site scripting is, after all, a type of injection.

Luckily, Acunetix has you covered with many types of injections and XSS. While you may want to do additional penetration testing for the most elusive types, which are very unlikely to be found, our software can discover even the more obscure injections such as blind SQL injections or DOM-based XSS.

A04:2021-Insecure Design

• Previous position: not available
• Our 2020 prediction: not available

Insecure design is a completely new strategic category. It covers all the vulnerabilities that ultimately surface due to the designers of the software not taking security into account.

It is quite obvious that no automated tools can even begin to help you with this category. However, penetration testing will not help you, either. To make sure that you are covered, you must strategically analyze your design processes and make sure that you include security as early as possible.

If you design your own software, you may also consider shifting left with your security testing. Insecure design may lead to vulnerabilities appearing early in the development lifecycle, which can be eliminated during development instead of at the last moment (in staging).

A05:2021-Security Misconfiguration

• Previous position: A06:2017-Security Misconfiguration, now also includes A04:2017-XML External Entities (XXE) 
• Our 2020 prediction: A06:2021 (almost right!)

The slight shift up for security misconfigurations may be caused by the fact that these misconfigurations now also include XML external entities (XXE), which were previously in a separate category. XXE was a new trend back in 2017 and now it is easily discoverable by automatic tools and not very commonly exploited, therefore it does not deserve a category of its own.

While Acunetix can discover many security misconfigurations, including XXE, to fully cover this category you need additional penetration testing in addition to automatic scanning. This is because many security misconfigurations are business logic issues, which cannot be discovered using an automated tool (for example, a tool cannot guess whether a certain function should be configured to be publicly accessible or not).

A06:2021-Vulnerable and Outdated Components

• Previous position: A09:2017-Using Components with Known Vulnerabilities
• Our 2020 prediction: A07 (almost there!)

As we have been mentioning for years, including in our annual web application vulnerability report, vulnerable components cause a lot of problems in today’s web applications. More and more application developers use third-party libraries, especially due to the abundance of open-source ones. The time of applications such as qmail, written absolutely from scratch, is long over.

We expected vulnerable components to become more important and therefore we have also been working hard on making it easier for you to detect them automatically. While Acunetix was always able to find particular third-party component vulnerabilities, it now comes with software composition analysis (SCA) functionality that is able to detect even outdated components that are not openly vulnerable but contain vulnerable functions (which you may not yet be using).

In this category, Acunetix has you fully covered.

A07:2021-Identification and Authentication Failures

• Previous position: A2:2017-Broken Authentication
• Our 2020 prediction: A01:2021 (wrong, mostly due to COVID-19)

We admit we did not see that coming. OWASP suggests that the strong downward shift of this category is mostly due to the use of standardized frameworks. However, we believe that the COVID-19 pandemic and the resultant shift to remote work is the primary cause of this improvement.

Due to the pandemic, most businesses had to let their employees work remotely, and therefore, put a lot of attention on identification and authentication. What was often overlooked before because employees would log in only from office computers, became super important with the same employees often sharing their work tools with others or connecting through open networks. Businesses employed stronger password policies and, most importantly, multi-factor authentication. We can even admit that we greatly tightened security at Invicti in this respect, too!

Acunetix can cover the basics in this category by testing for common password vulnerabilities. However, to make sure your identification and authentication are working properly, you must perform a human assessment.

A08:2021-Software and Data Integrity Failures

• Previous position: not available (but includes A8:2017-Insecure Deserialization)
• Our 2020 prediction: not available

The second new category in the 2021 OWASP Top 10 is also a very generic one (just like A04) and focuses on testing the integrity of software and data in the software development lifecycle. This category was probably introduced due to the abundance of major supply chain attacks such as the SolarWinds case.

If you use Acunetix in your software development lifecycle by integrating it in your CI/CD pipelines (for example, Jenkins, CircleCI, GitLab, Azure DevOps, etc.), you can make sure that software security is verified early on. However, to completely cover this broad category, you must perform a strategic security analysis of your data and software (both your own and third-party software that you use).

A09:2021-Security Logging and Monitoring Failures

• Previous position: A10:2017-Insufficient Logging & Monitoring
• Our 2020 prediction: A08:2021 (the right direction)

We were hoping that OWASP would extend this category to include insufficient web security scanning but, unfortunately, our hopes did not come true. However, OWASP does mention that this category includes the use of DAST tools, such as Acunetix, without generating proper alerts.

Luckily, you can integrate Acunetix with tools such as Jira, GitHub, GitLab, Azure DevOps, and more to generate issues/alerts as soon as a vulnerability is found – no matter whether the tool is used ad-hoc or as part of the SDLC (see above).

However, Acunetix cannot help you with other issues related to logging and monitoring and you cannot cover that by manual penetration testing, either. To make sure your logging and monitoring are secure, you must perform security audits.

A10:2021-Server Side Request Forgery (SSRF)

• Previous position: not available
• Our 2020 prediction: not available

The server-side request forgery (SSRF) category was added as the third new category and based on the industry survey. This result of the survey may be caused by the fact that several major attacks, such as the Capital One incident, were caused by this type of vulnerability. Unlike the rest of 2021 Top 10, this category focuses on a very specific vulnerability.

Luckily, Acunetix is well-equipped to discover SSRF vulnerabilities and therefore we have you covered. However, additional manual penetration testing for the more obscure cases is never a bad idea.

OWASP Top 10 2021 – should you worry?

As you can see, most categories of OWASP Top 10 can only be covered by adopting a wholesome web application security strategy. Simple scanning is not enough, you must include occasional penetration testing and also have someone watch over the security procedures.

Many smaller businesses would struggle with this and would therefore abandon the idea of keeping their web applications secure. The OWASP Top 10 shows that this is not a simple task and just hiring a “security guy” will not help at all.

What we can recommend to such smaller businesses is to reach out to MSSPs and find one that covers web application security with Acunetix. This way you can be sure that you have someone who will keep a watchful eye on everything that cannot be found automatically and will be using top-class software to cover everything that can be found automatically. It’s a win-win situation for you.