With technologies such as AI, IoT, AR and VR, 5G and blockchain now part of daily life, cybersecurity has become more vital than ever, both for individuals and for enterprises.
In recent years we have seen rapid expansion of the Internet across the world, which has produced significant demand for web applications with strict security requirements.
Modern web systems are complex, distributed, heterogeneous and constantly evolving, while the web itself is pervasive and dynamic, which makes these systems prone to malicious actions such as virus attacks and other threats. Security is therefore a critical issue and is closely tied to the quality of a web application.
Integrating security testing into the development phase reduces the risk to the web application. The main goal of security testing is to detect and identify the flaws that could be exploited by attackers.
In this article we discuss the OWASP 2021 Top 10 application security vulnerabilities, how to detect them much earlier in the application lifecycle, and how to address them before the application is deployed to production. Let's start with the Top 10 application security issues reported by the Open Web Application Security Project® (OWASP Foundation, https://owasp.org/) in 2021.
OWASP Top 10 application security issues (2021):
1. Broken Access Control:
Broken access control occurs when the application fails to enforce what a user is allowed to see or do, so an attacker can access data that passes between the server and the client without being entitled to it. In practice the attacker acts as a user without being logged in, or as an admin while logged in as an ordinary user.
The attack is carried out by bypassing access control checks: altering the application URL (parameter tampering or forced browsing), the internal application state or the HTML page, or using an attack tool to modify API requests.
QA/testing teams should include functional access control scenarios in the integration and system testing phases. In a role-based web app, every absolute link should be tested for every type of user to ensure the right level of access control is in place.
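The following is an added example, not code from the article: a parameter-tampering (IDOR) endpoint beside its hardened form, plus the functional access-control matrix the paragraph above recommends testers run for every user type. The invoice records, user names and roles are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records: a hypothetical invoice table keyed by id.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str            # "user" or "admin" (constructed roles for this example)


class AccessDenied(Exception):
    pass


def get_invoice_insecure(user, invoice_id):
    """Vulnerable pattern: trusts the id taken from the URL and never asks who
    owns the record. Changing ?invoice_id=101 to 102 in the browser is enough
    to read another customer's invoice (parameter tampering)."""
    return INVOICES[invoice_id]


def get_invoice_secure(user, invoice_id):
    """Hardened pattern: deny by default, then allow only the owner or an admin."""
    if user is None:                       # anonymous request: not logged in
        raise AccessDenied("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error as for a forbidden record, so the id space cannot be enumerated.
        raise AccessDenied("no such invoice")
    if user.role != "admin" and invoice["owner"] != user.name:
        raise AccessDenied("not the owner")
    return invoice


def delete_invoice_secure(user, invoice_id):
    """Admin-only action: the role check runs server-side on every call, never
    only by hiding the button in the HTML page."""
    if user is None or user.role != "admin":
        raise AccessDenied("admin role required")
    return INVOICES.pop(invoice_id, None) is not None


def access_matrix(endpoint, users, invoice_ids):
    """The functional access-control test: exercise the endpoint for every user
    type (including anonymous) against every record and record which
    combinations succeed. Returns {(user_label, invoice_id): allowed}."""
    matrix = {}
    for user in users:
        label = user.name if user else "anonymous"
        for invoice_id in invoice_ids:
            try:
                endpoint(user, invoice_id)
                allowed = True
            except (AccessDenied, KeyError):
                allowed = False
            matrix[(label, invoice_id)] = allowed
    return matrix


if __name__ == "__main__":
    everyone = [None, User("alice", "user"), User("bob", "user"), User("root", "admin")]
    print("insecure:", access_matrix(get_invoice_insecure, everyone, [101, 102]))
    print("secure:  ", access_matrix(get_invoice_secure, everyone, [101, 102]))
```

Run as a script it prints both matrices; the insecure endpoint answers "allowed" for every cell, which is exactly the pattern a tester should treat as a finding.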
2. Cryptographic Failure:
These failures mainly lead to the exposure of sensitive data: passwords, credit card numbers, medical records, confidential records or private email.
If the encryption of sensitive data is weak or missing, attackers can access the data without authorisation and manipulate it to mount further attacks.
The application shouldn't store sensitive data unnecessarily. Developers must ensure sensitive data is discarded as soon as possible, or use PCI DSS compliant tokenization or even truncation.
Dev/QA teams should ensure that application data is identified and classified according to privacy laws, regulatory requirements or business needs, and must develop test cases that check for adequate encryption while the application stores and handles this data.
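As an added example (not from the article), two of the controls named above in working form: a weak unsalted hash beside a salted, deliberately slow PBKDF2 password record with constant-time verification, and PCI DSS style truncation of a card number so the full PAN is never stored. Iteration count, record format and the sample card number are constructed choices for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # deliberately slow: raises the cost of offline guessing


def weak_hash(password: str) -> str:
    """The failure mode: a fast, unsalted hash. Equal passwords give equal hashes,
    and precomputed tables or a GPU recover most of them quickly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as a self-describing record
    'pbkdf2_sha256$iterations$salt_hex$digest_hex' (constructed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def truncate_pan(pan: str) -> str:
    """PCI DSS style truncation: keep only the last four digits for receipts and
    support screens; the full card number is discarded rather than stored."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(truncate_pan("4111 1111 1111 1111"))   # constructed sample card number
```

The record carries its own salt and iteration count, so the cost can be raised later for new records while old ones still verify; that is the property a test case for "adequate encryption during storage" should check, rather than just the presence of a hash column.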
3. Injection (SQL, NoSQL, OS command, and other commands):
In an injection attack, the attacker targets the data store behind the application (for example the table holding usernames and passwords), typically a relational database. Given the right circumstances, an attacker can leverage an SQL injection vulnerability to bypass the web application's authentication and authorisation mechanism and retrieve the contents of the entire database.
It can also be used to modify, add and delete records in the database, which affects data integrity.
The testing team should ensure that adequate client-side and server-side validation is in place before the application accepts user input for processing on the server.
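An added example, not the article's code, showing the authentication bypass described above and its fix: a login query built by string concatenation beside the same query parameterised, over a constructed in-memory SQLite table, plus the server-side allowlist validation the testing team should look for. User names, passwords and the crafted input are constructed for the example.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table for the example (not a real schema).
    sha256 stands in for a slow, salted password hash to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    for uid, name, pw in [(1, "admin", "correct horse"), (2, "alice", "battery staple")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (uid, name, hashlib.sha256(pw.encode()).hexdigest()))
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the username is pasted into the SQL text, so characters in it
    can change the structure of the query instead of being compared as data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT id, username FROM users "
             f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Hardened: a parameterised query. The driver sends values separately from
    the SQL text, so input is only ever treated as data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT id, username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, pw_hash)).fetchone()


def valid_username(username):
    """Server-side allowlist validation: the first gate testers should verify.
    It complements parameterisation; it does not replace it."""
    return 1 <= len(username) <= 32 and username.isalnum()


if __name__ == "__main__":
    conn = make_db()
    crafted = "admin' --"   # constructed input: the comment marker drops the password check
    print("vulnerable:", login_vulnerable(conn, crafted, "wrong"))
    print("safe:      ", login_safe(conn, crafted, "wrong"))
    print("validated: ", valid_username(crafted))
```

With the crafted username the vulnerable query returns the admin row without a matching password, while the parameterised query returns nothing and the validator rejects the input before any query runs.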
4. Insecure Design:
This is a new category introduced in 2021 that focuses on vulnerabilities rooted in design and architectural flaws of web applications. Modern applications must use threat modelling, secure design patterns and reference architectures. As we adopt methodologies such as Agile and DevOps, the rigour around application security must shift left, starting from the requirements phase, e.g. by identifying protection requirements such as confidentiality, integrity, availability and authenticity.
Application teams should consider leveraging the OWASP Software Assurance Maturity Model (SAMM, https://owaspsamm.org/) to structure their secure software development efforts.
5. Security Misconfiguration:
Security misconfiguration refers to the infrastructure or server used to host the web application. Misconfigured services or settings (e.g. unnecessary ports, services, pages, accounts or privileges) can let attackers compromise the system. Misconfiguration vulnerabilities leave the application open to attacks that target any component of the application stack.
Unencrypted files, old and out-of-date web applications, unused devices and web applications, and similar misconfigurations all count as security misconfiguration issues.
Development, QA/staging and production environments must be set up and configured identically, with adequate authentication and authorisation in place. This process can be automated with third-party utilities (e.g. Chef, https://www.chef.io/) to minimise the effort required to set up a new secure environment on demand.
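As an added example (not from the article or from Chef), a small pre-deployment checker for the kinds of settings listed above: unnecessary ports, debug mode, default accounts and unused accounts, plus a drift check between two environments that are meant to be configured identically. The configuration keys, the allowed-port policy and both sample environments are constructed for illustration.

```python
ALLOWED_PORTS = {443}                                   # hypothetical policy: only HTTPS exposed
WEAK_PASSWORDS = {"", "admin", "password", "changeme"}  # constructed default-credential list


def find_misconfigurations(config):
    """Return human-readable findings for one environment's configuration."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled (stack traces and internals leak to clients)")
    if config.get("directory_listing"):
        findings.append("directory listing enabled")
    if config.get("admin_password") in WEAK_PASSWORDS:
        findings.append("default or empty admin password")
    extra = set(config.get("open_ports", [])) - ALLOWED_PORTS
    if extra:
        findings.append(f"unnecessary ports exposed: {sorted(extra)}")
    # string comparison is enough for the values "1.0", "1.1", "1.2", "1.3"
    if config.get("tls_min_version", "1.0") < "1.2":
        findings.append("TLS below 1.2 accepted")
    for account in config.get("accounts", []):
        if account.get("unused"):
            findings.append(f"unused account present: {account['name']}")
    return findings


def config_drift(reference, candidate, ignore=("hostname",)):
    """Keys whose values differ between two environments that should be identical
    (hostnames are expected to differ, so they are ignored)."""
    keys = set(reference) | set(candidate)
    return sorted(k for k in keys
                  if k not in ignore and reference.get(k) != candidate.get(k))


# Constructed sample: a production config and a staging config that drifted from it.
PRODUCTION = {
    "hostname": "app.example", "debug": False, "directory_listing": False,
    "admin_password": "placeholder-strong-secret", "open_ports": [443],
    "tls_min_version": "1.2", "accounts": [{"name": "deploy", "unused": False}],
}
STAGING = dict(
    PRODUCTION, hostname="staging.example", debug=True, open_ports=[443, 8080],
    accounts=[{"name": "deploy", "unused": False}, {"name": "test", "unused": True}],
)

if __name__ == "__main__":
    for env_name, env in (("production", PRODUCTION), ("staging", STAGING)):
        print(env_name, find_misconfigurations(env))
    print("drift:", config_drift(PRODUCTION, STAGING))
```

A check like this belongs in the pipeline that builds each environment, so that staging cannot silently acquire a debug flag or an extra listener that production does not have.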
6. Vulnerable and Outdated Components:
This category moved from #9 in the 2017 list to #6 in 2021. Vulnerable components are a known problem that teams struggle to test and assess for risk; it is the only category without any Common Weakness Enumeration (CWE) mapped to it.
The whole deployment of the application is likely to be vulnerable if it uses vulnerable, unsupported or out-of-date third-party components, on either the client or the server side.
This can be prevented by removing unused dependencies and unnecessary features, and by continuously checking the versions of components on both client and server.
Every organisation should develop a plan for monitoring, triaging and applying updates or configuration changes for the lifetime of the application or portfolio, as part of its company-wide security policy.
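An added example, not from the article, of the continuous version check described above: parse a pinned dependency manifest and compare each version numerically against an advisory table and an end-of-life list. The package names, versions and advisories are all hypothetical and constructed for the example; a real check would feed the same logic from a vulnerability database.

```python
import re

# Constructed advisory table (hypothetical package names, not real advisories):
# package -> list of (first_fixed_version, note)
ADVISORIES = {
    "examplelib": [("2.4.1", "deserialisation flaw fixed in 2.4.1 (hypothetical)")],
    "widgetkit": [("1.9.0", "auth bypass fixed in 1.9.0 (hypothetical)")],
}
# Constructed end-of-life list: every release on this major line is unsupported.
UNSUPPORTED = {"oldframework": "3"}

# Constructed sample manifest in requirements.txt style.
SAMPLE_REQUIREMENTS = """
# server-side dependencies (constructed)
examplelib==2.3.9
widgetkit==1.9.2
oldframework==3.2.0
"""


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text):
    """Parse 'name==version' lines; comments and blanks are skipped. Unpinned
    lines are rejected because a floating version cannot be audited."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def audit(deps, advisories=ADVISORIES, unsupported=UNSUPPORTED):
    """Return (package, version, reason) for every component that is vulnerable
    below a fixed version or sits on an unsupported release line."""
    findings = []
    for name, version in deps.items():
        for fixed_in, note in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, f"vulnerable, upgrade to >= {fixed_in}: {note}"))
        if name in unsupported and version.startswith(unsupported[name] + "."):
            findings.append((name, version, "unsupported major version, no security fixes"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(*finding)
```

The same audit should run over the client-side manifest (package-lock or equivalent) as well, since the paragraph above applies to both sides.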
7. Identification and Authentication Failures:
This was previously known as Broken Authentication and moved from #2 in the 2017 list to #7 in 2021, but it is still in the Top 10, which is significant. It covers user identity, authentication and session management, all of which are critical to protecting the application and sensitive business data.
It mainly occurs when an application cannot prevent automated attacks, such as trial-and-error password guessing or searching for a hidden page in order to log in to the application.
To prevent this, implement multi-factor authentication wherever possible to stop automated credential stuffing, brute force and stolen-credential reuse attacks, and so properly secure the application.
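As an added example (not from the article), the two controls the paragraphs above ask for in one small login guard: a second factor implemented as RFC 6238 TOTP on top of RFC 4226 HOTP, and a lockout that stops trial-and-error guessing after repeated failures. The user record format, the lockout thresholds and the injectable clock are constructed for the example; the secret used in the usage is the published RFC test-vector secret.

```python
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, for illustration only


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(now) // step)


def password_record(password: str, totp_secret: bytes) -> dict:
    """Constructed user record. sha256 stands in for a slow, salted password hash
    to keep the example short; the lockout and MFA logic does not depend on it."""
    return {"pw_sha256": hashlib.sha256(password.encode()).hexdigest(),
            "totp_secret": totp_secret}


class AuthGuard:
    """Password plus TOTP login with lockout after repeated failures."""
    MAX_FAILURES = 5
    LOCK_SECONDS = 900

    def __init__(self, users: dict, clock=time.time):
        self.users = users        # {username: password_record(...)}
        self.clock = clock        # injectable so tests can move time deterministically
        self.failures = {}        # username -> [failure_count, locked_until]

    def attempt(self, username: str, password: str, otp: str) -> str:
        now = self.clock()
        state = self.failures.setdefault(username, [0, 0.0])
        if now < state[1]:
            return "locked"       # while locked nothing is checked, so there is no oracle to guess against
        record = self.users.get(username)
        pw_ok = record is not None and hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), record["pw_sha256"])
        otp_ok = record is not None and hmac.compare_digest(otp, totp(record["totp_secret"], now))
        if pw_ok and otp_ok:
            self.failures.pop(username, None)
            return "ok"
        state[0] += 1
        if state[0] >= self.MAX_FAILURES:
            state[1] = now + self.LOCK_SECONDS
            state[0] = 0
        return "denied"           # identical answer for unknown user, bad password or bad OTP


if __name__ == "__main__":
    users = {"alice": password_record("battery staple", DEMO_SECRET)}
    guard = AuthGuard(users)
    print(guard.attempt("alice", "battery staple", totp(DEMO_SECRET, time.time())))
    print(guard.attempt("alice", "battery staple", "000000"))
```

Note that failures are counted per account name even for unknown users and the reply never reveals which factor failed; both details matter as much as the lockout itself when the goal is to defeat automated guessing.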
8. Software and Data Integrity Failure:
This is a new category in the 2021 list. The risk lies in making assumptions about software updates and critical data without verifying their integrity. An example is an application that relies on third-party plugins, libraries or services from untrusted sources, repositories and content delivery networks (CDNs).
The dev team must ensure that libraries and other third-party dependencies, such as those fetched by Maven, come only from trusted repositories. This risk can also be mitigated by using digital signatures or similar mechanisms to verify that software and data come from the expected source.
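An added example, not from the article, of the verify-before-use discipline described above: an update manifest is authenticated as the exact bytes received, and only then does the plugin artifact it describes get checked against the pinned digest. HMAC-SHA256 stands in for a public-key signature so the example has no dependencies; the plugin bytes, manifest fields and publisher key are constructed.

```python
import hashlib
import hmac
import json


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_digest(data: bytes, expected_sha256: str) -> bytes:
    """Refuse a downloaded artifact unless it matches the digest pinned at build
    time (the lockfile / Subresource Integrity idea). Returns the bytes on match."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise IntegrityError("artifact digest mismatch")
    return data


def sign_manifest(raw: bytes, key: bytes) -> str:
    """Publisher side. HMAC-SHA256 is a stand-in for a public-key signature here
    (a real publisher would use an asymmetric key so consumers hold no secret)."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def load_manifest(raw: bytes, signature: str, key: bytes) -> dict:
    """Consumer side: authenticate the exact bytes received BEFORE parsing them."""
    if not hmac.compare_digest(sign_manifest(raw, key), signature):
        raise IntegrityError("manifest signature invalid")
    return json.loads(raw)


def install_plugin(artifact: bytes, manifest_raw: bytes, signature: str, key: bytes) -> str:
    """Only a manifest that verifies may say which digest to expect, and only an
    artifact matching that digest is used. Returns the installed version."""
    manifest = load_manifest(manifest_raw, signature, key)
    verify_pinned_digest(artifact, manifest["sha256"])
    return manifest["version"]


# Constructed sample: a hypothetical plugin and the publisher's signed manifest.
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"
PLUGIN_BYTES = b"print('example plugin v1.2.0')\n"
MANIFEST_RAW = json.dumps({"name": "example-plugin", "version": "1.2.0",
                           "sha256": sha256_hex(PLUGIN_BYTES)}).encode()
MANIFEST_SIG = sign_manifest(MANIFEST_RAW, PUBLISHER_KEY)

if __name__ == "__main__":
    print("installed", install_plugin(PLUGIN_BYTES, MANIFEST_RAW, MANIFEST_SIG, PUBLISHER_KEY))
    try:
        install_plugin(PLUGIN_BYTES + b"# tampered\n", MANIFEST_RAW, MANIFEST_SIG, PUBLISHER_KEY)
    except IntegrityError as err:
        print("rejected:", err)
```

The order matters: the manifest is never parsed, and the artifact never loaded, until the check that covers it has passed, which is what closes the gap between "downloaded from the CDN" and "trusted".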
9. Security Logging and Monitoring Failure:
In the 2017 list this was #10; it moved up slightly to #9 in 2021. A secure app must log all important events such as logins, failed logins, code or server errors, high-value transactions and so on. This is essential for accountability, visibility, incident alerting and forensics if something goes wrong at any point during operations.
The logs themselves can become a source of information leakage if the alerting events and log data are visible to an attacker. This can be prevented by applying access controls to the logs, at a level that depends on the risk profile of the application.
10. Server-Side Request Forgery (SSRF):
This web security flaw allows an attacker to make the server-side application send HTTP requests to another internal application of the attacker's choosing. The attacker can force the server to connect to internal applications within the organisation's network. In other cases they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive material such as access credentials.
SSRF attacks frequently take advantage of trust relationships in order to escalate an attack from the vulnerable application and perform unauthorised actions. These trust relationships may exist with the server itself or with other back-end systems within the same organisation.
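An added example, not from the article, of the server-side check that closes the flaw described above: before the application fetches a user-supplied URL, the URL is validated against an allowlist of hosts, schemes and ports, IP literals are refused outright, and a second check is provided for the address the name resolves to. The allowlisted host names and the policy values are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this service is ever meant to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Validate a user-supplied URL before the server fetches it. Returns a
    normalised URL or raises ValueError. Allowlist, not denylist: anything not
    explicitly permitted is refused, which also sidesteps encoding tricks."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname           # lower-cased; any user@ prefix is already stripped
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                        # not an IP literal, fall through to the name check
    else:
        # Literal addresses are refused outright: loopback, private ranges and
        # link-local addresses never belong in a user-supplied target.
        raise ValueError(f"IP literal not allowed: {host}")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    port = parts.port or 443        # .port raises ValueError itself on a malformed port
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}:{port}{parts.path or '/'}{query}"


def is_safe_url(url: str) -> bool:
    try:
        check_outbound_url(url)
        return True
    except ValueError:
        return False


def address_is_public(ip_text: str) -> bool:
    """Second gate: after resolving an allowlisted name, check the resolved
    address too and connect to that same address, so a name that later resolves
    to an internal address (DNS rebinding) is still refused."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/status",
                      "https://127.0.0.1/", "http://api.partner.example/",
                      "https://api.partner.example@10.0.0.1/"]:
        print(candidate, "->", is_safe_url(candidate))
```

The userinfo case in the usage is the one most validators get wrong: the allowlisted name appears in the URL, but the host the request would actually reach is the address after the `@`, which is what `urlsplit` correctly reports and the check refuses.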
Testing application security issues:
- Static Application Security Testing (SAST) : SAST is based on a set of rules that define coding errors in source code that must be assessed and fixed. SAST scans are designed to identify the most common security problems, such as SQL injection, missing input validation and stack buffer overflows. SAST inspects an application before it is compiled; it is also referred to as white box testing.
- Dynamic Application Security Testing (DAST) : DAST tools use a black box testing method. They run the code and inspect it at runtime, detecting issues that could be security vulnerabilities. This can include issues with query strings, requests and responses, the use of scripts, memory leakage, cookie and session handling, authentication, third-party component execution, data injection and DOM injection.
A few leading SAST and DAST tools in the industry:
A few leading SAST tools:
- SonarQube : Used by many companies. SonarQube performs static code analysis, inspecting code for bugs and security vulnerabilities. SonarSource developed the product, which is available as open source. OWASP also has an open-source project with a product named OWASP SonarQube.
- Veracode Static Analysis : Performs fast static analysis and delivers automated security feedback from across the development environment (IDE integration) and from the CI/CD pipeline.
- Codacy : Helps a lot if you need a tool that provides quick code reviews. It is an automated code review system that surfaces patterns in the code to assist software engineers and developers in review. Codacy is useful for detecting security flaws and improving the safety of the code.
- AppScan : Used for testing web applications during the development phase, with the goal of detecting security vulnerabilities, bugs and anomalies before code is promoted to production systems.
A few popular DAST tools:
- Deepfactor (www.deepfactor.io) : A developer security platform for cloud-native apps that lets you discover, prioritise and remediate application security risks early in the development and testing lifecycle, as part of your organisation's shift-left (shift-start) strategy. Deepfactor allows engineering teams to quickly discover and resolve security issues, supply chain risks and compliance violations during development, without even having access to the software source code.
- Netsparker : A web vulnerability scanning solution for all web application security needs, with vulnerability scanning, vulnerability assessment and vulnerability management capabilities. The Netsparker scanner is used to detect vulnerabilities in a wide range of modern and custom web applications.
- Acunetix : The best option for protecting your websites, web applications and APIs. It can detect 6500 different types of threats, such as SQL injection, XSS and weak passwords, among others. It scans various sub-forms using advanced macro recording technology.
- IndusfaceWAS : The best choice for complete software risk detection, designed for in-depth scanning. It guarantees complete coverage of the OWASP Top 10 vulnerabilities and can usually detect vulnerabilities as soon as they appear as a result of application modifications.
- Best used as an online vulnerability scanner for websites. It provides simpler reports and lets you choose a weekly or monthly scan. It covers OWASP, XSS, SQL and SSL tests, and supports cross-site scripting, SQL injection, cross-site request forgery, malware and over 3000 other tests.
- PortSwigger : Best for its wide range of security tools and its ability to identify the most recent vulnerabilities. PortSwigger comes in three editions: Enterprise, Professional and Community. The Enterprise edition is best suited to businesses and software companies because it offers automated protection.
With more than 70% of the world's population now having access to the Internet, the impact of security attacks on web applications is substantially higher than ever. In this article we highlighted the top 10 security issues from the 2021 OWASP report and discussed a few tools that can help test for these risks. With advances in technologies such as AI/ML, modern SAST and DAST tools can accelerate the detection and remediation of these security issues and help ensure that secure enterprise applications and products are deployed to production, protecting data and overall application security. We hope you find this article helpful.