Security expert and Veracode CTO Chris Wysopal identified broken access control as a security risk in 1996. OWASP just pushed that software security problem to the first spot in the 2021 update of its Top 10 list. Despite the longevity of that risk, Wysopal describes the latest list as being on the leading edge of security best practices, with its emphasis on monitoring the software supply chain at the macro level (external APIs and software) and the micro level (libraries).
“The best evidence of this is that the extremely slow moving federal government is going to hold vendors accountable for delivering secure software,” he said.
He listed NIST’s definition of critical software, the setting of minimum standards for suppliers, and IoT and software labeling as important elements of President Joe Biden’s recent executive order on software security.
“These changes make it so that a purchaser of software can easily see what’s been done to secure their software,” he said.
Wysopal describes the executive order as a long overdue step in the right direction that will strengthen the security of federal agencies and their software supply chain.
“As the government continues to get more detailed about requirements, ratings and labeling, it should share that information with the private sector to ensure that ALL software is held to the same standards,” he said.
In the OWASP Top 10: 2021, Broken Access Control moved into first place, up from fifth place on the 2017 Top 10 list. Also, there are three new categories, four categories with naming and scoping changes, and some consolidation. The 2021 list, in order:
- Broken access control
- Cryptographic failures (previously known as sensitive data exposure)
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures (previously insufficient logging and monitoring)
- Server-side request forgery
OWASP notes that some of the category names have changed to focus on the root cause over the symptom.
How to interpret the new list
Sean Wright, principal application security engineer at Immersive Labs, said the updated list shows how far appsec has come and how far it still has to go.
“Half of the categories in the new list have appeared in every single list since 2003 in some shape or form, so 18 years of technological developments, experiments and learnings has not been enough to remedy these flaws,” he said. “This means we need to change our approach to application security.”
Wright said adopting a hybrid human/technology approach to resolving these vulnerabilities will improve application security and, hopefully, resolve some of the most impactful issues from the last two decades.
John Andrews, vice president of Global Channel at Invicti, said that the new OWASP Top 10 list takes a much broader view than previous editions, which sends a clear message that finding and fixing vulnerabilities is only one part of modern application security.
Andrews said new categories like Insecure Design and Software and Data Integrity Failures reinforce two major industry trends: the move to perform security testing from the early stages of development (shift left) and the recent focus on software supply chain security.
“The flip side of this new big-picture approach is that, unlike early editions, the Top 10 for 2021 is no longer a simple vulnerability testing checklist, which may limit its usefulness as an unofficial but widely used application security standard,” he said.
Prioritizing fixes for the top 10 risks
Injection issues and misconfiguration can usually be fixed with a few lines of code, but flaws like Insecure Design can take days or weeks to fix, Wysopal said.
“This is why it is important to catch some flaws at the design stage or earlier in development when they can be fixed much more easily,” he said.
Wysopal would prioritize fixing #1 broken access control, #3 injection, and #6 vulnerable and outdated components because those flaws are some of the easiest for attackers to find and exploit.
DevOps and pipeline automation should drive the evolution of security as code (SaC), compliance as code (CaC) and infrastructure as code (IaC) as the next stage of appsec, Wysopal said.
“In a nutshell, everything that can be code will be code, meaning changes will be introduced only when new code is pushed into production,” he said. “This evolution will dramatically ease the burden on development teams to drive adoption of security tools, making software security second nature.”
Wysopal predicts that this approach to software will remove friction from the development process, lower costs and improve compliance with regulations.