OWASP Top-10 2022.




OWASP Top 10 Meaning and Significance.

The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. It operates under an “open community” model, which means that anyone can participate in and contribute to OWASP-related online chats, projects, and more. From online tools and videos to forums and events, OWASP ensures that its offerings remain free and easily accessible through its website.

The OWASP Top 10 provides rankings of—and remediation guidance for—the top 10 most critical web application security risks. Leveraging the extensive knowledge and experience of the OWASP’s open community contributors, the report is based on a consensus among security experts from around the world. Risks are ranked according to the frequency of discovered security defects, the severity of the uncovered vulnerabilities, and the magnitude of their potential impacts. The purpose of the report is to offer developers and web application security professionals insight into the most prevalent security risks so that they may fold the report’s findings and recommendations into their own security practices, thereby minimizing the presence of known risks in their applications.

The OWASP Top 10 2022 ranks the top cyber risks, threats, and vulnerabilities from a security perspective on the following basis:

  1. Frequency of occurrence.
  2. Intensity of the damage caused.
  3. Number of people impacted.
  4. Magnitude of the impact.


1. Broken Access Control:



A broken access control vulnerability is a type of security flaw that allows an unauthorized user access to restricted resources. By exploiting this vulnerability, attackers can circumvent standard security procedures and gain unauthorized access to sensitive information or systems.

2. Cryptographic failures:



As per OWASP, cryptographic failure is a symptom instead of a cause. Any failure responsible for the exposure of sensitive and critical data to an unauthorized entity can be considered a cryptographic failure.

3. Injections:


Injection, in its most common form, is a database attack against a website that uses structured query language (SQL): untrusted input is placed into a query so that the database executes it as part of the command rather than treating it as plain data. Because the program cannot distinguish the injected text from its own query, attackers can use injection to obtain information or perform actions that would ordinarily require an authenticated user account, reaching protected areas and sensitive data while masquerading as trusted users. Injections include SQL injection, command injection, CRLF injection, and LDAP injection, among others.


4. Insecure design:



Insecure design is the lack of security controls being integrated into the application throughout the development cycle. This can have wide-ranging and deep-rooted security consequences, as the application itself is not designed with security in mind.
 

5. Security Misconfiguration:


Security misconfiguration is the absence of appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. Typical signs are unnecessary features that are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges), and default accounts whose passwords are still enabled and unchanged.

6. Vulnerable & outdated components:


A vulnerable and outdated component is a software component that is no longer supported by the developer, making it susceptible to security vulnerabilities. Many times, a component has known vulnerabilities that don't get fixed due to a lack of maintenance.

7. Identification & authentication failure:


Identification and authentication failures can occur when functions related to a user's identity, authentication, or session management are not implemented correctly or not adequately protected by an application.

8. Software & data integrity failures:


Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs).

9. Security logging and monitoring failures:


A lack of logging of suspicious actions and events widens the windows of time that go unmonitored, allowing security breaches to go unnoticed for longer than they would with better logging. This OWASP Top 10 2021 section is meant to aid in the identification, escalation, and resolution of recent breaches. Detection of a security breach is unlikely without logging and monitoring.


10. Server-Side Request Forgery (SSRF):


Server-side request forgery is a type of security exploit in which an attacker abuses the functionality of a server, causing it to access or manipulate information within that server's own network that would otherwise not be directly accessible to the attacker.


