The Open Web Application Security Project (OWASP) publishes its Top 10 list as the definitive reference for web application security risks. Understanding these vulnerabilities is essential for any organization that operates web applications.
A01:2021 - Broken Access Control moves up from the fifth position to the most critical web application security risk. 94% of applications were tested for some form of broken access control. Access control enforces policy such that users cannot act outside their intended permissions.
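The policy enforcement A01 describes, as an added example that is not part of the original post: a lookup that trusts any caller with a valid id (the classic broken-object-level-authorization shape), beside a version that denies by default, checks ownership, and records every denial for detection. The data, user model and `Forbidden` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample store: document id -> owner user name.
DOCUMENTS: Dict[int, str] = {101: "alice", 102: "bob"}

# Constructed audit trail of denied requests; a real app would ship this to its SIEM.
DENIALS: List[dict] = []


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the access-control policy does not allow the request."""


def get_document_vulnerable(user: User, doc_id: int) -> Optional[dict]:
    """A01 pattern: being authenticated is treated as being authorized.

    Any logged-in user can read any document just by supplying its id.
    """
    if doc_id not in DOCUMENTS:
        return None
    return {"id": doc_id, "owner": DOCUMENTS[doc_id]}


def can_read(user: User, owner: str) -> bool:
    """Policy: a user may read their own documents; admins may read all."""
    return user.role == "admin" or user.name == owner


def get_document(user: User, doc_id: int) -> dict:
    """Hardened lookup: deny by default, then allow only what the policy permits.

    Missing and forbidden records raise the same error so the response does
    not reveal which ids exist; the denial is logged so repeated probing by
    one account stands out in monitoring.
    """
    owner = DOCUMENTS.get(doc_id)
    if owner is None or not can_read(user, owner):
        DENIALS.append({"user": user.name, "doc_id": doc_id})
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return {"id": doc_id, "owner": owner}
```

Running `get_document_vulnerable(User("bob", "user"), 101)` returns Alice's document, while `get_document` with the same arguments raises `Forbidden` and appends an entry to `DENIALS`.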
A02:2021 - Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure. The focus is on failures related to cryptography, which often lead to sensitive data exposure. Notable Common Weakness Enumerations (CWEs) include CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy.
A03:2021 - Injection slides down to the third position. 94% of the applications were tested for some form of injection. Cross-site Scripting is now part of this category. Notable CWEs include CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and CWE-73: External Control of File Name or Path.
A04:2021 - Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
A05:2021 - Security Misconfiguration moves up from #6 in the previous edition. 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it's not surprising to see this category move up.
Hackator automatically scans for all OWASP Top 10 vulnerabilities and provides detailed remediation guidance in every security report. Start your free scan today at hackator.com.