App Security | OWASP 2021- New Entries
What is OWASP?
OWASP (Open Web Application Security Project) is an international non-profit organization dedicated to improving software security through open source initiatives and community education.
OWASP supports the building of impactful projects, develops and nurtures communities through events and chapter meetings worldwide, and provides educational publications and resources.
What is OWASP top 10?
The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.
Read more in detail at the official site: https://owasp.org/Top10/
Which entries are new in the 2021 Top 10 list?
1. Insecure Design
"Insecure design" covers vulnerabilities that exist because security was not built into the application at development time. When security best practices are not considered during the design phase, the resulting application carries flaws that no amount of correct implementation can fix later.
Secure design of an application includes evaluating the threats it faces and testing that verifies the coded application actually withstands them and contains no known security weaknesses. To exploit insecure design, attackers analyze the application's workflows much as a threat modeler would, revealing a broad range of vulnerabilities and weaknesses in how the application was conceived rather than in how it was coded.
How to Prevent:
OWASP recommends that organizations undertake threat modeling to identify vulnerabilities in the design phase.
By implementing threat models at the design phase, security starts to be baked into new code. Furthermore, through automation and access to comprehensive standard libraries, threat models can be run throughout the secure development lifecycle, ensuring that new vulnerabilities are continuously mitigated by countermeasures.
2. Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. An example is an application that relies on plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). Attackers can exploit this to introduce unauthorized access, malicious code, or system compromise as part of attacks such as cache poisoning, code injection, command execution, and denial of service.
How to Prevent:
- Use digital signatures to verify software integrity.
- Ensure libraries and dependencies, such as npm or Maven packages, are consumed from trusted repositories.
- Ensure that your CI/CD pipeline has proper segregation, configuration, and access control.
3. Server-Side Request Forgery (SSRF)
SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination.
A successful SSRF attack can result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with.
How to prevent at the application layer:
- Sanitize and validate all client-supplied input data
- Enforce the URL schema, port, and destination with a positive allow list
- Do not send raw responses to clients
- Disable HTTP redirections
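The first two items above as working code: an added example, not code from the original post, of a deny-by-default URL validator that a server-side fetcher calls before making any request. The allow list (scheme, two partner hostnames, port 443) is constructed for the example; only the Python standard library is used.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list for this example: the only scheme, hosts and port
# the service is ever allowed to fetch from. Everything else is denied.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # assumed partner hosts
ALLOWED_PORTS = {443}


def validate_fetch_url(raw_url: str) -> str:
    """Return a normalised URL when every component is on the allow list,
    otherwise raise ValueError. Deny by default: other schemes, userinfo,
    IP literals, unlisted hosts and unlisted ports all fail."""
    parts = urlsplit(raw_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    # "user@host" in the authority confuses naive parsers; the allow list
    # never needs credentials, so reject any userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower()   # lowercased, IPv6 brackets stripped
    if not host:
        raise ValueError("missing host")
    # Allow-listed names only: an IP literal (loopback, link-local, internal
    # ranges) can never match, so it is rejected before any DNS or connect.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError(f"IP literal not allowed: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host}")
    port = parts.port if parts.port is not None else 443   # .port raises on non-numeric
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}:{port}{parts.path or '/'}{query}"


def is_safe_fetch_url(raw_url: str) -> bool:
    """Boolean wrapper for call sites that only need a yes/no answer."""
    try:
        validate_fetch_url(raw_url)
    except ValueError:
        return False
    return True
```

The remaining two items belong at the fetch call itself: configure the HTTP client not to follow redirects, since a 3xx from an allowed host would otherwise send the fetcher to an unvalidated destination, and return to the client only the fields extracted from the upstream response, never the raw body or headers.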