The OWASP® Foundation (The Open Web Application Security Project) is a nonprofit organisation helping to improve software security. The organisation offers community-led open source software projects and has tens of thousands of members in hundreds of chapters worldwide. OWASP also hosts local and global conferences.
Widely used and very popular is the OWASP Top 10, which is a standard awareness document for developers and web application security experts that outlines the most critical web application security risks and vulnerabilities. The number of web applications that have at least one OWASP vulnerability could be as high as 68%, with Broken Access Controls being number one.
What are the OWASP Top 10, 2021
1. Broken Access Control – Access controls enforce user privileges, preventing them from acting outside of their permissions. Failures can lead to unauthorised access, modification, release, and destruction of data or functions outside the user’s intended privileges.
2. Cryptographic Failures – Many web applications and their APIs do not impose strong encryption practices to properly protect sensitive corporate and customer data. This gives attackers an opportunity to intercept or modify data for criminal purposes. Strong encryption must be imposed when data is at rest or in transit.
3. Injection – Attackers will leverage flaws such as SQL, NoSQL, OS, and LDAP injection to try and trick the interpreter into allowing them to access data without proper authorization or execute unintended commands.
4. Insecure Design – In the design and development lifecycle of software and applications, inadequately budget for time and security requirements can allow critical vulnerabilities, to pass through into live environments, leaving attackers to find attack vectors the team never anticipated or addressed.
5. Security Misconfiguration – Ad hoc and insufficient configuration of software and infrastructure can lead to admin or root access accounts being left in place, exposed cloud storage, misconfigured HTTP headers, verbose error messages that leave sensitive information exposed and more. As a best practice all operating systems, frameworks, libraries, and applications must be properly configured, patched, and upgraded – though thats not always possible. We’ll also address this.
6. Vulnerable and Outdated Components – Vulnerable components, such as libraries, frameworks, and other software modules often lead to severe instances of data loss or server takeover. The inability to address CVE’s (Common Vulnerabilities and Exposures) undermines application security by enabling various attack vectors.
7. Identification and Authentication Failures – When incorrectly implemented, functions related to authentication and session management allow attackers to compromise session tokens, passwords, keys, and user credentials. Multi-Factor authentication is one of the easiest ways to prevent an attacker from assuming a users identity.
8. Software and Data Integrity Failures – Software and data integrity failures happen when applications rely on libraries and plugins from untrusted sources and insecure deployment pipelines allow these to be introduced without integrity check and create the potential for unauthorized access or system compromise.
9. Security Logging and Monitoring Failures – No or poor logging and monitoring pair with inadequate tools for incident response can let a breach become pervasive allowing attackers to persist, traverse to to more systems, and tamper with or extract data. The average time to detect a breach is over 200 days. Fine-grained auditing and logging capabilities can substantially improve that.
10. Server-Side Request Forgery – Server-Side Request Forgery (SSRF) flaws allow attackers to trick applications into fetching a remote resource from an unexpected destination without validating it. Unfortunately this attack can be perpetrated even when protected by a conventional firewall, VPN, or another type of network access control list (ACL).
Zero Trust for Web Application Security
Agilicus AnyX is designed to eliminate an attacker’s visibility into the potential OWASP Top 10 web application vulnerabilities that could exist in a given application as resources are completely hidden from non-authenticated users. This is achieved with the patented Identity Aware Web Application Firewall which acts as a proxy server (reverse proxy) and protects web applications and resources by only allowing access on the basis of authenticated identity.
Organisations can also leverage this component of the Agilicus AnyX platform to enhance security on the client side by modifying server headers or enforcing SSL (Secure Socket Layer) on all traffic. As a result, the Identity Aware Web Application Firewall ensures all traffic is encrypted and that users are able to access designated resources from anywhere without making them visible on the public internet.
The Agilicus AnyX platform features that specifically protect against the OWASP Top 10 web application vulnerabilities and deliver a Zero Trust Architecture platform include:
Role-Based Access Controls – Centralise the management of users and their roles to enact, strict least privilege access through fine-grained authorisation. Prevent (1) Broken Access Controls, (2) Cryptographic Failures, and (7) Identification and Authentication Failures.
Detailed Audit Trails – All users, connections and actions audited. No more (9) Security Logging and Monitoring Failures that leave you unsure of who did what for how long .
Identity Aware Web Application Firewall – Blocks malicious and unauthenticated traffic, while protecting against (3) Injection (5) Security Misconfiguration (6) Vulnerable and Outdated Components (8) Software and Data Integrity Failures, (4) Insecure Design, (10) Server-side Request Forgery.
Multi-Factor Authentication – Second factor authentication requirements are built right into the login flow helping to address (7) Identification and Authentication Failures.
Organisations face what seems like an endless number of cyber threats and that makes finding the right protection difficult. The Agilicus AnyX platform makes it easy and affordable for organisations to adopt a Zero Trust Architecture framework and take control of their ecosystem of applications to improve security and protect against the OWASP Top 10.