The first OWASP Top 10 list of web application security risks was released in 2003 and has been updated several times since. The current version, released in 2021, reordered, merged and added categories on the basis of a data call that covered more than 500,000 applications and analyzed some 2.3 million vulnerabilities.
1. Broken Access Control
Broken Access Control moved from fifth place in the 2017 list to first in 2021. In the data behind the list, 94% of applications were tested for some form of broken access control, and the category had more occurrences than any other. Broken access control covers flaws in which permission checks are missing or insufficient, so users can act outside their intended permissions: reading or modifying other users' records by changing an identifier in the request (insecure direct object reference), reaching admin functions without the admin role, or escalating privileges by tampering with a token or cookie. Access control is typically compromised because authorization checks are absent, inconsistent, or done client-side where they can be bypassed.
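The insecure direct object reference described above, as an added example that is not part of the original article: a handler that authenticates but never authorizes, next to one that enforces ownership. The user roles, invoice ids and amounts are constructed for the demonstration.

```python
# Added example (not from the original article): an insecure direct object
# reference, the commonest form of broken access control, next to a handler
# that enforces ownership. Users, roles and invoice records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


# Constructed data: invoice id -> (owner, amount). Ids are sequential, so
# they are trivially guessable once one of them is seen in a URL.
INVOICES = {
    1001: ("alice", 120.00),
    1002: ("bob", 980.50),
    1003: ("alice", 42.10),
}


def get_invoice_vulnerable(current_user: User, invoice_id: int):
    """Authenticates (a user is logged in) but never authorizes: any
    logged-in user can read any invoice by changing the id in the request."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: User, invoice_id: int):
    """Deny by default: return the record only if the caller owns it or is
    an admin. The check runs server-side on every request; hiding the link
    in the UI is not a control."""
    owner, amount = INVOICES[invoice_id]
    if current_user.role != "admin" and owner != current_user.name:
        raise Forbidden(f"{current_user.name} may not read invoice {invoice_id}")
    return owner, amount


def enumerate_ids(handler, user: User, id_range):
    """Walk a range of ids the way an attacker would and return the ids the
    handler disclosed to this user."""
    disclosed = []
    for invoice_id in id_range:
        try:
            handler(user, invoice_id)
        except (Forbidden, KeyError):
            continue
        disclosed.append(invoice_id)
    return disclosed


if __name__ == "__main__":
    bob = User("bob", "user")
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, bob, range(1000, 1010)))
    print("fixed:     ", enumerate_ids(get_invoice_fixed, bob, range(1000, 1010)))
```

In a real handler, respond to a forbidden id and a non-existent id with the same status and body, so the enumeration loop cannot tell which ids exist, and log each denied attempt: a burst of them from one account is exactly the signal the logging category below is about.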
2. Cryptographic failures
Cryptographic Failures was previously called Sensitive Data Exposure, a name that described the symptom rather than the root cause. It moved from third place in 2017 to second in 2021. It covers failures of cryptography, or its absence: sensitive data transmitted or stored in clear text, deprecated algorithms and hash functions such as MD5 or SHA-1, hard-coded or poorly managed keys, weak or unsalted password hashing, and missing certificate validation. These flaws frequently lead to disclosure of sensitive information or system compromise.
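Weak password hashing is the cryptographic failure most applications actually ship. The following is an added example, not code from the original article: the unsalted MD5 storage OWASP warns about next to salted PBKDF2-HMAC-SHA256 from the standard library with a constant-time comparison. The iteration count, record format and user table are this example's own choices.

```python
# Added example (not from the original article): the weak password storage
# that OWASP lists under Cryptographic Failures (unsalted MD5) next to a
# salted, slow, constant-time scheme (PBKDF2-HMAC-SHA256 from hashlib).
# Iteration count and record format are this example's choices.
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password_weak(password: str) -> str:
    """Unsalted fast hash. Equal passwords give equal digests, so one
    rainbow-table or GPU crack of the digest unlocks every account using it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow derivation. The stored
    record carries its own parameters so they can be raised later."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant
    time so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def weak_hash_reused(records: dict) -> dict:
    """Given {username: md5_hex}, show what an attacker sees in a leaked
    table: accounts sharing a password are visible without cracking anything."""
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed user table stored the weak way
    weak_table = {u: hash_password_weak(p) for u, p in
                  [("alice", "password"), ("bob", "hunter2"), ("carol", "password")]}
    print("shared passwords visible in MD5 table:", weak_hash_reused(weak_table))
    record = hash_password("password")
    print(record)
    print("verify correct:", verify_password(record, "password"))
    print("verify wrong:  ", verify_password(record, "Password"))
```

If a memory-hard function such as Argon2id or scrypt is available in your environment, prefer it; PBKDF2 is used here only because it ships with the standard library. The self-describing record format is what lets you raise the iteration count later and re-hash users on their next successful login.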
3. Injection
Injection dropped from first place to third in the 2021 list. Injection occurs when untrusted user data is supplied to an interpreter as part of a command or query, so that the data changes the meaning of the command. Cross-Site Scripting (XSS), seventh in 2017, has been merged into this category.
The most common forms are SQL injection, Cross-Site Scripting (XSS), NoSQL injection, code injection, OS command injection and host header injection. The primary defence is to keep data separate from commands: parameterised queries and safe APIs on the server side, and context-aware output encoding for anything rendered back to the browser.
4. Insecure Design
Insecure Design is a new category in 2021. It highlights risks from design and architectural flaws, cases where a control is missing or ineffective by design, which no amount of careful implementation can fix. It reflects the industry's increased emphasis on building applications that are secure by design, through threat modeling, secure design patterns and reference architectures.
5. Security Misconfiguration
Security Misconfiguration moved from sixth place in 2017 to fifth in 2021 and absorbed the former XML External Entities (XXE) category. It reflects a lack of security hardening across the stack: unnecessary features and default accounts left enabled, verbose error messages that reveal stack traces, missing security headers, and insecure default settings. It can affect any part of the system, including network devices, databases, web and application servers, frameworks, cloud services and containers.
6. Vulnerable and outdated components
Formerly named "Using Components with Known Vulnerabilities", the category is now called Vulnerable and Outdated Components and moved from ninth place in 2017 to sixth in 2021. It covers unsupported and obsolete components: libraries, frameworks, runtimes and other software whose versions are unknown, unpatched or no longer maintained, on either the client or the server side. Applications that do not track their components, keep them up to date and scan dependencies regularly are exposed to publicly known exploits.
7. Identification and authentication failures
Formerly named "Broken Authentication", this category fell from second place in 2017 to seventh in 2021. When an application implements authentication or session management incorrectly, attackers can compromise passwords, keys or session tokens and assume other users' identities temporarily or permanently. Typical weaknesses are permitting credential stuffing and brute force, accepting weak or default passwords, weak credential recovery, missing or ineffective multi-factor authentication, session identifiers exposed in URLs, session identifiers not rotated after login, and sessions not invalidated on logout or after a period of inactivity.
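Session management the way this category describes it going wrong, as an added example that is not from the original article: a store with sequential session ids and no expiry, next to one that issues random ids, rotates the id at login and expires idle sessions. The injectable clock exists only so the expiry path can be exercised without sleeping.

```python
# Added example (not from the original article): session handling the way
# A07 describes it going wrong (guessable ids, no rotation, no expiry) next
# to a store that issues random ids, rotates on login and expires. The clock
# parameter exists so the expiry path can be exercised without sleeping.
import secrets
import time
from typing import Optional


class SessionStoreVulnerable:
    """Sequential session ids. Anyone holding one id can try its neighbours."""

    def __init__(self):
        self._next_id = 1000
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = str(self._next_id)
        self._next_id += 1
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)


class SessionStore:
    """Random ids from the OS CSPRNG, rotated at login, with idle expiry."""

    def __init__(self, ttl_seconds: int = 900, clock=time.monotonic):
        self._sessions = {}  # sid -> (user or None, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def _issue(self, user) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def begin(self) -> str:
        """Pre-authentication session (for example, a shopping cart)."""
        return self._issue(None)

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        """Rotate the id on privilege change so a fixated pre-auth id cannot
        be used to hijack the authenticated session."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self._issue(user)

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[sid]  # idle timeout: forget it server-side
            return None
        return user

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def guess_neighbours(store, my_sid: str, width: int = 3):
    """What an attacker does with a sequential id: try the ids around it."""
    try:
        centre = int(my_sid)
    except ValueError:
        return []  # random ids give nothing to count from
    hits = []
    for candidate in range(centre - width, centre + width + 1):
        if str(candidate) == my_sid:
            continue
        user = store.user_for(str(candidate))
        if user is not None:
            hits.append(user)
    return hits


if __name__ == "__main__":
    weak = SessionStoreVulnerable()
    weak.login("alice")
    mine = weak.login("bob")
    print("neighbours of my weak session:", guess_neighbours(weak, mine))
    strong = SessionStore()
    cart = strong.begin()
    sid = strong.login("alice", old_sid=cart)
    print("old id still valid after login:", strong.user_for(cart) is not None)
```

The id itself must also travel only in a cookie flagged `Secure`, `HttpOnly` and `SameSite`, never in a URL, and the login endpoint needs rate limiting and lockout; neither is shown here.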
8. Software and data integrity failures
Software and Data Integrity Failures is a new category in 2021. It covers code and infrastructure that make assumptions about software updates, critical data and CI/CD pipelines without verifying their integrity: plugins and libraries pulled from untrusted sources, auto-update mechanisms that do not verify signatures, and build pipelines an attacker can tamper with. Insecure Deserialization, eighth in 2017, has been merged into this category.
9. Security logging and monitoring failures
Formerly named "Insufficient Logging & Monitoring", the category is now "Security Logging and Monitoring Failures" and moved from tenth place in 2017 to ninth in 2021. Logging and monitoring are what let an organization detect, escalate and respond to an active breach; the category covers auditable events such as logins and failed logins that are not logged, logs that are not monitored for suspicious activity, and missing alerting and escalation. Without adequate logging and monitoring, breaches go undetected for long periods and cannot be reconstructed afterwards.
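What logging of failed logins buys you, as an added example that is not from the original article: detection logic run over a small constructed authentication log, alerting on a source that fails repeatedly inside a sliding window and noting whether a success from that source followed. The log format, usernames and IPs are made up for the demonstration; the regular expression would be adapted to the real source.

```python
# Added example (not from the original article): detection logic over
# constructed authentication log lines, showing what the missing logging
# would have made impossible. The log format, users and IPs are made up for
# the demo; adapt the regex to the real source.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (RFC 3339 timestamps, documentation-range IPs)
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:03+00:00 auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:05+00:00 auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:06+00:00 auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:08+00:00 auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:09+00:00 auth login_ok user=alice src=203.0.113.7
2024-05-01T10:00:20+00:00 auth login_failed user=bob src=198.51.100.4
2024-05-01T10:05:20+00:00 auth login_failed user=bob src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    src: str
    user: str
    failures: int
    window_start: str
    alert_at: str
    followed_by_success: bool = False  # the brute force probably worked


def parse_events(lines):
    """Yield (timestamp, event, user, src); silently skip unrelated lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"])


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on a source that fails `threshold` logins inside a sliding
    window, and mark whether a success from that source came afterwards."""
    events = sorted(parse_events(lines), key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}                  # src -> Alert (first one only)
    for ts, event, user, src in events:
        if event == "login_failed":
            window = recent[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= threshold and src not in alerts:
                alerts[src] = Alert(src, user, len(window),
                                    window[0].isoformat(), ts.isoformat())
        elif src in alerts:
            alerts[src].followed_by_success = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The point of the `followed_by_success` flag is escalation: a burst of failures is an attempt, a burst followed by a success from the same source is a probable account takeover and deserves an alert a human sees, not a dashboard counter. None of this is possible if the application never wrote the `login_failed` lines in the first place.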
10. Server-Side Request Forgery
Server-Side Request Forgery (SSRF) is a new category in the 2021 list, added on the basis of the community survey. It occurs when a web application fetches a remote resource from a user-supplied URL without validating it, which lets an attacker make the server send requests to destinations of the attacker's choosing, including internal hosts that a firewall, VPN or network ACL would otherwise protect. An attacker can use it to scan internal hosts and ports, read cloud instance metadata, reach internal services, or cause a denial of service.
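The validation a server should apply before fetching a user-supplied URL, as an added example that is not from the original article. The resolver is injectable so the check can run offline; the `FAKE_DNS` table is constructed, not real DNS data, and the scheme allowlist and deny-by-default policy are this example's choices.

```python
# Added example (not from the original article): the validation a server
# should apply to a user-supplied URL before fetching it. The resolver is
# injectable so the check can run offline; the lookup table below is
# constructed, not real DNS data.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_with_dns(host: str):
    """Default resolver: every address the name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table standing in for DNS in the demo and tests.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "metadata.evil.test": ["169.254.169.254"],
}


def resolve_fake(host: str):
    return FAKE_DNS.get(host, [])


def is_internal_address(addr) -> bool:
    """Anything not globally routable: RFC 1918, loopback, link-local (cloud
    metadata lives at 169.254.169.254), unspecified, reserved, multicast."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not addr.is_global or addr.is_multicast


def is_safe_url(url: str, resolve=resolve_with_dns) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. Returns False on anything doubtful (deny by default)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed IPv6 literal and similar
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False  # http://trusted.example@10.0.0.1/ style confusion
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP (v4, v6, mapped)
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    return not any(is_internal_address(a) for a in addrs)


if __name__ == "__main__":
    for url in ["https://example.com/report.pdf",
                "http://169.254.169.254/latest/meta-data/",
                "http://intranet.corp/admin",
                "http://[::ffff:127.0.0.1]/",
                "file:///etc/passwd",
                "http://metadata.evil.test/"]:
        print(f"{is_safe_url(url, resolve=resolve_fake)!s:5}  {url}")
```

Two caveats a URL check alone does not cover. The address validated here must be the one actually connected to, otherwise a DNS rebinding attack can return a public address to the check and a private one to the fetch; and redirects must not be followed blindly, because a public host can simply answer with a 302 to the metadata endpoint, so each hop needs the same check. An egress proxy or network policy that blocks the instance metadata address outright is the defence in depth.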
Our web application security protects your site from all cyber threats. We have been safeguarding billions of online transactions across the globe. We use cyber security solutions to detect cyber risks with automated penetration testing methods. We have a certified team of virtual security experts who are well-familiar with using AI-based automated scanners.