2021 OWASP Top Ten Overview


Introduction to OWASP Top 10

Overview of OWASP and Its Purpose

  • John Wagner introduces a new video series on the OWASP Top 10, an awareness document published by the Open Web Application Security Project (OWASP).
  • The previous edition was published in 2017. The Top 10 is primarily an awareness tool, not a strict security standard.

Distinction Between Awareness Document and Standards

  • Organizations should not adopt the OWASP Top 10 as their own list of top ten risks; it is meant for general awareness, and each organization's actual risk ranking depends on its own applications and threat model.
  • Organizations that need a verifiable, testable security standard should use the Application Security Verification Standard (ASVS), also maintained by OWASP.

Methodology Behind the 2021 List

Data-Driven Approach

  • The 2021 version of the OWASP Top 10 is more data-driven than previous iterations, but it does not rely solely on data.
  • Eight of the ten categories are derived from contributed data; the remaining two come from a community survey run by OWASP.

Previous Data Collection Efforts

  • In past versions, OWASP asked contributors to report against a fixed set of roughly 30 Common Weakness Enumerations (CWEs), the weakness taxonomy managed by MITRE.
  • Contributors typically reported only against those CWEs and were not asked to suggest additional weaknesses, so anything outside that set went unrecorded.

Changes in Data Collection for 2021

Expanded CWE Focus

  • For the 2021 iteration, OWASP issued an open data call with no restriction on which CWEs could be reported, which expanded the analysis from about 30 CWEs to nearly 400.

Types of CWEs Analyzed

  • The analysis distinguishes between root-cause CWEs (e.g., cryptographic failures, misconfigurations) and symptom CWEs (e.g., sensitive data exposure), and where possible the 2021 categories are named for the root cause rather than the symptom.

Data Contributions and Analysis

Comprehensive Dataset

  • The contributed data covers more than 500,000 applications, making it the largest application security dataset OWASP has analyzed for a Top 10.

Key Factors in Generating the List

Security Risks and the Top Ten Vulnerabilities

Understanding Security Risks

  • The discussion begins with how security risks are assessed: identifying the weakness, its root-cause CWE, and its technical impact. The contributed data is mined for incidence by CWE, and exploitability and impact are estimated from the CVSS scores of CVEs mapped to those CWEs.
  • Combining incidence, exploitability, and impact gives a structured way to rank the categories and decide which belong in the top ten.

Overview of the 2021 Top Ten Vulnerabilities

  • The speaker will publish a separate video on each of the ten categories and encourages viewers to follow the series.
  • Compared with the 2017 list, three categories are new, four have been renamed or rescoped, and several 2017 categories have been consolidated into others.

The 2021 Top Ten Vulnerabilities List

  1. Broken Access Control - Now the most critical category (it was fifth in 2017).
  2. Cryptographic Failures - Second on the list; renamed from "Sensitive Data Exposure" to name the root cause (weak or missing cryptography) rather than the symptom.
  3. Injection - Dropped from first to third; cross-site scripting (XSS) now falls under this category.
  4. Insecure Design - New category covering flaws in architecture and design that a correct implementation cannot fix.
  5. Security Misconfiguration - Errors in system setup that expose the application; XML External Entities (XXE), a separate category in 2017, now belongs here.
  6. Vulnerable and Outdated Components - Previously "Using Components with Known Vulnerabilities"; stresses keeping dependencies current.
  7. Identification and Authentication Failures - Previously "Broken Authentication"; covers failures in confirming a user's identity and session.
  8. Software and Data Integrity Failures - New category for code and infrastructure that do not protect integrity, such as unverified updates, untrusted CI/CD pipelines, and insecure deserialization (a separate category in 2017).
  9. Security Logging and Monitoring Failures - Previously "Insufficient Logging & Monitoring"; gaps in detecting and responding to active breaches.
  10. Server-Side Request Forgery (SSRF) - New category added from the community survey; occurs when an application fetches a remote resource without validating the user-supplied URL, letting an attacker make the server send requests to destinations of the attacker's choosing.

Each item represents an area where organizations must focus their application security efforts, and the speaker walks through the list in the remainder of this segment.

Conclusion

Video description

#2021 #OWASP #Top #Ten Overview. What is the "top ten" and how is the list compiled? John starts this video series with an explanation of the OWASP Top Ten and how the list is made. Follow along for a video on each of the Top Ten risks!

Here's the list for 2021:
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server Side Request Forgery (SSRF)

Video 1 / 11

⬇️⬇️⬇️ JOIN THE COMMUNITY! ⬇️⬇️⬇️
DevCentral is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. Find all our platform links ⬇️ and follow our Community Evangelists! 👋
➡️ DEVCENTRAL: https://community.f5.com
➡️ YOUTUBE: https://youtube.com/devcentral
➡️ LINKEDIN: https://www.linkedin.com/showcase/f5-devcentral/
➡️ TWITTER: https://twitter.com/devcentral

Your Community Evangelists:
👋 Jason Rahm: https://www.linkedin.com/in/jrahm/ | https://twitter.com/jasonrahm
👋 Buu Lam: https://www.linkedin.com/in/buulam/ | https://twitter.com/buulam
👋 Aubrey King: https://www.linkedin.com/in/aubreyking | https://twitter.com/aubreykingf5