OWASP presents the draft Top 6 of the main threats for 2021


OWASP Top 6: Web Application Security

The Top 10 list is a widely used guide to today's web application security threats. The Open Web Application Security Project (OWASP) has released its draft Top 10 2021 list, which reveals a change in the way it ranks modern threats.

The draft report, available online (https://owasp.org/Top10/), contains important changes to the way the nonprofit categorizes current web application threats; the list had not been updated since 2017.

OWASP has updated the methodology used to generate the Top 10 list. Eight out of 10 categories are data-driven and two have been selected based on industry survey responses.

When the organization analyzes the threat information provided by cybersecurity companies, specific data factors are used to generate the Top 10 list. These include mapping software and hardware weaknesses to the Common Weakness Enumeration (CWE), the percentage of applications vulnerable to a particular CWE, and its impact on organizations.

OWASP takes into account the weighted exploit and impact averages of a vulnerability, based on CVSSv2 and CVSSv3 (Common Vulnerability Scoring System) scores, the total number of applications with a given CWE, and the total number of Common Vulnerabilities and Exposures (CVEs) attributable to a particular weakness type.

Three new categories have been included: "Insecure Design", "Software and Data Integrity Failures" and a group of "Server Side Request Forgery (SSRF)" attacks.

The 2017 "XML External Entities (XXE)" category becomes part of the 2021 "Security Misconfiguration" category. "Cross-Site Scripting (XSS)" has been folded into the "Injection" category, and "Insecure Deserialization" is now part of "Software and Data Integrity Failures".

OWASP shifts left

The inclusion of "Insecure Design" and "Software and Data Integrity Failures" shows how the software industry continues to shift left, focusing more on secure design and architecture as well as how.

"Often times, secure design and threat modeling are overlooked due to the speed of actual development. It is also important to finally see OWASP highlighting software development security and CI/CD process integration as another focus area to keep in mind," said Tom Eston, Director of Application Security Practice at Bishop Fox.

Top 6 OWASP: The Complete List


1. A01:2021 - Broken Access Control: 34 CWEs. Access control vulnerabilities include elevation of privilege, malicious URL modification, access control bypass, incorrect CORS settings, and primary key manipulation.

2. A02:2021 - Cryptographic Failures: 29 CWEs. This covers security flaws affecting data in transit or at rest, such as the use of weak cryptographic algorithms, poor or lax key generation, failure to encrypt or to verify certificates, and transmission of unencrypted data.

3. A03:2021 - Injection: 33 CWEs. Common injections affect SQL, NoSQL, LDAP and operating system commands, and can be caused by input sanitization failures, XSS vulnerabilities, and missing file path protection.

4. A04:2021 - Insecure Design: 40 CWEs. Insecure design flaws vary widely, but OWASP generally describes them as "missing or ineffective control design". Areas of concern include the lack of protection of stored data, flaws in application logic, and the display of content that reveals sensitive information.

5. A05:2021 - Security Misconfiguration: 20 CWEs. Applications can be considered vulnerable if they lack security hardening, if unnecessary features are enabled or privileges are granted too generously, if default accounts are left active, and if security features are configured incorrectly.

6. A06:2021 - Vulnerable and Outdated Components: three CWEs. This category focuses on client-side and server-side components, component maintenance failures,
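A worked illustration of the first category above, "primary key manipulation" leading to an access control bypass: an added example, not code from the original post or from OWASP. The invoice store, user names and handler names are constructed for the demonstration; the point is that the hardened handler performs an object-level ownership check, not just authentication.

```python
"""Added example: A01:2021 Broken Access Control via primary key manipulation.

A logged-in user edits the record id in a request. The vulnerable handler only
relies on authentication; the hardened handler also authorizes the object.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data store: two users, one invoice each.
INVOICES = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 990),
}


class Forbidden(Exception):
    """Raised when the session user may not access the requested object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Authenticated but never authorized: any logged-in user who changes the
    id in the request receives any invoice (insecure direct object reference)."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the record must belong to the session user.
    Unknown ids and foreign records are both denied (deny by default)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read invoice {invoice_id}")
    return invoice


def audit_access(session_user: str, invoice_id: int, handler) -> str:
    """Return 'granted' or 'denied' so both handlers can be compared on one request."""
    try:
        handler(session_user, invoice_id)
        return "granted"
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    # alice tampers with the id to request bob's invoice 102
    for handler in (get_invoice_vulnerable, get_invoice_hardened):
        print(f"{handler.__name__}: alice -> 102: {audit_access('alice', 102, handler)}")
```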
