OWASP Top 10 2021: What does it mean for AppSec and Secure Development?

Soumen Mukherjee
4 min read · Sep 11, 2021
Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010-2017%20(en).pdf

OWASP has finally published the draft OWASP Top 10 2021; this was long overdue, since the previous list was published in 2017. The new draft list is an attempt by the community to align secure development and application security practices.

Quick Overview

To begin with, the new list has 3 new entrants, 5 categories moving upwards, and 2 existing categories merged into broader-scope categories. The three new categories are ‘Insecure Design’, ‘Software and Data Integrity Failures’, and a group for ‘Server-Side Request Forgery (SSRF)’ attacks. The 2017 ‘XXE’ category has been merged into 2021’s Security Misconfiguration category, ‘XSS’ has been folded into the Injection category, and ‘Insecure Deserialization’ is now part of ‘Software and Data Integrity Failures’.

Source: https://owasp.org/Top10/

The Thought Process

If you read through the peer review page at owasp.org, you realize the sheer volume of effort that has gone into this list. It describes the two-pronged process that was followed to categorize and rank the list and, interestingly, emphasizes that the list is more data-driven than before, but not blindly data-driven. Out of the ten categories, eight were selected based on the collected data, while two were shortlisted based on a high-level survey done in the industry.

App Sec and Secure Development

Going under the skin of the 2021 OWASP Top 10 (draft) list, it is evident that it is an effort to align application security practices with secure development practices. Secure development practices have so far been adopted on a best-effort basis by various software and product development organizations. They go by other names such as Secure SDLC, Shift Left Strategy, or Secure Design and Development, but essentially all of them talk about employing controls at each stage of development, and each control is somehow aligned to the OWASP Top 10. As an example, for organizations employing SAST with static source code analysis tools, the tools are essentially evaluating the code against the vulnerability classes defined in the OWASP Top 10; similarly, incorporating DAST during the testing phase benchmarks the running software against the security issues defined in the OWASP Top 10.

Incorporating the category of Insecure Design now extends the OWASP Top 10 to the design phase of software product development, in which practices like security design review, threat modeling and risk assessment become key steps towards mitigating the risks associated with insecure design.

As already mentioned, activities like security design review and threat modeling were done primarily on a best-effort basis (and skipped at times); the focus was more on running the developed product through controls like SAST, DAST and OSS vulnerability scans and evaluating the findings against the OWASP Top 10. Now, with the introduction of A04:2021 Insecure Design, these steps become critical to identifying and subsequently mitigating the risks associated with an insecure design.

For organizations to adopt this, they will need to put a working group in place that includes the Product Security Architect, the Security Champion and other key members of the product development team, such as architects, data engineers and lead implementers. This working group is expected to undertake threat modeling or security design review activities and provide the necessary inputs to the product or solution stakeholders (clients, product managers and product owners) so that they understand the risks associated with any insecurity in the design. Together they then identify the associated risk level, the required or possible mitigations, and the residual risk. These parameters eventually allow the stakeholders to take a well-informed decision.
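As an added illustration of the outputs such a working group produces (a risk level per design threat, the mitigations proposed, and the residual risk that goes to the stakeholders), here is a small risk register in Python. This is example code written for this article, not code from OWASP or from the author; the 1-5 likelihood and impact scales, the score bands behind the risk levels, the "accepted" risk threshold, the category labels beyond A04:2021 and the three sample threats are all constructed assumptions.

```python
"""Lightweight risk register for an Insecure Design review.

Added example, not from the original article. The 1-5 likelihood and
impact scales, the score bands, the accepted-risk threshold and the
sample threats are constructed assumptions; real teams substitute the
rating scheme they have agreed on.
"""
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    description: str
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood scale
    impact_reduction: int = 0      # points taken off the 1-5 impact scale


@dataclass
class Threat:
    title: str
    owasp_category: str            # e.g. "A04:2021 Insecure Design"
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    mitigations: list = field(default_factory=list)


LEVEL_ORDER = ["low", "medium", "high", "critical"]


def clamp(value: int) -> int:
    """Keep a rating inside the assumed 1-5 scale after reductions."""
    return max(1, min(5, value))


def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (1..25) onto four levels; bands are assumptions."""
    score = clamp(likelihood) * clamp(impact)
    if score >= 16:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def inherent_risk(threat: Threat) -> str:
    """Risk before any mitigation is applied."""
    return risk_level(threat.likelihood, threat.impact)


def residual_scores(threat: Threat) -> tuple:
    """Ratings left after all proposed mitigations are applied."""
    likelihood = threat.likelihood - sum(m.likelihood_reduction for m in threat.mitigations)
    impact = threat.impact - sum(m.impact_reduction for m in threat.mitigations)
    return clamp(likelihood), clamp(impact)


def residual_risk(threat: Threat) -> str:
    """Risk that remains for the stakeholders to accept or push back on."""
    return risk_level(*residual_scores(threat))


def needs_decision(threat: Threat, accepted: str = "medium") -> bool:
    """True when residual risk exceeds the level the organization accepts by default."""
    return LEVEL_ORDER.index(residual_risk(threat)) > LEVEL_ORDER.index(accepted)


def review_summary(threats: list, accepted: str = "medium") -> list:
    """One row per threat: what the working group hands to product stakeholders."""
    return [
        {
            "title": t.title,
            "category": t.owasp_category,
            "inherent": inherent_risk(t),
            "residual": residual_risk(t),
            "mitigations": [m.description for m in t.mitigations],
            "decision_required": needs_decision(t, accepted),
        }
        for t in threats
    ]


# Constructed sample findings from a hypothetical design review.
SAMPLE_THREATS = [
    Threat("Password reset flow trusts a client-supplied account id",
           "A04:2021 Insecure Design", likelihood=4, impact=5,
           mitigations=[Mitigation("Bind reset token to the server-side account and session",
                                   likelihood_reduction=3)]),
    Threat("Internal service fetches URLs taken from user input",
           "Server-Side Request Forgery (SSRF)", likelihood=3, impact=4,
           mitigations=[Mitigation("Allow-list of outbound hosts and block internal ranges",
                                   likelihood_reduction=1, impact_reduction=1)]),
    Threat("Build pipeline pulls unpinned third-party packages",
           "Software and Data Integrity Failures", likelihood=3, impact=4),
]

if __name__ == "__main__":
    for row in review_summary(SAMPLE_THREATS):
        flag = "DECISION REQUIRED" if row["decision_required"] else "within accepted risk"
        print(f'{row["inherent"]:>8} -> {row["residual"]:<8} {flag}: {row["title"]}')
```

Running the module prints one line per threat showing inherent and residual risk and whether the stakeholders must make an explicit decision; the unmitigated supply-chain finding is the only one that stays above the assumed accepted level. Swapping the bands, scale or threshold for the organization's own scheme changes only the three constants, not the review flow.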

Conclusion

The threat landscape is changing rapidly, with groups of state-sponsored actors and professional hackers working in tandem to break systems apart. The thought process behind the new draft OWASP Top 10 2021 is a very good step towards an equally evolving security landscape, where the focus shifts from identification (and subsequent mitigation) to pre-emptive prevention of security flaws by means of strong and secure product design, with an equal focus on aligning AppSec and secure development activities in software design and development.
