6 Takeaways From the Changes in OWASP’s Top 10 Vulnerability Ranking


The last update to the OWASP Top 10 Vulnerability Ranking was in late 2017. Much has changed in the cyber threat landscape since then. A fresh round of updates to reflect the kind of risks and new cyber attacks organizations are dealing with appears to be in order.

In September this year, the update happened as the nonprofit Open Web Application Security Project refreshed the content of the OWASP Top 10 2021 website. The updated content greets visitors with a new graphic design and notes about the changes. A comparison of the 2017 and 2021 Top 10 sequential listing is also provided.

Presented below is a rundown of the most important points and inferences from the update made in the OWASP Top 10. There are crucial changes that depict the shift in priorities organizations should consider as they come up with their cybersecurity strategies.

Broken Access Control topping the list

The OWASP Top 10 update brings Broken Access Control to the top from its previous position of fifth. It is now regarded as the most serious web application security risk, based on the data contributed to OWASP’s threat intelligence, which shows that 3.81 percent of apps tested had at least one Common Weakness Enumeration (CWE). These details are in line with the notable rise of application security solutions, including Runtime Application Self-Protection (RASP).

Application security defenses are crucial in addressing evolving and more aggressive CWEs. RASP, in particular, stands out for its potential to secure applications from within. It reduces app risks by plugging vulnerabilities and preventing bad actors from getting the opportunity to penetrate IT resources through security weaknesses. It is also remarkable for securing applications wherever they may be.

With more than 600 categories, the number of CWEs is quite hefty. These include buffer overflows, race conditions, hard-coded passwords, directory tree traversal errors, random numbers that are not exactly random and are thus regarded as insecure, as well as cross-site scripting (XSS), among others.

With the exponentially growing number of mobile devices, it is inevitable that the number of CWEs will increase as more programs or apps are developed for these devices. The complexity and sheer volume of problems are also elevated, so it wouldn’t come as a surprise for OWASP to consider Broken Access Control as the leading

Cryptographic failures moving a notch up

The list now has an entry called A02:2021 – Cryptographic Failures, a name that does not appear in the previous list. It is actually the new name for A03:2017 – Sensitive Data Exposure. The previous term was deemed more of a broad symptom than a root cause. The new name sets a finer focus, especially with the growing adoption of crypto assets and blockchain technology.

The increasing use of bitcoin and other cryptography-based digital assets is said to have reached the fourth stage of adoption, which is acceptance. With more users relying on cryptography, it makes complete sense to pay more attention to cryptographic failures and how to address them.

The Rise of Insecure Design

Another important detail to point out is the debut of the new category officially named A04:2021 – Insecure Design. It is listed fourth just above the Security Misconfiguration category. “If we genuinely want to ‘move left’ as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks,” writes the note on the updated list.

This is an important update given how many organizations maintain the unwanted habit of releasing software without ascertaining its security. A study released last year shows that almost 5 in every 10 organizations knowingly push vulnerable software. Without conducting, or without finishing, a full security validation process, they proceed to make apps or software available to end users because of strict deadlines and the belated discovery of the vulnerabilities.

Failure to patch vulnerable and outdated components

Another climber in the new OWASP list is Vulnerable and Outdated Components. From ninth, it now takes the sixth spot. This is disappointing given how easy it now is to update software over significantly faster internet connections. Many organizations continue to struggle with this cyber threat because of bad or nonexistent software maintenance policies.

However, it is also interesting to see this development given how many organizations are already shifting to cloud solutions. Many already use web-based applications, which inherently do not require maintenance and updating on the user’s side since the service provider is supposedly responsible for these. It could mean that OWASP sees problems in the way cloud solution or web app providers deal with their vulnerable software and outdated components.

Such providers may not always be in tune with the latest cyber threats, so it is important for organizations to also do security testing on their own and keep up to date with the most recent threat intelligence to reduce their likelihood of suffering the serious consequences of cyber attacks.

Impact of standardized frameworks for threat identification

The update also includes a new category called A07:2021 – Identification and Authentication Failures. As the name suggests, it is seventh on the list. It is not an entirely new category, as it is essentially a renaming of A02:2017 – Broken Authentication, which was previously second on the list. The renamed category is said to include additional CWEs that pertain to threat identification issues.

This “downgrading” shows that the use of guidelines or frameworks for threat identification and mitigation is working. “This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping,” the updated OWASP Top 10 note writes.

The potent threat of SSRF

Tenth on the list is an entirely new category called A10:2021 – Server-Side Request Forgery (SSRF). It is not yet that serious a concern because of its relatively low incidence rate and a testing coverage that is just above average. The researchers also regard its exploit and impact potential as above average. However, it makes the list because of the serious risks it poses.

“This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time,” the OWASP team writes. This new category also emerges as it is number one on the Top 10 community survey conducted by OWASP.

Changing cyber threat landscape

Change is indubitably constant, and this reality is demonstrated in the threats affecting cyberspace. The changes are not necessarily an aggravation of existing cyber attack tactics and techniques. There are cases when certain threats are downgraded because of the introduction of successful interventions. However, taking the place of these lower-severity threats are new problems that organizations need to pay more attention to, and for which they should consider implementing new controls to ensure effective identification, mitigation, and prevention.