What changed with the 2017 OWASP Top 10?
3 Emerging IT Security Risks
With the rise of the digital age, computers have become responsible for more critical actions than ever before, and infiltration by malicious actors has become far more than a mere inconvenience. As a result, IT security has grown into a major industry. Software vendors, operating system developers included, regularly release patches and accompanying security bulletins, and independent organizations such as OWASP publish guidance on which risks matter most.
Today, we are going to look at some of the latest threats as put forth by OWASP.
OWASP's Top 10 for 2017
OWASP, or the Open Web Application Security Project, is a worldwide non-profit organization dedicated to software security. As a public service, OWASP maintains the Top 10, a ranked list of the most critical web application security risk categories. The 2017 edition was compiled from vulnerability data contributed by security firms and consultancies covering well over a hundred thousand applications, supplemented by a survey of industry practitioners (two of the ten entries were selected on the strength of that survey). OWASP's projects, documentation and tools are free and open, and its chapters and contributors work with businesses and governments around the world to assess and reduce application security risk.
Given its broad background and membership, OWASP's Top Ten list represents a global perspective on the application security risks that matter most. As with most security bulletins, this list provides IT professionals with critical insight into the current state of affairs. The last time OWASP published a top ten list was in 2013; the 2017 list adds a few new risks to the 2013 list while edging a few others aside to make room.
Here are the three new threats OWASP has added to the list for 2017.
1. XML External Entities
Coming in at number four, XML External Entities (XXE) is an easy class of flaw to overlook because it lives in the XML parser rather than in the application's own code. An XML document may carry a DOCTYPE that declares an entity whose content is fetched from an external URI, and many older or default-configured XML processors resolve such references while parsing. An attacker who can get the server to parse XML they control (an upload, a SOAP or REST request body, an imported configuration) therefore declares an entity pointing at a local file such as file:///etc/passwd, an internal URL or a network share, references it in the document, and has the server read that resource on their behalf. The usual results are disclosure of local files and internal services, server-side request forgery against systems behind the firewall, and denial of service through recursive entity expansion. The behaviour dates from a time when XML was exchanged between trusted systems onsite, not accepted from the open internet. Solution: disable DTD and external entity processing in every XML parser the application uses, patch or upgrade XML processors and libraries, and prefer simpler data formats such as JSON for untrusted input. This matters most wherever XML files are uploaded from untrusted sources.
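The following is an added example, not code from the original article or from OWASP. It uses only the Python standard library's xml.sax parser to show the same document parsed three ways: by a parser that resolves external entities (the vulnerable configuration), by one with that feature switched off, and by a hardened parser that refuses any DOCTYPE at all. The secret file it reads is created by the script itself in a temporary directory; the file path, element names and entity name are all constructed for the demo.

```python
"""XXE: vulnerable versus hardened parsing with xml.sax (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser reports, i.e. what the app would use."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RejectDTD:
    """Lexical handler that aborts parsing as soon as a DOCTYPE appears.

    No DTD means no entity declarations at all, external or internal, which also
    closes the door on entity-expansion denial of service ("billion laughs").
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")

    # The remaining lexical-handler callbacks are not interesting here.
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def xxe_payload(target_path: str) -> bytes:
    """Classic XXE document: declare an entity backed by a local file and reference
    it where the application expects ordinary text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<order><note>&xxe;</note></order>"
    ).encode()


def parse_legacy(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse as a legacy or misconfigured processor would.

    resolve_external=True makes the parser fetch SYSTEM entities (the vulnerable
    behaviour); False is the first fix: the reference then expands to nothing.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened parse: external entities off AND any DTD rejected outright."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def run_demo() -> dict:
    """Creates a throwaway secret file and runs the payload through all three parsers."""
    secret_path = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(secret_path, "w") as f:
        f.write("TOP-SECRET")  # constructed content standing in for /etc/passwd
    payload = xxe_payload(secret_path)
    leaked = parse_legacy(payload, resolve_external=True)
    silenced = parse_legacy(payload, resolve_external=False)
    try:
        parse_hardened(payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked": "TOP-SECRET" in leaked,       # vulnerable parser handed the file to the app
        "silenced": "TOP-SECRET" not in silenced,
        "rejected": rejected,                   # hardened parser refused the document
        "clean_ok": parse_hardened(b"<order><note>hello</note></order>") == "hello",
    }


if __name__ == "__main__":
    print(run_demo())
```

Turning off external general entities is the minimum fix; rejecting the DOCTYPE entirely is the stronger one, because it also removes internal entity expansion attacks, and it costs nothing for application data that never legitimately carries a DTD. The same two knobs exist under different names in every mainstream parser (for example disallow-doctype-decl and external-general-entities in Java's SAX/DOM features).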
2. Insecure Deserialization
At number eight on the revised list, insecure deserialization is a tricky flaw to exploit, but a successful exploit can be catastrophic, because it frequently lets an attacker run their own code on your servers. Many applications serialize objects (sessions, cached state, messages between services) into a compact byte stream and later deserialize that stream back into live objects. When the byte stream comes from the user and the deserialization library trusts it to name which classes to instantiate and which code to run while rebuilding them, a crafted stream can invoke arbitrary code during reconstruction; even without code execution, tampering with a serialized session token or access-control object lets an attacker change their identity or privileges. Solution: do not deserialize data from untrusted sources at all; prefer data-only formats such as JSON with strict schema validation. Where native deserialization of untrusted input cannot be avoided, enforce integrity checks such as a digital signature or HMAC on the serialized data so that tampered blobs are rejected before they are parsed, restrict deserialization to an allow-list of expected types, run it in a low-privilege isolated environment, and log and alert on deserialization failures.
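The following is an added example, not code from the original article or from OWASP. It uses Python's pickle, whose format lets the sender name any importable function to be called during deserialization, to show the vulnerable pattern, a type allow-list mitigation, and the preferred design of a data-only format protected by an HMAC. The attacker payload only sets an environment variable as a visible, harmless stand-in for the shell command a real exploit would run; the key, the allow-list and the session layout are constructed for the demo.

```python
"""Insecure deserialization: vulnerable versus hardened (added example)."""
import hashlib
import hmac
import io
import json
import os
import pickle

MARKER = "PICKLE_RCE_MARKER"  # harmless stand-in for the effect of a real payload


class Malicious:
    """Attacker-controlled class. pickle asks an object how to rebuild itself and the
    answer is "call this function with these arguments": any importable function."""

    def __reduce__(self):
        # A real payload would return (os.system, ("<reverse shell command>",)).
        return (exec, (f"import os; os.environ['{MARKER}'] = 'executed'",))


def attacker_blob() -> bytes:
    """Serialized bytes as an attacker would submit them (cookie, queue message, upload)."""
    return pickle.dumps(Malicious())


def vulnerable_load(blob: bytes):
    """pickle.loads on untrusted bytes: the payload has run before this returns."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when pickle cannot be removed: allow-list the types that may be built."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}  # hypothetical list

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def sign(obj: dict, key: bytes) -> bytes:
    """Preferred design: data-only JSON plus an HMAC, so only blobs we produced are
    accepted. Layout used here: hex(tag) '.' json-body."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def load_verified(blob: bytes, key: bytes) -> dict:
    """Verify integrity first (constant-time compare), then parse, then enforce shape."""
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob was not produced with our key")
    obj = json.loads(body)
    if not (isinstance(obj, dict)
            and isinstance(obj.get("user_id"), int)
            and obj.get("role") in {"user", "admin"}):
        raise ValueError("unexpected object shape")
    return obj


def run_demo() -> dict:
    key = b"constructed-demo-key"
    blob = attacker_blob()

    os.environ.pop(MARKER, None)
    vulnerable_load(blob)
    executed = os.environ.get(MARKER) == "executed"

    os.environ.pop(MARKER, None)
    try:
        restricted_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = MARKER not in os.environ

    session = sign({"user_id": 42, "role": "user"}, key)
    tampered = session.replace(b'"role":"user"', b'"role":"admin"')  # privilege escalation attempt
    try:
        load_verified(tampered, key)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "pickle_executed_payload": executed,
        "restricted_blocked_payload": blocked,
        "signed_roundtrip": load_verified(session, key)["user_id"] == 42,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Note the order in load_verified: the MAC is checked before json.loads ever sees the bytes, so a parser bug cannot be reached with unauthenticated input, and the shape check runs after parsing so that a valid signature over the wrong kind of object is still refused. The allow-list unpickler is a fallback for legacy code paths, not a substitute: every type on the list is a type whose reconstruction an attacker can trigger.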
3. Insufficient Logging and Monitoring
It is one of IT security's open secrets that most breaches are discovered late, if at all: OWASP notes that breach studies put the typical time to detect an intrusion at over 200 days, and that the discovery usually comes from an outside party rather than from the victim's own monitoring. Because logging and monitoring carry some overhead, far too many deployments neglect them. Auditable events such as logins, failed logins and high-value transactions are never recorded; warnings and errors produce no log entry, or an unclear one; logs are held only on individual machines, where an intruder can alter or delete them, with no central collection; and even where logs are collected, nobody watches them and no alerting distinguishes the mundane from the truly alarming, so a password-guessing or credential-stuffing attack looks like a string of routine failed logins. Solution: log every authentication, access-control and input-validation failure with enough context (who, what, when, from where) to identify suspicious accounts, ship logs to a central, tamper-resistant store, and define alerting thresholds and an incident response plan so that suspicious activity reaches the right people in time to act. Setting this up is a job for a trusted professional who knows the current threat landscape and can provide an objective needs assessment.
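The following is an added example, not code from the original article or from OWASP. It shows the kind of alerting rule the paragraph above calls for, run over a handful of constructed authentication log lines: a sliding-window count of failed logins per source address, a medium-severity alert when a source crosses the threshold, and a high-severity alert when that same source then logs in successfully (the signature of an attack that worked). The line format, the threshold, the window and the addresses are all assumptions made for the demo.

```python
"""Failed-login burst detection over sample auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format below is an assumption, not a real product's.
# One line is deliberately malformed: unparseable log lines are themselves a signal.
SAMPLE_LOG = """\
2017-11-20T10:00:01Z auth result=fail user=alice src=203.0.113.7
2017-11-20T10:00:03Z auth result=fail user=bob src=203.0.113.7
2017-11-20T10:00:05Z auth result=fail user=carol src=198.51.100.9
2017-11-20T10:00:06Z auth result=fail user=carol src=203.0.113.7
2017-11-20T10:00:08Z auth result=fail user=dave src=203.0.113.7
2017-11-20T10:00:10Z auth result=fail user=erin src=203.0.113.7
2017-11-20T10:00:11Z auth reslt=fail user=?? src=203.0.113.7
2017-11-20T10:00:12Z auth result=fail user=carol src=198.51.100.9
2017-11-20T10:00:15Z auth result=success user=bob src=203.0.113.7
2017-11-20T10:05:00Z auth result=success user=carol src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"result=(?P<result>fail|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Returns an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=1)) -> dict:
    """Sliding-window failed-login detector.

    Emits one 'failed_login_burst' alert per source when it reaches `threshold`
    failures inside `window`, and a 'success_after_burst' alert if that source then
    authenticates successfully while its burst is still inside the window.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    burst_sources = set()          # sources already alerted on, to avoid alert storms
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()            # forget failures older than the window
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_sources:
                burst_sources.add(ev["src"])
                alerts.append({"kind": "failed_login_burst", "severity": "medium",
                               "src": ev["src"], "count": len(q), "at": ev["ts"]})
        elif ev["src"] in burst_sources and q:
            # A success from a source that was just guessing passwords: act now.
            alerts.append({"kind": "success_after_burst", "severity": "high",
                           "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
    return {"alerts": alerts, "unparsed_lines": unparsed}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines())["alerts"]:
        print(alert)
```

Each alert carries the who, what, when and from where that an analyst needs, and the two severities map naturally onto the two responses the paragraph describes: a burst alone is worth a ticket, a success after a burst is worth waking someone up. The unparsed-line count is reported rather than silently dropped because a sudden rise in it usually means the application or the log pipeline has changed underneath the monitoring.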
Our take on it
In addition to these three new entries, the remaining seven items on the list continue to represent risks that certainly merit attention. For example, risk 5, Broken Access Control, merges two risks from the 2013 list: Insecure Direct Object References and Missing Function Level Access Control. Broken Access Control covers any case in which users can view or modify data, or invoke functions, that their permissions should not allow, such as changing an account identifier in a URL to read someone else's record or calling an administrative endpoint without being an administrator. Merging the two items reflects that they are the same underlying failure, a missing server-side authorization check, seen from the data side and from the function side.
Two items, Cross-Site Request Forgery (CSRF) and Unvalidated Redirects and Forwards, were dropped from the list: CSRF because most modern frameworks now include built-in defenses and it was found in only about 5% of applications, and Unvalidated Redirects and Forwards because, at roughly 8% of applications, it was edged out by XML External Entities. Even a few percent of applications is a noteworthy population, so neither flaw should be ignored just because it no longer holds a top ten spot.
Injection and Broken Authentication remain at the top of the list. Third, just ahead of XML External Entities, is Sensitive Data Exposure, which has moved up from sixth place. The risk here is not only that third parties obtain data they should never see, such as customer financial information, health records and credentials, but that the application fails to protect that data in the first place: storing or transmitting it in clear text, relying on weak or outdated cryptographic algorithms, or mishandling keys and certificates.
The OWASP Top Ten List continues to provide IT professionals with a global perspective on security concerns of interest to the IT community as a whole. Schedule a consultation with our team to learn more! Our compliance experts can provide industry insights and technological solutions that can keep your business safe.