OWASP updates its Top 10 web application security risks to include 3 new categories. Consider fixing these application issues

In its latest update, the Open Web Application Security Project (OWASP) announced the inclusion of three new categories to its list of top security risks that could put all kinds of web applications at critical risk. In this way, the non-profit project seeks to strengthen the security measures of web administrators.

Below we will review the changes implemented by OWASP, which will allow developers to apply the most advanced protections for their systems and projects.

Insecure design

This represents a bold move by OWASP and its members, who have traditionally focused more on earlier stages of application development. OWASP suggests that considerable improvements in security require a greater focus on the planning and design phases, especially considering that design errors cannot be addressed with software updates.

The researchers believe that improvements in the design process would positively impact other categories of the Top 10 OWASP, considerably reducing the occurrence of specific security issues.

Software and data integrity failures

This category is directly related to insecure design and involves any problems related to the use of code and infrastructure unable to adequately protect information and operating software. The use of unverified or insecure plugins, libraries or modules (Log4j, for example), are considered software and data integrity flaws.

OWASP recommends that developers verify that all software used has a verification signature, thus ensuring that they are secure tools that will not create problems in the long run.

Server-Side Request Forgery (SSRF)

While this is not a novel attack vector, researchers still consider these to be critical and concerning issues for developers. The most recent OWASP survey has revealed that this is the top security fear for modern web application developers.

To mitigate SSRF attacks, OWASP recommends minimizing the type, scope, and number of requests an application can make, although this is only a start and additional network-level security measures are required, including:

  • Use firewall to restrict host connections
  • Use of communications whitelist
  • Cross-host authentication
  • Record of all flows for monitoring

On the other hand, at the application level, measures such as:

  • Define and enforce strict URL communication protocols for all applications
  • Disable HTTP redirection to prevent whitelist evasion
  • Disinfection and validation of all client-side input data

A more comprehensive report is available on OWASP’s official platforms.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.