OWASP Top 10 - 2021

OWASP Top 10 - 2021

This post is as much as an internal sit-rep as it is one for others to witness, share and challenge, I'm trying to understand the Top10's value eleven years on, the current top10 (2021) is in draft and open for comment, I've put my comments here, as well as the opening to this conversation on github

This post is as much as an internal sit-rep as it is one for others to witness, share and challenge, I'm trying to understand the Top10's value eleven years on, the current top10 (2021) is in draft and open for comment, I've put my comments here, as well as the opening to this conversation on github

Looking over the list I can see a few different maturities in play that are a natural progression on those that have taken the time to be a part of OWASP - something I've failed to do, other than being a bit of a backseat driver.

If we abandon technical attack visibility as a Top10 capture (and we have, aside from SSRF in 2021) we are left with a set of broad architectural principles, and I'm okay with that if that's the direction of travel, but there needs to be a conversation about that and the language we use, why we use it and guide rails so readers are on the same page, it would be great if MITRE and OWASP could find a means to both support one schema to rule them all (evil laugh ?).

I can see why the Top10 is morphing into security architecture but I feel it is a bit of scope creep on the Top10, here's why...

Let's pull bug classes into the 'Cause' category and the 'Effect' is an outcome, we could agree that XSS allowed an attacker to steal the user's data, or SQL Injection bug was exploited allowing an attacker to steal a copy database, that's how I see cause and effect, Cause (bug class) effect (unwanted outcome)  - If you wanted to be super pedantic you might argue the parser or the code, or the compiler or the CPU is the root of it all, if you're that person, pop round for a free 5-minute hug (no eye contact). - you're not wrong, but ... not now.

If you're on the same page as me re: cause and effect, you'll have a hard time with most of the issues presented in OWASP top10 (listing effects) aside from SSRF (a cause)

So, if we have moved away from causes... okay, but let's have that conversation. I'm a big fan of the ASVS project it's free and you are not the product, the amount of time you spend wondering if you should read it, you could have read it, so ... go read it, make people read it. align to it, embed it, print it out and kiss it.

The reason I mention the ASVS project is that if the Top10 has shifted left into architectural principles, then it really needs to be 'ASVS-Lite'  it's a perfect opportunity for the top10 to have a coming of age party, to move away from listing the technical causes, to the preventative practices that promote good architecture and more resilient apps, they've pretty much done that in 2021 but there hasn't been much of a conversation on how it's matured and what we should expect, so if you have an ASVS-Lite (top10) and the ASVS ... you really want people on ASVS.

The best thing that the Top10 has going for it aside from its author's commitment to improving Appsec globally is its reputation, many non-technical leaders still expect their stuff to be 'top10 proof' many of us have had requests to 'test for OWASP top10' style security assessments, actually they need to be tested against the OWASP Testing Guide! another great project, but that's usually a little too late from a security architecture perspective.

If I had my way, ASVS would be the champion, Testing guide for security assurance testing and validation, and the Top10 to focus on readiness rather than a measurement of failures.

If the top10 was to persist as a list i'd want it to be something like this:

A) Issue > effect > technical defence > policy control

If it wanted to be more left something like this:

B) technical defence > policy control || Issue > effect

The A) Above would be an ideal Top10 for the 'old spirit' of the top10, I think, but I don't get that from the OWASP Top10's of recent, it's a blend of a few things, but it's clear rounding up has become more of a theme, B) from above would be a good change of direction.

We don't get that, taking in mind how I feel about cause and effect, then think about the logical journey for each item to start and finish with a considered set of phases, (A and B in the paragraph above) it's harder to make sense of the Top10 list.

Have a look...

Top10 over the decade+

2010 2013 2017 2021
A1) Injection A1) Injection A1) Injection A1) Broken Access Control
A2) Cross-Site Scripting A2) Broken Authentication and Session Management A2) Broken Authentication A2) Cryptographic Failures
A3) Broken Authentication and Session Management A3) Cross-Site Scripting A3) Sensitive Data Exposure A3) Injection
A4) Insecure Direct Object References A4) Insecure Direct Object References A4) XML External Entities A4) Insecure Design
A5) Cross-Site Request Forgery A5) Security Misconfiguration A5) Broken Access Control A5) Security Misconfiguration
A6) Security Misconfiguration A6) Sensitive Data Exposure A6) Security Misconfiguration A6) Vulnerable and Outdated Components
A7) Insecure Cryptographic Storage A7) Missing Function Level Access Control A7) Cross-Site Scripting A7) Identification and Authentication Failures
A8) Failure to Restrict URL Access A8) Cross-Site Request Forgery (CSRF) A8) Insecure Deserialization A8) Software and Data Integrity Failures
A9) Insufficient Transport Layer Protection A9) Using Components with Known Vulnerabilities A9) Using Components With Known Vulnerabilities A9) Security Logging and Monitoring Failures
A10) Unvalidated Redirects and Forwards A10) Unvalidated Redirects and Forwards A10) Insufficient Logging and Monitoring A10) Server-Side Request Forgery

If we could pull the authors of 2018 OWASP Proactive controls and Top10 together and let that output act as a gateway to ASVS  under the banner of the top10 there is an opportunity to use the Top10's fantastic reputation to shine a light on the right way to security architect or mature your SSDLC by way of  ASVS and it would be the best gift for all.

The OWASP Top 10 2021 is now out of draft, the github issue highlighting my concerns has had no response until a night before it's publication citing appreciation for the feedback and issue closed. here