The OWASP Top 10 2021 is out, and it brings a lot of changes. Some of these are obvious just by looking at the elements, but others show a further shift in focus for the Top 10 itself. The list has been undergoing a gradual reform that started in 2017 when they’ve set in stone the methodology and opened towards DevOps. Let’s see how this evolution continues in 2021.
The Top 10 – published by the Open Web Application Security Project community every three, occasionally four years – is probably the single best-recognized document in the world when it comes to software security. It distills the current state of web application security into an easily-digestible list of 10 issues that are useful to web application developers as well as security experts. For more insight on these topics, check out our articles on the OWASP Top 10 in general as well as the Open Web Application Security Project as a whole.
But of course, a top 10 list can never be complete. As newer versions of the Top 10 are released, they show a continuing tug-of-war between two different mindsets: should the Top 10 be ‘just’ a list of 10 concrete software vulnerabilities, or should it be a broad, all-encompassing list of security problems or threats?
Let’s take a look at the latest changes and what they mean for the future.
OWASP published the new OWASP Top 10 2021 on the 24th of September 2021. They modernized the presentation compared to the 2017 edition. Instead of a PDF, it is now a single web page with sub-pages for each entry; this also potentially makes it a living document, though we don’t expect the actual entries to change substantially. Let’s look at the new Top 10 through the mapping image from the document:
The OWASP Top 10 2021 has undergone some massive changes. Only 5 of the 10 categories from the 2017 Top 10 have survived, the other 5 are either new (like SSRF and Insecure Design), or a recombination of earlier Top 10 categories (such as Injection now encompassing Cross-Site Scripting as well). Let’s look at each entry in detail!
Since many of these categories are rather broad, some vulnerabilities can potentially belong to multiple of them. For instance, we could argue that SSRF was implicitly in the list already – since it’s a subclass of the ‘Confused Deputy’ weakness, which itself is a failure of access control. Similarly, Cross-Site Request Forgery (CSRF) and its more modern counterparts such as clickjacking can be considered either ‘confused deputy’ problems (and thus now belonging to A01), or session handling issues (and thus belonging to A07). For another example, OWASP Dependency Check is mentioned both in A06:2021 in the context of dealing with vulnerabilities in third-party components, and in A08:2021 in the context of protecting the software supply chain; which is of course OK.
At first, the new Top 10 may look daunting to those of us who were familiar with the 2017 iteration. Many familiar entries are gone or have been replaced with entries that sound more generic. But underneath it all, the old vulnerabilities are still there… you may have to dig for them.
One major change with the list is a stronger connection to the Common Weakness Enumeration (CWE) database. Most of the categories now refer to multiple weaknesses (the only exceptions are A06 and A10). In fact, after removing the two self-referential CWE entries (namely, two CWEs in A06: CWE-937 OWASP Top 10 2013: Using Components with Known Vulnerabilities and CWE-1035 2017 Top 10 A9: Using Components with Known Vulnerabilities), we can see that the OWASP Top 10 2021 actually covers 193 distinct weaknesses.
Of course, CWE granularity is not uniform: a category can contain both broad CWE entries like CWE-2 Environment, as well as highly technology-specific ones such as CWE-1174 ASP.NET Misconfiguration: Improper Model Validation. Similarly, the number of CWEs is not necessarily proportional with severity. For instance, A01 contains three CWEs that all cover various aspects of path traversal (a comparatively small part of the category), while A06 – after removing the aforementioned self-references – contains only one CWE (CWE-1104 Use of Unmaintained Third Party Components) –that single entry however represents a very significant part of the system’s attack surface. All this still gives us a good sense of scope, and an important realization: each Top 10 tries to include more and more weaknesses and threats than those in the previous iterations.
What this means is that when we talk about the OWASP Top 10 2021, we are talking about 193 issues, not just 10. Of course, earlier Top 10s contained CWE references as well, but the scale is very different this time. In 2017, there was a total of 24 CWEs referenced in the top 10 – compared to that, 193 is a huge increase!
The wording of the new Top 10 helps clarify this shift in focus as well. While the Top 10’s full title is Top 10 Web Application Security Risks, this is the first iteration where the items on the Top 10 are explicitly called ‘categories’ instead of ‘entries’, ‘risks’, ‘issues’, or even ‘vulnerabilities’. There are only two clear exceptions: Injection (a longtime mainstay of the Top 10) and the new Server-Side Request Forgery or SSRF – which is a specific vulnerability that was chosen based on the community survey.
The new approach has understandably generated some apprehension from security experts. They claim that the new categories are much less specific and are generally moving towards broad concepts instead of concrete problems with code. This is generally harder to translate into direct instructions for developers. Daniel Miessler, an OWASP member and leader of the Top 10 IoT project, has noted in an analysis of the new Top 10 that the list doesn’t have a clear identity – many of the entries are broad categories, but individual vulnerabilities like SSRF are still being represented as well.
Another good analysis from John Carroll aka @yosignals (posted in the Top 10 Github repository) highlights that the new Top 10 deals much more with consequences rather than root causes. While it actually does deal with root causes through the individual CWEs, most people who look at the Top 10 will not look as deep. Both analyses point out that Insecure Design, in particular, is hard to grasp – it is such a high-level issue that it arguably encompasses everything else on the Top 10.
OWASP Top 10 is gradually becoming a “list of everything”, which can limit its direct usefulness to developers. The previous iterations always drew developers’ attention to certain issues that were the most common problems at the time. This “feature” was on one hand beneficial, as it always indicated the low hanging fruit to deal with for a start. On the other hand, this also carried the risk of comprehending the list as a kind of compliance schema, which Top 10 has never been: for many developers it was unfortunately THE journey through software security, and not just the starting point. And that was bad.
In a similar way, the vagueness of some of the categories in OWASP Top 10 2021 can be challenging for the security industry as well. It is obviously much harder to write a tool (or design a security evaluation methodology) that can detect insecure design than one that can test for XXE or Cross-site scripting. As a consequence of this, we expect to see that the Top Ten will fade as the main drive for businesses, as it was for a decade or so.
But we at Cydrill believe that this new approach to the Top 10 is definitely beneficial from an education standpoint. The new comprehensive categories now provide a better coverage of many important aspects of secure software development that the earlier iterations of the Top 10 did not emphasize to the appropriate extent. Better than ever before, we can use the list as a backbone of a thorough secure coding curriculum and teach developers how not to code.
We have already aligned our Web application security-related courses to the OWASP Top 10 2021. Check them out in our catalog, and keep coding responsibly!