Micro Focus is now part of OpenText. Learn more >

You are here

You are here

No tool will fix your OWASP Top 10 risks

Martin Knobloch Global AppSec Strategist, CyberRes

When the Open Web Application Security Project (OWASP) comes out with an updated list of the top risks, many people talk about the collection of issues as if they were vulnerabilities to be fixed. While the OWASP Top 10 Web Application Security Risks for 2021 include classes based on vulnerabilities—such as injection (No. 3 on the list) and server-side request forgery (No. 10)—the list also includes broad classes of issues such as software and data integrity (No. 7) and process failures such as insecure design (No. 4).

Companies want to prioritize their vulnerabilities, but the Top 10 document should be considered a prompt for discussing how business and security groups should tackle cybersecurity, rather than attempting to use it as a blueprint for an application security program. The list is a way to highlight the most common risks that developers and businesses face when creating and deploying web applications.

One of the difficulties of using the OWASP Top 10 as a standard is that it documents application security risks, and not necessarily issues that are easily tested. For example, insecure design is beyond the scope of most forms of testing.

In the words of OWASP: "The OWASP Top Ten is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."

Yet that raises the question of how businesses should use the document. Here are three ways that companies should look to improve their approach to security as informed by the OWASP Top 10.

1. Support a culture of security, rather than seeking a tool

Businesses should look to change their culture rather than try to buy their way to security with tools. What your company considers to be a secure system today may be proved insecure tomorrow. So companies should treat security issues not as a problem to be solved once, but as one that requires continuous fixing, monitoring, and improvements. They need to become resilient operations that always consider security.

Vendors love to boast that their tool or service can detect or prevent vulnerabilities on the OWASP Top 10 list and mitigate the risk of those issues. For them, the OWASP Top 10 list has become a marketing tool or a standard that requires compliance. However, most of the issues highlighted by the top 10 list are broad risks rather than specific classes of vulnerabilities, and a single tool cannot mitigate risk, let alone detect what's causing most of these vulnerabilities. 

So, rather than seek out a specific tool or service to solve the problems highlighted by the OWASP Top 10 list of web application security risks, companies should be training employees in techniques designed to make developers, application security professionals, and business leaders aware of the risks. Creating a business culture that is risk-aware and considers security as part of every decision will drive down risk.

2. Security needs to shift left, but right as well

Application-security teams should also look for operational approaches to push the security considerations in the OWASP Top 10 not only leftward—toward design and development—but also rightward, into business, operations, and engineering groups. This puts security for a given application pipeline into the hands of those most expert in that particular stage.

Only businesses can determine what their risk will be, while developers are best suited to handle vulnerabilities in the code and operations teams can help by baking secure processes into the infrastructure.

Integrating security into the development and deployment lifecycle with an approach such as DevSecOps can also help make every team member consider the security risks inherent in the application. The result will be less work, since security is handled earlier in the pipeline, but also more visibility, since security is also integrated into the infrastructure.

3. Future risks can't be addressed until you've addressed past risks

The Top 10 list is based on data from more than 500,000 applications submitted by almost a dozen different security firms based on human-assisted tooling, tool-assisted human testing, and raw tooling. These terms describe the degree to which human analysts have a role in the testing process. Penetration testing is generally considered a tool-assisted human process, while human-assisted tooling includes static analysis security testing (SAST) tools, where a human analyst or developer will determine whether issues are legitimate.

The incidence rate of these issues forms the base of the Top 10 list and take up eight of the Top 10 slots.

The other two slots on the Top 10 list are selected based on surveys of the most significant application issues that developers and application-security experts believe will be issues in the future.

Thus, the Top 10 list is not a complete picture of all application risks. Just as investors talk about past performance not being indicative of future results, past risks are not always a business's future risks.

However, there are reasons that most of the risks on the Top 10 list remain the same, or similar, from release to release. Attackers tend to use attack vectors they already know, so most attacks will attempt to take advantage of the most common weaknesses and risks outlined in the OWASP Top 10.

In short, worry about the threats that you do know about, such as the OWASP Top 10, and not about future threats for which you cannot specifically prepare. In the end, if you have the programs in place to handle the most common threats, then you are likely to catch future threats as well.

Use the Top 10 document wisely

Overall, the OWASP Top 10 Web Application Security Risks report is a key document for increasing awareness of the latest issues. Paired with an application security program that aims to improve software quality and reduce vulnerabilities in a measurable way, such as the OWASP Software Assurance Maturity Model (SAMM), companies can prepare for the most common threats used today, and the most likely future attacks as well.

Keep learning

Read more articles about: SecurityApplication Security