OWAST Top 10 vulnerabilities and how to approach them
Heloisa Moraes
Posted on September 8, 2022
Shipping reliable and secure applications is vital for today’s organizations. Adopting security recommendation frameworks helps structure and systematize how you build software. OWASP Top 10 is one of those frameworks, being a widely adopted standard for software security.
Using the right tools also helps secure your code. For example, static analysis tools provide adaptive, real-time protection against web applications' most sophisticated threats.
So keep reading to learn about OWASP Top 10 and how a tool like Codacy can help.
What is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. It operates under an open community ideal where anyone can contribute to projects, events, online discussions, and other activities.
This community works to create freely-available resources, including articles, videos, forums, events, documentation, methodologies, tools, and technologies. OWASP is not affiliated with any technology organization so they can provide high-quality information without bias.
What is OWASP Top 10?
The OWASP Top 10 list is a recommendation framework maintained by OWASP since 2003. Security experts worldwide achieve a consensus to create the list, which is periodically updated to adjust to changes in application security.
The vulnerabilities are classified based on the frequency of security defects, their severity, and the extent of their potential impact. The list's purpose is to provide actionable recommendations and serve as a security checklist that helps your organization write more secure code.
OWASP Top 10 vulnerabilities
Let’s dive deeper into the Top 10 vulnerabilities of the latest 2021 report (we covered the 2017 report in a previous article).
A01 Broken Access Control
Description: Broken access control happens when a user can gain privileged access due to a faulty access control system. For example, an attacker can gain access to user accounts or behave as a different user, or regular users can access privileged functions.
Solution: The best way to model an access control system is to deny everything by default, except for public resources, and only give access if needed. An Interactive Application Security Testing (IAST) tool can also help you detect cross-site request forgery or insecure storage of sensitive data. Finally, penetration testing can supplement IAST, helping catch unintended access controls.
A02 Cryptographic Failures
Description: Cryptographic failures happen when a lack of cryptography causes sensitive data to be compromised. Sensitive data include passwords, credit card numbers, or medical records. Thus, you must ensure data is always encrypted, and you’re not using weak or outdated cryptographic algorithms.
Solution: Store passwords using adaptive and salted hashing functions to ensure that users' passwords are not compromised even if there’s a database breach. You can also implement a secrets management system to store and rotate credentials. In addition, SAST tools can provide snapshots at the code and component level, but supplementing with IAST is crucial for continuous monitoring.
A03 Injection
Description: Injection happens when an attacker sends invalid data into an application to make it do something it was not supposed to do. SQL injection is a dominant flaw caused by using unsanitized user data to build dynamic database queries. Cross-site scripting is another common risk.
Solution: To prevent injections, keep data separate from queries. Use Object Relational Mapping, but remember that performance degradation might be a trade-off. Don’t trust any user input and validate it every time. Finally, including SAST and IAST tools in your CI/CD pipeline helps identify injection flaws.
A04 Insecure Design
Description: Insecure design happens when there are design and architectural flaws. Some applications don’t have security considerations in the first place, while others have implementation problems that can lead to exploitable security flaws.
Solution: You should consider security principles from the beginning of the design process of your application. Assuming malicious intent from the start can help prevent many issues that would be hard to fix when the application is shipped. Plus, IAST tools can further help detect vulnerabilities.
A05 Security Misconfiguration
Description: Security misconfiguration happens when you do not configure your application correctly, leaving security weaknesses. Misconfigurations can include having a default account with the original password, enabling unnecessary features, or error handling showing stack traces to users.
Solution: You can mitigate misconfigurations by investing in a repeatable process across the application stack. Removing unnecessary components and dependencies reduces the area for an attack. In addition, SAST tools can identify the information exposure available through an error message. Finally, IAST tools can detect information disclosure and inappropriate HTTP header configurations.
A06 Vulnerable and Outdated Components
Description: Vulnerable and outdated components happen when you build applications using obsolete components or third-party software. You should first learn about any application's core components, versions, and last update. Components usually run with the same privileges as the application, so any component's flaws can profoundly impact your security.
Solution: To mitigate this risk, periodically remove unused third-party dependencies and create an upgrade plan for valuable dependencies. You can use software composition analysis (SCA) tools alongside SAST and IAST to identify and detect outdated and insecure components. Additionally, a culture where developers triage third-party dependencies regularly can also help.
A07 Identification and Authentication Failures
Description: Identification and authentication failures happen when you don’t correctly implement your application’s authentication or session management. Attackers can compromise passwords, keywords, and sessions, allowing them to access any account, steal user identity, and control the system completely. So, validating user identities and setting up secure session management is vital.
Solution: Automatically check passwords against a list of common passwords before allowing users to set them. Implementing multi-factor authentication can prevent attacks. Plus, SAST is instrumental in identifying broken authentication vulnerabilities. IAST tools can also detect hardcoded passwords and improper authentication.
A08 Software and Data Integrity Failures
Description: Software and data integrity failures happen when you make assumptions about software updates and critical data without verifying integrity. For example, if your application relies on third-party packages you downloaded from untrusted sources, you become vulnerable to malicious code injection.
Solution: Always use signature verification when installing third-party dependencies and only use trusted sources. All new packages added to a project must go through a mandatory manual code review process. Plus, SAST and IAST tools check for unsafe deserialization and help detect insecure redirects or tampering with token access algorithms.
A09 Security Logging and Monitoring Failures
Description: Security logging and monitoring failures happen when the application fails to detect and respond to security threats. The lack of logs or alerting mechanisms in case of an anomaly makes the system vulnerable to attackers, who quietly compromise the system without anyone noticing.
Solution: Logs are the primary source of information when something goes wrong. So you should frequently perform logging and monitoring activities to help you detect breaches and take corrective action on time. In addition, some SAST and IAST tools can help identify unlogged security exceptions.
A10 Server-side Request Forgery (SSRF)
Description: Server-side request forgery happens when a web application fetches a remote resource without validating the user-supplied URL. An attacker can make the application send a request to an unexpected destination. Even if you protect your system with a firewall, VPN, or network access control, SSRF can happen.
Solution: A good rule for firewall policies and network access controls is to deny by default. In the application layer, all user input should be sanitized and validated. IAST tools can track, monitor, and detect SSRF without additional scanning and triaging.
Static code analysis for security: how can Codacy help
Codacy is an automated code review tool that includes SAST to find security problems in your source code. It analyzes your entire codebase to check for any potential security vulnerabilities.
Codacy uses an early feedback system that alerts you as soon as it finds potential security risks in the code. As such, it helps your team write high-quality code that isn’t susceptible to security risks. In addition, Codacy integrates directly with your workflow, helping you save time reviewing code yourself.
To help you verify the current security levels of your code, Codacy also features a security monitor, which will outline the security status of each of your repositories and warns you if you have any security code patterns turned off.
The security monitor will also alert you as soon as it identifies any potential problem, which should take a load off your mind when developing future projects. Check out our documentation if you have any questions.
While Codacy is in no way a comprehensive security system on its own, its usage can bring you and your team valuable guidance. A tool like Codacy will save you time by automatically analyzing vulnerabilities within your codebase and providing insights and an overview of all current security alerts.
At Codacy, we understand that it’s crucial to have high-security standards, and that’s why we follow security best practices such as the OWASP Top 10 and SANS Top 25.
Conclusion
The OWASP Top 10 list provides an excellent actionable framework to ensure your applications are safe against common security threats.
Implementing a static analysis tool like Codacy helps automate the detection of specific vulnerabilities for each threat while you are still writing and reviewing the code. Plus, enabling developers to ensure source code security early on helps you embrace the core principles of DevSecOps and shift left.
Posted on September 8, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.