INTRODUCTION
Opportunities for attackers have exploded in today’s digital economy, which relies on modern apps and architectures, multi-cloud deployments, and third-party integrations, including software supply chains and CI/CD pipelines. The OWASP Top 10 for 2021 addresses a new wave of risks as must-read guidance for improving security in application design and implementation.
The OWASP Top 10, first released in 2003, represents a broad consensus on the most critical security risks to web applications. For 20 years, the top risks remained largely unchanged—but the 2021 update makes significant changes that address application risks in three thematic areas:
Recategorization of risk to align symptoms to root causes
New risk categories encompassing modern application architectures and development
Vulnerability exploits as well as business logic abuse
What is the #1 cause of breaches?
Access attacks
“Access attacks, that is, attacks against user-facing authentication surfaces, were the single most frequent cause of breaches.”1
— 2022 Application Protection Report: In Expectation of Exfiltration
What's New for 2021
Here are the key factors that influenced the OWASP Top 10 update:
2017
Focus on traditional web applications
Small data set (prescribed subset of 30 CWEs)
Variety of risk factors, technical/business impacts
Injection as the top risk for over 20 years
2021
Shift to modern architectures
Data-driven process with 400 CWEs
Recategorized around symptoms and root causes
A new wave of risk: insecure design and implementation
THEME #1
Symptoms Aligned to Root Causes
What's Changed?
The OWASP Top 10 risks map to common weakness enumerations (CWEs), which often become vulnerability exploits. But previous OWASP data collection focused on a prescribed set of 30 CWEs, and previous lists made no significant distinction between CWEs that represented root causes and more symptomatic weaknesses with a variety of potential causes. The 2021 list reflects 400 CWEs and thus enabled broader analysis.
2017: Symptom
A3:2017
Sensitive Data Exposure
A7:2017
Cross-Site Scripting (XSS)
A4:2017
XML External Entities (XXE)
A9:2017
Using Components with Known Vulnerabilities
A8:2017
Insecure Deserialization
A10:2017
Insufficient Logging & Monitoring
2021: Root Cause
A02:2021
Cryptographic Failures
A03:2021
Injection
A05:2021
Security Misconfiguration
A06:2021
Vulnerable and Outdated Components
A08:2021
Software and Data Integrity Failures
A09:2021
Security Logging and Monitoring Failures
Why Does it Matter?
The 2021 list better aligns symptoms to underlying root causes to help security teams focus on reducing risks at their source.
What is the #1 cause of cloud breaches?
Security misconfiguration
“What we want you to do is actually think about those root causes and what you can do about them, rather than trying to put band-aids over the symptoms.”2
—Andrew van der Stock, Executive Director, OWASP Foundation
THEME #2
New Risk Categories
What's Changed?
Three new risk categories emphasize the need to address security from the start of application design and to make security part of the software lifecycle.
A04: 2021
Insecure Design
A08: 2021
Software and Data Integrity Failures
A10: 2021
Server-Side Request Forgery
Why Does it Matter?
The recent publication of the log4j2 vulnerability spotlights the significance of open-source software exploits. Weaknesses within the log4j2 logging utility map to two OWASP Top 10 risk categories, and a CVE with real-world exploits make it a trifecta—injection, software, and data integrity failures, and vulnerable and outdated components.
Figure 1: The Log4Shell exploit in the open-source Apache Log4j2 logging utility is an example of at attack that spans multiple risk categories. It allows the execution of arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
“A secure design can still have implementation defects leading to vulnerabilities that may be exploited.”
—OWASP Top 10 for 2021
THEME #3
Protection for Modern Apps and Architectures
What's Changed?
Application architectures have evolved, with cloud deployments, containerization, mobile apps, and a proliferation of APIs and third-party integrations. Login pages, shopping carts, and other business logic aren’t defects, but they’re inherently vulnerable to abuse. The OWASP Top 10 for 2021 offers guidance for proactive and preemptive security in this new world order.
Figure 2: Yesterday’s best practices aren’t enough for today’s distributed modern applications and architectures.
Why Does it Matter?
Security must be integrated throughout the application development process, including secure CI/CD pipelines, component inventories, threat modeling, and sound risk management. The latest OWASP Top 10 offers a resource for security and AppDev/DevOps professionals working to shift security further left into fundamental design principles.
1 F5 2022 Application Protection Report.
2 Van der Stock, Andrew, OWASP Top 10, YouTube. Oct. 8, 2021.
REPORT
F5 Labs 2022 Application Protection Report
Understand how threats have evolved in the past year and how security defenses can be tuned to defeat the latest attacks.
EBOOK
The 2021 OWASP Top 10: The New Wave of Risk
Learn how to use the OWASP Top 10 as a foundation for more secure development and better application security.
WEBINAR
The OWASP Top 10 2021: The New Risk Order
See what’s changed in the OWASP Top 10 and how solutions like F5 Distributed Cloud WAAP mitigates those risks.
Solution Simulator
F5 Distributed Cloud Web App and API Protection (WAAP)
Explore an interactive demo of holistic as-a-Service protection for applications—wherever they run.
VIDEO
2021 OWASP Top 10 Lightboard Lesson Video Series
Get a detailed breakdown of the new OWASP Top 10 web application security risks.