The Open Web Application Security Project (OWASP) has released its top ten list of vulnerabilities in web software, as part of a wider effort to make software less painful at the design stage.
New entries in the project's top ten include “unsafe design”, which covers specific design errors, and “software and data integrity errors”. The latter refers to “making assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity”.
The publication is a draft for public comment and peer review, with a final version expected later this year.
The number one vulnerability in web apps this year is Broken Access Control, with OWASP commenting: “The 34 CWEs* assigned to Broken Access Control had more application occurrences than any other category.”
One of the non-specific examples OWASP cited is the failure to validate user credentials for browser-based access to admin pages.
Cryptographic failures, at number two on this year's list, were also highlighted by OWASP. The category was previously known as “Sensitive Information Disclosure”, and the organization noted that the old description was “a broad symptom rather than a root cause”.
Although the new name of this category conjures up images of script kiddies cracking RSA-4096 encryption with the click of a finger, the mundane truth is that it encompasses everything from hard-coded passwords and insufficient password entropy to “broken or risky crypto algorithms”. Specific examples of bad practice that fall under “cryptographic failures” include storing passwords without hashing or salting, or not enforcing TLS on login-protected websites.
Third came code injection and cross-site scripting, with other common weaknesses including security misconfigurations, outdated libraries, and server logging and monitoring failures.
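As an added illustration (not from the article or from OWASP), the “storing passwords without hashing or salting” practice beside a hardened form: a random per-user salt, a slow key-derivation function, and a constant-time comparison at login. The in-memory user tables and the scrypt parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed in-memory "user table" for the insecure variant: the plaintext
# password itself is the stored value, the bad practice the OWASP draft names.
insecure_store: Dict[str, str] = {}


def insecure_register(username: str, password: str) -> None:
    # No hashing, no salt: a database leak hands over every password verbatim.
    insecure_store[username] = password


def insecure_login(username: str, password: str) -> bool:
    return insecure_store.get(username) == password


# Hardened variant: per-user random salt plus a salted, memory-hard KDF.
# The scrypt cost parameters below are an assumption for this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
hardened_store: Dict[str, Dict[str, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hardened_register(username: str, password: str) -> None:
    salt = os.urandom(16)  # 128 bits from the OS CSPRNG: adequate entropy
    hardened_store[username] = {"salt": salt, "hash": _derive(password, salt)}


def hardened_login(username: str, password: str) -> bool:
    rec = hardened_store.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user is not revealed by timing.
        _derive(password, b"\x00" * 16)
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))
```

Because the salt differs per user, two accounts with the same password produce different stored hashes, so a leaked table cannot be attacked with one precomputed lookup.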
OWASP builds the top ten list by combining industry data on vulnerabilities in web-based software with an industry survey that asked frontline practitioners which bugs they had seen over the past year and which deserved broader exposure.
The organization stated:
In 2018, then-OWASP chairman Martin Knobloch told El Reg that the top ten list was both a blessing and a curse, saying: “A guide to validation is not a guide to building security.” ®
* CWE: Common Weakness Enumeration. See also CVE, Common Vulnerabilities and Exposures: a vendor-neutral method for tracking bugs through the use of a unique reference number.