What's Changed in the OWASP Top 10 2021?
The OWASP Top 10 has received its first update since 2017. The OWASP Top 10 lists what are perceived to be the most critical web application security risks, and it is a good starting point for improving the security of your web application.
Wondering what has changed? Existing entries have been reshuffled or subsumed into broader categories, and three new categories have been added. Read on to learn more about the changes!
Reshuffled or Subsumed Items
Most items have been reshuffled or subsumed. ‘Cross-Site Scripting’ (XSS), previously its own entry at A07, is now part of the ‘Injection’ category. Injection itself has dropped from the top security risk to third place (A03).
The new top risk that has taken its place is ‘Broken Access Control,’ which has moved up from A05 to A01. According to OWASP, 94% of applications had broken access control.
‘Cryptographic Failures’ moves up one position to A02, wedged between the two as the second greatest security risk. The category covers failures in cryptography that lead to compromise or sensitive data exposure.
Another interesting change concerns the category ‘Using Components with Known Vulnerabilities.’ The previous entry at A09 has moved up three spots to A06 and has been renamed ‘Vulnerable and Outdated Components.’ This is the risk that software composition analysis (SCA) seeks to catch early in the software development lifecycle (SDLC), by identifying the known-vulnerable components your application uses.
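To make the top-ranked category concrete, here is an added example (not code from OWASP or from this post) of the check that is missing in most broken access control findings: a handler that serves any record by id beside one that enforces ownership or role server-side. The invoice store, the user model and the function names are constructed for illustration.

```python
"""Object-level authorization, shown as a vulnerable handler beside its fixed
version. Constructed example: the record store, users and handler names are
assumptions, not code from OWASP or any particular framework."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed data store: invoice id -> owner id and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 250},
    102: {"owner_id": 2, "amount": 900},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Checks nothing beyond 'someone is logged in': any user can read any
    invoice by supplying its id (an insecure direct object reference)."""
    return INVOICES[invoice_id]


def get_invoice_fixed(caller: User, invoice_id: int) -> dict:
    """Deny by default: the record is returned only if the caller owns it or
    holds the admin role. The decision is made server-side on every request."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error as for 'not permitted', so the response shape does not
        # reveal which ids exist.
        raise Forbidden("not found or not permitted")
    if caller.role != "admin" and invoice["owner_id"] != caller.user_id:
        raise Forbidden("not found or not permitted")
    return invoice


def can_read(caller: User, invoice_id: int) -> bool:
    """True if the fixed handler would serve the record to this caller."""
    try:
        get_invoice_fixed(caller, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(99, "admin")
    print(get_invoice_vulnerable(alice, 102))  # Alice reads Bob's invoice
    print(can_read(alice, 102), can_read(bob, 102), can_read(admin, 102))
```

The fixed handler treats "does not exist" and "not yours" identically, which is a small but useful detail: an access control check that returns different errors for the two cases still leaks which ids are valid.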
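The matching step that SCA tools perform is simple enough to show in full. The following is an added example, not code from OWASP or from any SCA product: it reads a pinned dependency manifest and reports every component whose version falls inside a known-vulnerable range. The manifest, the advisory records and their ids are constructed placeholders, and the dotted-numeric version comparison is a simplification of real version schemes.

```python
"""Minimal software composition analysis (SCA): match declared components
against known-vulnerable version ranges. Constructed example; the manifest,
the advisory records and their ids are placeholders, not real advisories."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.19.0' -> (2, 19, 0); only dotted numeric versions are handled here."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE or GHSA identifier
    package: str
    introduced: Version  # first affected version (inclusive)
    fixed: Version       # first fixed version (exclusive)


# Constructed advisory database: ids and ranges are illustrative only.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "webclient", (2, 0, 0), (2, 20, 0)),
    Advisory("ADV-PLACEHOLDER-2", "templating", (1, 0, 0), (1, 4, 2)),
    Advisory("ADV-PLACEHOLDER-3", "templating", (1, 5, 0), (1, 5, 3)),
]

# Constructed manifest in 'name==version' pin format, one entry per line.
MANIFEST = """\
webclient==2.19.0
templating==1.4.2   # first fixed version: not affected
jsonparse==3.1.0
"""


def parse_manifest(text: str) -> List[Tuple[str, Version]]:
    """Return (name, version) pins, ignoring comments and blank lines."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        pins.append((name.strip().lower(), parse_version(version)))
    return pins


def is_affected(version: Version, adv: Advisory) -> bool:
    """Affected when introduced <= version < fixed (tuple comparison)."""
    return adv.introduced <= version < adv.fixed


def scan(manifest_text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory_id) for every vulnerable pin."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, ".".join(map(str, version)), adv.advisory_id))
    return findings


if __name__ == "__main__":
    for package, version, advisory_id in scan(MANIFEST):
        print(f"{package} {version}: {advisory_id}")
```

Running this early in the SDLC, on the manifest rather than on a deployed system, is what lets the finding be fixed by a version bump before the component ships.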
The Two Lists Compared
The highest listed new risk is ‘Insecure Design’ at spot four (A04), which is said to be a nod to the industry to shift left through more “threat modeling, secure design patterns and principles, and reference architectures.” A move we applaud!
‘Server-Side Request Forgery’ (SSRF) and ‘Software and Data Integrity Failures’ are also new categories on the list. SSRF was added based on community feedback and what we are experiencing in practice, even though “it’s not illustrated in the data at this time,” and takes the A10 spot.
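As an added illustration of the new A10 category (not code from OWASP or from this post), here is the usual mitigation for SSRF: deny by default and only let the server fetch URLs whose scheme, host and port are on an explicit allowlist, with IP literals and embedded credentials rejected outright. The allowed hosts and the function names are constructed assumptions.

```python
"""Allowlist-based validation of a URL the server will fetch on a user's
behalf, the standard SSRF mitigation. Constructed example; the allowlist and
function names are assumptions, not code from OWASP."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only outbound destinations this feature needs.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def is_public_address(addr_text: str) -> bool:
    """True if addr_text is a global unicast IP: not loopback, private,
    link-local, reserved or multicast. Apply this to the resolved address
    right before connecting; the hostname allowlist alone says nothing about
    where a name resolves at that moment."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def is_safe_outbound_url(url: str) -> bool:
    """Deny by default: accept only https URLs on an allowed port whose host is
    an allowlisted name. IP literals and userinfo are rejected because they
    are the usual ways an allowlist on names gets bypassed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host or port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never an allowlisted name
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/logo.png",
        "http://images.example.com/logo.png",
        "https://images.example.com@10.0.0.1/",
        "https://127.0.0.1/",
        "file:///etc/hosts",
    ):
        print(is_safe_outbound_url(candidate), candidate)
```

The two functions split the decision the way production code should: validate the URL once at input time, then re-check the resolved address at connection time, since the allowlist governs names while the network request goes to an address.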