OWASP Top 10 vulnerabilities for 2021 were published including considerable changes

The Open Web Application Security Project (OWASP) is celebrating its second decade of life and a 24-hour webinar has been organized to commemorate the occasion, present various security topics. One of the topics of the most interest was the presentation of its Top 10 for the worst security threats for OWASP implementations in 2021.

During the presentation, OWASP Executive Director Andrew van der Stock noted that this year’s list includes significant changes to the way nonprofits classify web security threats, something that hadn’t happened since at least 2017.

As per van der Stock, during the most recent years injection attacks were considered the most important web security threat, representing a security risk for developers around the world; in the most recent list, the first place is occupied by the “Broken Access Control”, previously considered as a minor risk.

Another eye-catching change is in the “Cryptographic Failures” category, formerly known as “Sensitive Data Exposure,” which now ranks second on the list. OWASP mentions that the name change involves a clearer focus on encryption-related flaws, considering the previous name to be somewhat ambiguous.

Finally, cross-site scripting (XSS) attacks ceased to be a single category and were added to the “Injection Attacks” category. Below is the updated list of security risks in OWASP:

  • Broken Access Control
  • Cryptographic Failures
  • Injection Attacks
  • Insecure design
  • Incorrect Security Settings
  • Vulnerable and Obsolete Components
  • Identification and Authentication Failures
  • Data and Software Integrity Failures
  • Security Tracking and Logging Failures
  • Server Side Request Forgery (SSRF)

Multiple members of the cybersecurity community consider these to be pertinent changes, as one of the main characteristics of cybercrime is its ability to develop and adapt, so a classification of security threats could not remain immutable.

Other efforts of OWASP are focused on the dissemination of information, for which they have launched a version of the list in PDF format compatible with virtually any mobile device, in addition to other dissemination activities.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.