Broken access control the no. 1 security risk for Web applications


Broken access control took the number one spot in the Open Web Application Security Project’s (OWASP) top ten list of Web application security risks in the draft version of the new list published this week.

This is a significant rise from the previous list, published in 2017, in which broken access control came in at number five. Cryptographic failures also rose, coming in at number two in the 2021 edition compared with number three in 2017.

Injection, by contrast, appears to have declined, falling to number three this time after holding the number one rank four years ago.

OWASP is a ‘non-profit foundation that works to improve the security of software.’ Its top ten list, updated every three or four years, is based on data analysis, surveys and public comment.

Insecure design makes its debut at number four, alongside two other new categories (software and data integrity failures, and server-side request forgery). Security misconfiguration rounds out the top five. The full list, including the changes from the previous iteration, can be seen below.

The ranking roughly corresponds to how frequently application security professionals encounter each issue. However, organisations should aim to eliminate all ten, and should put particular focus on the requirements they define for themselves.

"The only way to reduce application security risk is by making security an integral part of every phase of software development, from design through to implementation, testing, release, and maintenance," said Jonathan Knudsen, senior security strategist at Synopsys Software Integrity Group. 

"Eliminating flaws from the OWASP Top 10 categories is a reasonable baseline goal, but for the most effective risk reduction, you should define and execute your own application security policies based on your specific applications and organizational goals." 

Data from more than 500,000 applications is analysed for the top ten list, alongside an industry survey. The contributed data captures past trends, whereas the industry survey focuses more on forecasting new ones.

Although the most recent survey used open-ended questions for the first time, the contributed dataset only represents security issues that can be detected by automated testing. For that reason, two of the OWASP top ten categories are chosen by community vote rather than from the data.

Looking at the make-up of the top three in particular, broken access control and injection are the issues most commonly encountered in application testing. Cryptographic failures sit at number two because they are frequently missed and have the potential to lead to significant breaches.

To see where potential vulnerabilities lie in your company's Web applications, you can get a free score from Securiwiser.
