The COVID-19 pandemic pushed many development teams into hyper-release cycles for mobile and other web application solutions for their customers. Recent research from Symantec has revealed that development environments, developer tools, web and mobile applications remain highly vulnerable to compromise.
Enterprises that prioritize the speedy delivery of web-accessible software with little regard for security must contend with an increasing likelihood that bad actors will expose, then exploit application vulnerabilities left by their development teams.
Help with reducing these risks exists in the form of a non-profit organization known as Open Web Application Security Project (OWASP), a purveyor of free and highly practical web application security guidance.
This article will provide the reader with background on the OWASP Top 10 risks, demonstrate how cybercriminals may identify or exploit some of these risks, and outline general approaches businesses may take to reduce their web application attack surface using the extensive web security resources provided by OWASP.
Taking a peek under the hood
From a web application security risk perspective, the 2022 Data Breach Investigation Report (DBIR) from Verizon paints an alarming picture. Data sampled from over 9700 individual cyber incidents spanning North America, Asia, Europe, the Middle East, and Africa showed that Basic Web Application Attacks (BWAA) featured in 90% of the top breach patterns, reaching nearly 100% in some regions.
Verizon also noted that 82% of all breaches involved human behavior, such as making unintentional errors or allowing credential theft. Guidance exists that can help improve these numbers and allow businesses to better manage their web application risk profile.
Running steadily since 2004, the OWASP Top 10 project is extensively reviewed and updated on a 3-year schedule, publishing a list of the ten most significant risks to web applications. This risk ranking is produced from direct research and from vulnerable software uploaded to the project by OWASP members, security organizations, software developers, and other cybersecurity practitioners.
Reviews are executed against code submissions to determine the prevalence of identified vulnerabilities, resulting in a final rank for each Top 10 risk. The OWASP Top 10 is summarized below and is prioritized per the most recent 2021 standard. This article will demonstrate vulnerability discovery and approaches useful for exploiting several Top 10 risks using free resources made available by OWASP.