Course Outline

Introduction

  • Overview of OWASP, its purpose, and importance in web security for government operations.
  • Explanation of the OWASP Top 10 list
    • A01:2021-Broken Access Control has moved up from the fifth position. Ninety-four percent of applications were tested for some form of broken access control, and the 34 Common Weakness Enumerations (CWEs) mapped to this category have more occurrences in applications than any other.
    • A02:2021-Cryptographic Failures has shifted up one position to #2. Previously known as Sensitive Data Exposure, this category now focuses on the root cause of cryptographic failures, which often lead to sensitive data exposure or system compromise.
    • A03:2021-Injection has slid down to the third position. Ninety-four percent of applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
    • A04:2021-Insecure Design is a new category for 2021, focusing on risks related to design flaws. To genuinely "move left" as an industry, it calls for increased use of threat modeling, secure design patterns and principles, and reference architectures.
    • A05:2021-Security Misconfiguration has moved up from #6 in the previous edition. Ninety percent of applications were tested for some form of misconfiguration, reflecting the increasing complexity of highly configurable software. The former category for XML External Entities (XXE) is now part of this category.
    • A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey. This category moves up from #9 in 2017 and remains a significant issue that we struggle to test for and to assess the risk of. It is the only category not to have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into their scores.
    • A07:2021-Identification and Authentication Failures was previously Broken Authentication and has slid down from the second position. This category now includes CWEs related to identification failures but remains an integral part of the Top 10. The increased availability of standardized frameworks seems to be helping.
    • A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on assumptions related to software updates, critical data, and CI/CD pipelines made without verifying integrity. This category has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now part of this larger category.
    • A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and has moved up from #10 in the previous edition. This category, expanded to include more types of failures, is challenging to test for and isn’t well represented in CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
    • A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above-average testing coverage and ratings for Exploit and Impact potential. This category represents the scenario where security community members have identified it as important, even though it’s not illustrated in the data at this time.

Broken Access Control

  • Practical examples of broken access controls for government applications.
  • Secure access controls and best practices for government systems.

Cryptographic Failures

  • Detailed analysis of cryptographic failures, such as weak encryption algorithms or improper key management in government systems.
  • Importance of strong cryptographic mechanisms, secure protocols (SSL/TLS), and examples of modern cryptography in web security for government operations.

Injection Attacks

  • Detailed breakdown of SQL, NoSQL, OS, and LDAP injection for government applications.
  • Mitigation techniques using prepared statements, parameterized queries, and escaping inputs in government systems.

Insecure Design

  • Exploring design flaws that can lead to vulnerabilities, like improper input validation in government applications.
  • Strategies for secure architecture and secure design principles for government systems.

Security Misconfiguration

  • Real-world examples of misconfigurations in government applications.
  • Steps to prevent misconfiguration, including configuration management and automation tools for government systems.

Vulnerable and Outdated Components

  • Identifying risks of using vulnerable libraries and frameworks in government applications.
  • Best practices for dependency management and updates for government systems.

Identification and Authentication Failures

  • Common authentication issues in government applications.
  • Secure authentication strategies, like multi-factor authentication and proper session handling for government systems.

Software and Data Integrity Failures

  • Focus on issues like untrusted software updates and data tampering in government applications.
  • Safe update mechanisms and data integrity checks for government systems.

Security Logging and Monitoring Failures

  • Importance of logging security-relevant information and monitoring for suspicious activities in government applications.
  • Tools and practices for proper logging and real-time monitoring to detect breaches early in government systems.

Server-Side Request Forgery (SSRF)

  • Explanation of how attackers exploit SSRF vulnerabilities to access internal systems in government applications.
  • Mitigation tactics, including proper input validation and firewall configurations for government systems.

Best Practices and Secure Coding

  • Comprehensive discussion on best practices for secure coding in government applications.
  • Tools for vulnerability detection in government systems.

Summary and Next Steps

Requirements

  • A comprehensive understanding of the web development lifecycle for government
  • Practical experience in developing and securing web applications

Audience

  • Web developers for government
  • Leadership personnel

14 Hours
