author photo
By Devon Warren-Kachelein
Mon | Sep 20, 2021 | 10:02 AM PDT

There is no question, we have seen a few unprecedented cyberattacks in 2021 with the rise of ransomware. But what are the biggest vulnerabilities to apps and software in particular this year?

Apps and software, when not designed with proper threat modelling, can lead to bad things for a business and the consumers. Vulnerabilities within a program or app cause problems such as the recently reported bug with HP Omen Gaming Hub, which revealed a potential hole for attackers that did reach millions.

The Open Web Application Software Project (OWASP) compiled data from several major cybersecurity organizations to create a list of top web and app security weaknesses. Just a few of the contributing organizations include GitLab, AppSec Labs, Micro Focus, and Sqreen. Some organizations contributed to the report but chose to remain anonymous.

Let's dive into the list and walk through how these weaknesses could mean devastation for your organization.

OWASP reports top 10 web and app weaknesses

1. Broken access control
According to OWASP, this attack moved into the top spot from sixth place last year. This kind of weakness can be potentially devastating. 

"Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high," according to PortSwigger.

2. Cryptographic failures
This kind of weakness happens when sensitive data is not stored correctly.

"The renewed focus here is on failures related to cryptography, which often leads to sensitive data exposure or system compromise," said OWASP.

3. Injection
An attacker injects malicious code into a network, which allows the data to be returned to the hacker. This weakness fell into spot three from spot two last year and includes cross-site scripting for 2021.

4. Insecure design
A final deliverable equals cash flow. When organizations are too eager to release their products to the business or consumers, sometimes they miss critical components in a rush to release new apps or software.

"If we genuinely want to 'move left' as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures," said OWASP.

5. Security misconfiguration
Simply put, this means a failure to implement all proper security measures before releasing a product.

"90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it's not surprising to see this category move up," said OWASP.

6. Vulnerable and outdated components
A dangerous one moved up from the ninth slot from last year. For instance, our own government faced this problem during the COVID-19 pandemic.

Did you know the world's economy still runs largely on mainframe computers? This was an interesting tidbit by presenter Elizabeth Schweinsberg, an engineer with the United States Digital Service department, at this year's Women in Cyber Security (WiCyS) conference.

"Do you remember March and April of 2020 as the national public health crisis was starting to ramp up? There was an explosion of unemployment claims to states and a similarly sized explosion of news articles about how those states were using mainframes to pay for unemployment. Where did those mainframes come from? Fun fact: They were our own," Schweinsberg said.

7. Identification and authentication failures
Microsoft made headway going passwordless, which largely relied on a two-factor verification method. But what happens when these identification measures fail? This can be a major headache for fellow colleagues or consumers. These types of attacks could potentially lead to bad actors selling data on the Dark Web.

8. Software and data integrity failures
Data integrity breaches are when an attacker can modify information. Attackers can view the data, then compromise the integrity of the information. An attacker could allow anyone to question their reality in a kind of online gaslighting method.

"Insecure Deserialization from 2017 is now a part of this larger category," said OWASP.

9. Security logging and monitoring failures
A common example in the last two years is the Titan Incident, a network attack where the University of Oslo was the victim. This cyberattack caused a professor to disconnect their research computer from the internet.

"This category is expanded to include more types of failures, is challenging to test for, and isn't well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics," said OWASP.

10. Server-side request forgery (SSRF)
This is another type of attack, which allows a hacker to manipulate information.

"The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the industry professionals are telling us this is important, even though it's not illustrated in the data at this time," said OWASP.

Is your organization having trouble with any of the issues outlined by OWASP? Share your feedback in the comments below about how your business is addressing those weaknesses.

Learn more about this study by visiting the website here.

[RESOURCE: Join Ryan Mostiller, Regional Cybersecurity Manager at Faurecia, at SecureWorld's Great Lakes virtual conference for his presentation, "Show Off the Skeletons in Your Closet." Mostiller will be discussing how to identify, discover, and document the worst security weaknesses at your organization.]

Comments