The past and the present
The updated 2017 Top 10 has a number of moves, one merge and three new entries.
Perhaps unsurprisingly, the A1 and A2 spots remain the same going into 2017; however, Sensitive Data Exposure moves up from A6 to the A3 spot. The A4 spot brings the first new entry into the top 10, namely XML External Entities (XXE). A5 – Broken Access Control is a new category formed by merging the 2013 A4 (Insecure Direct Object References) and A7 (Missing Function Level Access Control). At the A6 position is Security Misconfiguration, down from A5 in the 2013 list. Cross-Site Scripting (XSS) drops from the A3 spot in 2013 to the A7 position in the 2017 list. A8 sees the second new entry into the top 10 – Insecure Deserialization, an entry that originated from the OWASP community survey. A9 (Using Components with Known Vulnerabilities) sees no change from 2013. Insufficient Logging and Monitoring makes its first appearance as the third new entry in the 2017 list at A10. The 2013 entries Cross-Site Request Forgery (CSRF) and Unvalidated Redirects and Forwards disappear from the top 10 list.
In the coming weeks we will spend some time looking specifically at the impact of the new entries into the top 10, and what they mean both for DevOps and Application Security.
Why no change at the top?
The top two haven’t changed since 2013. In fact, A1 – Injection has held the number one spot since 2010. Let’s take a look at the top two in a little more detail.
A1 – Injection
There are many forms of injection attack; SQL injection and cross-site scripting are but two of them, although these two are perhaps the most common and prevalent types (note that OWASP lists XSS separately at A7, since it is the browser rather than the server that is tricked into executing the injected code). These attacks typically allow the attacker to send untrusted data to the program which is then interpreted as part of a command or query and carried out, resulting in a vast range of damage, from denial of service right through to full control of the host and the ability to read an entire database of personally identifiable information.
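The mechanism described above, as an added example that is not part of the original post: a lookup built by string concatenation lets the attacker's input become part of the query, so a boolean payload returns every row and a UNION payload reads the password hashes out of the same table, while the parameterised version treats the same input purely as data. The users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [
    ("alice", "alice@example.com", "hash-1"),
    ("bob", "bob@example.com", "hash-2"),
    ("carol", "carol@example.com", "hash-3"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Untrusted input spliced into the SQL text: the database cannot tell
    where the data ends and the command begins."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the name travels as a bound value, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic boolean payload: the WHERE clause becomes always-true.
BOOLEAN_PAYLOAD = "x' OR '1'='1"

# UNION payload: pulls a different column (the password hash) into the result;
# the trailing -- comments out the closing quote the original query supplies.
UNION_PAYLOAD = "x' UNION SELECT name, pw_hash FROM users --"


def attack_results(conn):
    """Run both payloads against the vulnerable and the safe lookup."""
    return {
        "vulnerable_boolean": find_user_vulnerable(conn, BOOLEAN_PAYLOAD),
        "vulnerable_union": set(find_user_vulnerable(conn, UNION_PAYLOAD)),
        "safe_boolean": find_user_safe(conn, BOOLEAN_PAYLOAD),
        "safe_union": find_user_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    conn = make_db()
    for label, rows in attack_results(conn).items():
        print(f"{label}: {rows}")
```

Running it shows the vulnerable lookup returning all three users for the boolean payload and all three password hashes for the UNION payload, while the parameterised lookup returns an empty list for both, because no user is literally named `x' OR '1'='1`.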
Statistics for 2017 show that injection attacks, despite the headline-grabbing WannaCry and NotPetya outbreaks, account for approximately 50% of the total number of breaches identified, which is why injection remains in the A1 spot for the seventh year running. And this is despite advances in coding practices and the ready availability to DevOps of best-practice guidance on defending against injection attacks.
A2 – Broken Authentication
And so we come to the number 2 spot. Broken authentication typically combines readily available username/password pairs (obtained through various means, including breaches enabled by injection attacks) with credential stuffing: automatically replaying many of those pairs against an application until one succeeds. Other causes of broken authentication are allowing weak or default passwords (Password, Admin etc.) and the absence of two-factor authentication.
Breaches such as the recent Uber breach or the Deloitte breach can be attributed to a form of broken authentication. DevOps can address and mitigate broken authentication by improving the authentication mechanisms themselves: checking for weak and default passwords, hardening the registration and password-recovery processes against user enumeration, throttling or locking accounts after repeated failures, employing secure server-side session managers and, of course, making 2FA a default part of the sign-on process.
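The controls listed above, as an added example that is not part of the original post: a registration check that rejects common or default passwords, a login that hashes with a salted PBKDF2, gives the same answer for unknown users and wrong passwords, and locks an account after five failures, plus a small credential-stuffing replay that shows the lockout taking effect. The denylist, the `AuthStore` class, its thresholds and the leaked pairs are all constructed for the example (a real denylist would be a breached-password corpus of millions of entries).

```python
import hashlib
import hmac
import os
import time

# Constructed denylist of weak/default passwords (illustrative only).
WEAK_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12
MAX_FAILURES = 5          # lockout threshold per account (assumed value)
LOCKOUT_SECONDS = 900     # 15 minutes (assumed value)
PBKDF2_ROUNDS = 100_000


def check_password_strength(password):
    """Return None if the password is acceptable, otherwise the reason."""
    if password.lower() in WEAK_PASSWORDS:
        return "common or default password"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthStore:
    """Minimal in-memory user store with lockout; clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.users = {}      # name -> (salt, digest)
        self.failures = {}   # name -> (count, locked_until)
        self.clock = clock

    def register(self, name, password):
        reason = check_password_strength(password)
        if reason:
            raise ValueError(reason)
        self.users[name] = hash_password(password)

    def login(self, name, password):
        """Return 'ok', 'failed' or 'locked'; unknown users look like bad passwords."""
        now = self.clock()
        count, locked_until = self.failures.get(name, (0, 0))
        if now < locked_until:
            return "locked"
        record = self.users.get(name)
        if record is None:
            hash_password(password)  # burn comparable time; do not reveal absence
            ok = False
        else:
            salt, digest = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, digest)
        if ok:
            self.failures.pop(name, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[name] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[name] = (count, 0)
        return "failed"


def credential_stuffing(store, pairs):
    """Replay leaked username/password pairs and collect each outcome."""
    return [store.login(user, pw) for user, pw in pairs]


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    # Constructed 'leaked' pairs; the last one is correct but arrives too late.
    leaked = [("alice", p) for p in ("hunter2", "letmein", "qwerty123",
                                     "alice2017", "Summer2017!",
                                     "correct horse battery staple")]
    print(credential_stuffing(store, leaked))
```

The last replayed pair is the real password, but by then the account is locked, which is exactly the property credential stuffing relies on being absent. The injectable clock lets the lockout expiry be exercised without sleeping.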