Learnitweb

Author: Editorial Team

  • A09:2021 – Security Logging and Monitoring Failures

    1. Overview Security Logging and Monitoring Failures occur when applications and systems do not log security-relevant events or fail to monitor them effectively. This weakness can delay or prevent the detection of attacks, allowing attackers to exploit vulnerabilities, steal sensitive data, or disrupt systems without being noticed. 2. Description This category is to help detect,…

  • A08:2021 – Software and Data Integrity Failures

    1. Overview Software and Data Integrity Failures occur when applications fail to verify the integrity of software updates, critical data, or code libraries. This category highlights vulnerabilities introduced by using untrusted sources or insufficient mechanisms to ensure that data or software has not been tampered with. Such failures can lead to supply chain attacks, data…

  • A07:2021 – Identification and Authentication Failures

    1. Overview Identification and Authentication Failures occur when mechanisms designed to verify the identity of users are improperly implemented, bypassed, or vulnerable to attacks. These vulnerabilities can lead to unauthorized access, impersonation, or account compromise. Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication…

  • A06:2021 – Vulnerable and Outdated Components

    1. Overview The Vulnerable and Outdated Components category highlights risks associated with using software components, libraries, frameworks, or dependencies with known vulnerabilities or outdated versions. Modern applications often rely heavily on third-party components, which, if not properly managed, can expose systems to serious security risks. 2. Description You are likely vulnerable: 3. How to Prevent…

  • A05:2021 – Security Misconfiguration

    1. Overview Security Misconfiguration refers to improperly configured systems, services, or applications that leave systems vulnerable to attacks. It is one of the most common and often overlooked vulnerabilities in application security. Misconfigurations can occur at any layer of the application stack, including network, web server, database, API, or application frameworks. These errors are typically…

  • A04:2021 – Insecure Design

    1. Overview A new category for 2021 focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. As a community we need to move beyond “shift-left” in the coding space to pre-code activities that are critical for the principles of Secure…

  • A03:2021 – Injection

    1. Overview Injection vulnerabilities occur when an attacker sends malicious input into an application, causing it to execute unintended commands or access unauthorized data. This type of vulnerability is one of the most severe and prevalent in web applications and other software systems. Injection attacks exploit the application’s failure to properly validate or sanitize user…
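The failure the overview describes, shown as a runnable added example (not code from the Learnitweb article): a login query built by string formatting beside the same query using bound parameters. The table, the user record, the function names and the attack strings are all constructed for this illustration; the only real API is Python's standard `sqlite3` module.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user row (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input straight into SQL: the input becomes part of the
    query grammar, so a quote plus a comment marker rewrites the WHERE clause."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Sends the query text and the values separately; the driver binds the values
    as data, so the same attack strings are just a username nobody has."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two constructed payloads. Both close the string literal and comment out the
# password check ("--" starts a comment in SQLite); the second also forces the
# WHERE clause to be true for every row.
PAYLOAD_COMMENT = "alice' --"
PAYLOAD_TAUTOLOGY = "' OR 1=1 --"


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, "wrong"),
        "attack_parameterized": login_parameterized(conn, PAYLOAD_COMMENT, "wrong"),
        "tautology_parameterized": login_parameterized(conn, PAYLOAD_TAUTOLOGY, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the comparison makes is that escaping or "sanitizing" the quote character is the fragile fix; parameter binding removes the problem class because the database never parses user-supplied bytes as SQL.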

  • A02:2021 – Cryptographic Failures

    1. Overview A02:2021 – Cryptographic Failures is one of the security risks identified in the OWASP Top 10 for 2021. It highlights vulnerabilities caused by improper implementation, use, or management of cryptographic systems in applications. Cryptographic failures occur when sensitive data is inadequately protected. This category was previously called “Sensitive Data Exposure” but was renamed…

  • Handling time zones in distributed systems

    1. Introduction Managing dates and times in applications is a frequent but complex challenge that demands careful design and implementation to ensure accuracy. This complexity increases when applications cater to users worldwide, each operating in different time zones. Additionally, many countries—or even specific regions within them—observe Daylight Saving Time (DST), adding another layer of intricacy…
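The two DST pitfalls the introduction alludes to, as an added example that is not part of the Learnitweb article: a wall-clock time that occurs twice when clocks fall back, and "one calendar day later" differing from "24 hours later" when clocks spring forward. It uses only the standard `datetime` and `zoneinfo` modules (Python 3.9+); the zone, the dates and the helper names are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumed zone for the illustration; any zone that observes DST would do.
NY = ZoneInfo("America/New_York")


def to_utc(local_dt):
    """Normalize an aware local datetime to UTC, the form worth storing and
    exchanging between services. Refuse naive values instead of guessing."""
    if local_dt.tzinfo is None:
        raise ValueError("naive datetime: attach a zone before converting")
    return local_dt.astimezone(timezone.utc)


def wall_clock(year, month, day, hour, minute, zone, fold=0):
    """Build a local wall-clock time. When that wall time occurs twice (fall back),
    fold=0 selects the first occurrence and fold=1 the second."""
    return datetime(year, month, day, hour, minute, tzinfo=zone, fold=fold)


def utc_offset_hours(dt):
    return dt.utcoffset().total_seconds() / 3600


def next_calendar_day(local_dt):
    """Same wall time tomorrow: aware-datetime arithmetic keeps the wall clock and
    recomputes the offset, so this may be 23 or 25 elapsed hours."""
    return local_dt + timedelta(days=1)


def plus_24_hours(local_dt):
    """Exactly 24 elapsed hours: do the arithmetic in UTC, then convert back."""
    return (local_dt.astimezone(timezone.utc) + timedelta(hours=24)).astimezone(local_dt.tzinfo)


def demo():
    # 2023-11-05 01:30 in New York happens twice: first in EDT (UTC-4), then in EST (UTC-5).
    first = wall_clock(2023, 11, 5, 1, 30, NY, fold=0)
    second = wall_clock(2023, 11, 5, 1, 30, NY, fold=1)

    # 2023-03-11 12:00 EST; clocks spring forward the following morning.
    before_spring = wall_clock(2023, 3, 11, 12, 0, NY)

    return {
        "ambiguous_first_offset": utc_offset_hours(first),
        "ambiguous_second_offset": utc_offset_hours(second),
        "ambiguous_first_utc": to_utc(first).isoformat(),
        "ambiguous_second_utc": to_utc(second).isoformat(),
        "calendar_day_hour": next_calendar_day(before_spring).hour,
        "elapsed_24h_hour": plus_24_hours(before_spring).hour,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the UTC instant (or the instant plus the user's zone name, never just a bare offset) is what keeps audit trails and cross-service timestamps comparable; the `fold` flag is the only way to say which of two identical local times a user or log line meant.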

  • A01:2021 – Broken Access Control

    1. What is access control? Access control is a security mechanism that regulates and restricts who or what can view, access, or modify resources in a system or application. Its primary purpose is to ensure that only authorized users or entities have access to specific resources, while unauthorized access is prevented. Access control is a…