Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Wednesday, November 18, 2009

New OWASP Top 10 RC places injection at the top of the list

The Open Web Application Security Project (OWASP) has published the first release candidate for their "Top Ten Most Critical Application Security Risks," which will supercede the previous version published in 2007. The OWASP Project team made an explicit shift to focusing on risks instead of vulnerabilities that were the focus of previous Top Ten lists, in order to call attention to risks that were likely to have the greatest impact on organizations. As described in a summary presentation separate from the RC file itself, for 2010 "Injection" takes the top position on the list, while "Cross-Site Scripting" drops to the second place from its first position in 2007 (on an interesting side note, the "Unvalidated Input" vulnerability which topped the first OWASP Top Ten list in 2004 is no longer among the issues addressed). Most of the 2007 vulnerabilities remain in some form on the 2010 risk list, with new additions for "Unvalidated Redirects and Forwards" and the re-appearance of "Security Configuration," which was absent from the 2007 list but was part of the 2004 list as "Insecure Configuration Management."

The focus on injection (not just SQL injection, but any interpreter that can be made to execute commands inserted in the data submitted to the application) is a combination of the large number of applications that are still vulnerable to this attack and the severe impact that can result from an exploitation of injection vulnerabilities. The primary mitigation for this problem boils down to input validation, whether by restricting input to stored procedures or encoding input before it is sent to the command interpreter; these are not technical complicated measures, so the prevalence of injection vulnerabilities defies easy explanation.

At first glance, the most surprising deprecation from the 2007 list may be"Information Leakage and Improper Error Handling," given the current market emphasis on data loss prevention, but this vulnerability refers to situations where systems or applications divulge too much information about their configuration, operational characteristics, or other aspects of the application that might yield details that attackers would find useful in compromising the system. What has been brought forward from previous iterations of the Top Ten list is detailed descriptions of the ways the risks are manifested and how the underlying vulnerabilities may be exploited, as well as prescriptive guidance on ways to mitigate each risk, including design-level proactive actions where applicable.

No comments:

Post a Comment