Broken Access Control is top of the OWASP Top 10 2021 list

Get a free Techzine subscription!

OWASP Top 10’s list for 2021 showed that all the highest-priority vulnerabilities have shifted and new ones have come up, since 2017. Broken Access Control took the top spot as the number one vulnerability. In a previous report, it has been in fifth place.

The 34 Common Weakness Enumerations mapped to Broken Access Control showed more occurrences in applications than any other category in the OWASP Top 10 2021.

Cryptographic Failures (known as Sensitive Data Exposure in previous reports) moved up to the second place from third place. The focus is on failures related to cryptography, that lead to sensitive data exposure or a system breach.

Credit: OWASP

Other vulnerabilities

Injection is now third, with cross-site scripting included as part of the category. New categories of vulnerabilities detailed this year include Data Integrity Failures, Server-Side Request Forgery, Software, and Insecure Design.

The latest edition of the OWASP Top 10 relies more on data than before, with eight of the ten categories gleaned off of contributed data and two categories from a high-level industry survey.

The previous efforts relied on a prescribed subset of approximately 30 CWEs with a field asking for additional findings. Organizations rarely added other information.

A new way of collecting data

The new version informing the report started by opening up the categories and asked for data, without restrictions on CWEs. It asked for the number of apps tested since 2017 and the number of apps with at least one instance of a CWE detected in testing.

The format allowed OWASP creators to track how prevalent each CWE is within the app population.

The vulnerabilities are ranked as follows:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery