Application vulnerabilities: Important lessons from the OWASP top 10 about application security risks

Application vulnerabilities are an inevitable byproduct of modern software development, but the OWASP Top 10 provides important lessons for mitigating application security risks.

In today’s complex multicloud environments, ensuring that your cloud applications are protected and secure is critical. Application vulnerabilities are an inevitable byproduct of the growth of agile development techniques and can be tricky to spot and address. While these vulnerabilities aren’t anything new, the modular and distributed nature of modern software development introduces a new potential for application security risks. As a result, web app attacks are the fastest-growing attack vector according to a recent data breach investigations report.

The advent of microservices and serverless computing means that cloud-based applications may consist of thousands of containerized services. It is nearly impossible for teams to gain full-scope, comprehensive visibility into environments that are so complex. However, with DevSecOps automation, teams can integrate AIOps, risk prioritization, and runtime context throughout all stages of the software development lifecycle (SDLC).

To start with automated detection and resolution, it helps to understand the most common application vulnerabilities and how to prioritize and prevent them. For that, we turn to the OWASP Top 10.

The OWASP Top 10 application vulnerabilities and how to prevent them

The Open Web Application Security Project (OWASP) is a non-profit global community that promotes application security across the web. Here are some lessons we learned about the most important vulnerabilities in the OWASP’s latest list of the top 10 application vulnerabilities.

1. Broken access controls

Broken access controls are when access is unintentionally provided to pages or sections of a website that should be secured. For this situation, teams should adopt a least-privileged approach. This method involves providing the lowest level of access by default, deleting inactive accounts, and auditing server activity.

2. Cryptographic failures

Cryptographic failures are when data is transmitted in plain text, uses outdated or insecure cryptographic algorithms, or is protected by default or weak cryptographic keys. For these, it’s important to turn off auto-completing forms, encrypt data both in transit and at rest with up-to-date encryption techniques, and disable caching on data collection forms.

3. Injection

A query or command that inserts untrusted data into the interpreter, causing it to generate unintended commands or expose data. For this, best practices would be to segregate commands from data, use parameterized SQL queries, and eliminate the interpreter by using a safe application program interface, if possible. Implement runtime application protection capabilities that continuously detect and block common application attacks such as SQL injections and command injections.

4. Insecure design

This broad category refers to fundamental design flaws in the application caused by a failure to implement necessary security controls during the design stage. Use a safe development life cycle with secure design patterns and components. Apply threat modeling and plausibility checks. List use and misuse cases at each tier of the application. Extend observability to pre-production environments to catch vulnerabilities early on.

5. Security misconfiguration

Security misconfiguration covers the basic security checks every software development process should include. For example, ensuring software stacks don’t use default accounts or passwords, error handling doesn’t reveal sensitive information, and application server frameworks use secure settings. To avoid these problems, set up automated DevSecOps release validation and security gates so that no insecure code progresses to production.

6. Vulnerable and outdated components

This is another broad category that covers libraries, frameworks, and open source components with known vulnerabilities that may not have been patched. Continuously monitor applications in runtime for known vulnerabilities and prioritize patching based on criticality: for example, adjacency to the internet and/or critical data.

7. Identification and authentication failures

Unauthorized users can access a system because of weak security or session management functions. Finding a platform that provides a holistic observability approach to application security and vulnerability management is critical. It’s important to implement multifactor authentication (MFA), monitor the availability of the MFA service, use strong passwords, avoid using default credentials, and monitor failed login attempts.

8. Software and data integrity failures

Integrity failures are a growing application security risk in continuous integration/continuous delivery (CI/CD) environments where plug-ins, libraries, or modules from untrusted sources or that contain vulnerable code can unintentionally enter the pipeline. Use trusted repositories and apply adequate segregation and access control to the CI/CD pipeline. Continuously monitor environments for vulnerabilities in runtime. Finally, determine countermeasures and remediation through deep vulnerability analysis.

9. Security logging and monitoring failures

Attackers often lurk inside compromised systems for weeks or months. Failure to monitor for unusual activity can permit wide latitude for intruders to do damage and steal data. Use logging and audit software to continuously monitor for suspicious activities and unauthorized access attempts. In addition, analyze data from a unified observability view that provides contextualized application security analytics.

10. Server-side request forgery (SSRF)

An attacker forces a server-side application to send HTTP requests that trigger forged requests sent to unexpected locations. Although not a common attack currently, SSRF is a serious potential vulnerability. Implement input validation, only accept requests in IPv4 or IPv6 format, and validate incoming domain names. Implement runtime application protection capabilities that will continuously detect and block common SSRF attacks.

How to prioritize application vulnerabilities

Scanning is the most common first step for prioritizing vulnerabilities for remediation. However, scans often turn up far more vulnerabilities than a security team can address. The standard Common Vulnerability Scoring System is a good starting point for prioritization. This system typically scores results, accounting for the type of attack, complexity, and level of access.

Additionally, prioritization must also take exploitability and business impact into account. Often, the CVSS score on its own does not help prioritize as it is designed to score the worst-case scenario and assumes the vulnerability is exploitable. Many times, a “severe” vulnerability is part of a code library that is never executed or is difficult to exploit as it is not adjacent to the internet. Additionally, the impact of exploiting the vulnerability may not be severe if it is in a part of the application that can’t access sensitive data.

Making open source safe from application security risks

Open source now makes up about 70% of modern applications, and there are thousands of known vulnerabilities in open-source code. Numerous organizations offer databases of these weaknesses, such as the Snyk Intel Vulnerability Database. The OWASP also has an extensive list of free tools for open source vulnerability detection.

In response to the growing number of potential flaws, leading monitoring and observability platforms now use artificial intelligence (AI) to detect and prioritize them using factors such as the level of risk, whether the software is in runtime use, potential internet exposure, and whether the vulnerability could compromise sensitive data.

Dynatrace Application Security automates detection and remediation of critical application vulnerabilities

Vulnerability detection and remediation can be a complicated process, especially as organizations adopt multi-cloud environments. DevSecOps teams should emphasize proactive vulnerability management and automate vulnerability detection and prioritization to the greatest extent possible to ensure quick and accurate remediation. Automation, specifically automation with AI for all these capabilities, can be very beneficial to prioritize risk based on runtime context.

Using Dynatrace Davis AI, DevSecOps teams can distinguish real vulnerabilities from potential ones and prioritize affected applications based on the severity of the exposure. Automated security monitoring with Dynatrace Application Security covers traditional hosts, cloud workloads across multiple public and private clouds, and containers. Dynatrace OneAgent proactively alerts teams when it discovers vulnerabilities and uses the Smartscape topology map to display any affected dependencies. Dynatrace Application Security combines runtime vulnerability analysis and runtime application protection to deliver a comprehensive solution for your teams. The platform allows development, security, and operations teams to build a strong DevSecOps culture, including application security along with software development agility and speed.