The insanity of software testing – 5 of OWASP’s top vulnerabilities explained

Analysts find the majority of applications still have at least one OWASP Top 10 vulnerability when onboarded

Test automation is a subject that is close to all our hearts. And for good reason. By infusing software with vulnerability assessment capabilities, agents can continuously analyze code in real-time, not just at the end of the DevOps process. This means that flaws can be automatically identified before they have the opportunity to strike. Doing so is eye-opening. When we did it across thousands of real-world applications recently, some seven-in-ten (71%) of them were found to have at least one of the OWASP Top Ten most rampant vulnerabilities embedded.

Whilst this number is worryingly high, it does show that some progress is being made. When the same research was conducted just two years ago, four-in-five (80%) of applications had at least one of these vulnerabilities. This drop surely reflects the growing focus on security across organizations of all sizes worldwide and highlights the shift to teams embedding security across the entire software development lifecycle, starting within the application teams themselves. However, it also highlights the continued need to improve the way testing is automated, to ensure these vulnerabilities don’t slip through the net.

In our testing, the five most frequently found vulnerabilities from the OWASP Top 10 were:

Sensitive Data Exposure – affecting 65% of applications

The top vulnerability in 2017 remains the most rampant in 2019. The importance of encrypting both web traffic and sensitive data at rest cannot be overstated. This category covers flaws that put sensitive data at risk of being exposed or stolen, and the potential impact of an attacker accessing that information is massive. Development teams should focus on a unified strategy to identify sensitive data and encrypt it wherever it goes.

Security Misconfiguration – affecting 36% of applications

Security Misconfiguration happens when the security controls for an application are not implemented or configured correctly. It can occur at any level of the application stack, including the platform, web server, application server, database, framework, and custom code. It currently affects the same proportion of applications as it did in 2017.
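Because misconfiguration can sit at any layer, a useful habit is to audit the exported settings of every layer with one set of rules rather than checking each product in isolation. The following is an added example, not code from the article or from Contrast Security; the configuration dictionaries, section names and rule thresholds are constructed for illustration, and the weak values are typical defaults rather than settings taken from any particular product.

```python
"""Security Misconfiguration: audit settings at several layers of the stack
(constructed example; the layer/key names are assumptions, not a real product's schema)."""

# Constructed: a deployment description with one section per stack layer.
WEAK_CONFIG = {
    "web_server": {"tls_min_version": "1.0", "directory_listing": True,
                   "server_header": "ExampleHTTPd/2.4 (constructed)"},
    "app_server": {"debug": True, "show_stack_traces": True},
    "database": {"bind_address": "0.0.0.0", "password": "admin"},
    "framework": {"session_cookie_secure": False, "session_cookie_httponly": False},
}

HARDENED_CONFIG = {
    "web_server": {"tls_min_version": "1.2", "directory_listing": False, "server_header": ""},
    "app_server": {"debug": False, "show_stack_traces": False},
    "database": {"bind_address": "127.0.0.1", "password": "constructed-long-random-secret-42"},
    "framework": {"session_cookie_secure": True, "session_cookie_httponly": True},
}

# Constructed list of well-known default credentials; a real audit would use a fuller list.
DEFAULT_PASSWORDS = {"", "admin", "password", "root", "changeme"}


def _tls_version(value) -> tuple:
    """Parse '1.2' -> (1, 2); anything unparsable is treated as 0, i.e. insecure."""
    try:
        return tuple(int(part) for part in str(value).split("."))
    except ValueError:
        return (0,)


# Each rule: (layer, finding text, predicate over that layer's section).
# A missing key is treated as "not set", which for most rules is the unsafe state.
RULES = [
    ("web_server", "TLS minimum version below 1.2",
     lambda s: _tls_version(s.get("tls_min_version", "0")) < (1, 2)),
    ("web_server", "directory listing enabled",
     lambda s: s.get("directory_listing") is True),
    ("web_server", "Server header discloses software version",
     lambda s: bool(s.get("server_header"))),
    ("app_server", "debug mode enabled",
     lambda s: s.get("debug") is True),
    ("app_server", "stack traces shown to clients",
     lambda s: s.get("show_stack_traces") is True),
    ("database", "listening on all interfaces",
     lambda s: s.get("bind_address") in ("0.0.0.0", "::")),
    ("database", "default or weak password",
     lambda s: s.get("password", "") in DEFAULT_PASSWORDS or len(s.get("password", "")) < 12),
    ("framework", "session cookie missing Secure flag",
     lambda s: s.get("session_cookie_secure") is not True),
    ("framework", "session cookie missing HttpOnly flag",
     lambda s: s.get("session_cookie_httponly") is not True),
]


def audit_config(cfg: dict) -> list[str]:
    """Return one finding string per rule that fires, across all layers."""
    findings = []
    for layer, message, is_bad in RULES:
        if is_bad(cfg.get(layer, {})):
            findings.append(f"{layer}: {message}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Running the audit in a CI step, rather than once at go-live, is what turns this into the continuous check the article argues for; an empty configuration section is reported as unsafe deliberately, so a renamed or forgotten setting cannot silently pass.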

Broken Authentication – affecting 33% of applications

In 2017, this vulnerability affected 41% of applications. Because most identity and access controls are poorly designed and implemented, broken authentication remains widespread.

Injection – affecting 25% of applications

Injection vulnerabilities allow malicious input into an application. They account for four of the ten most prevalent attack types: OGNL, Expression Language, command, and SQL injection. During an injection attack, untrusted input or unauthorized code is “injected” into a program and then interpreted as part of a query or command.
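The mechanism is easiest to see with SQL: when the input is pasted into the query text, the database parser cannot tell where the developer’s command ends and the user’s data begins; when the input is bound as a parameter, it is only ever treated as a value. The following is an added example, not code from the article or from Contrast Security; it uses Python’s built-in sqlite3 module with a constructed in-memory user table, and the payload string is the textbook tautology used to show the difference.

```python
"""Injection: untrusted input interpreted as part of a query (constructed example)."""
import sqlite3

# Constructed sample rows standing in for a real user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is pasted into the SQL text, so the database
    parser treats whatever it contains as part of the command."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the query text is fixed and the input travels as a bound
    parameter, which the database only ever treats as a value to compare."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with a tautology payload and
    return how many rows each call yielded."""
    conn = make_db()
    # Constructed payload: closes the quoted value and appends an always-true clause.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(find_user_vulnerable(conn, "alice")),
        "vulnerable_payload": len(find_user_vulnerable(conn, tautology)),
        "safe_benign": len(find_user_safe(conn, "alice")),
        "safe_payload": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The vulnerable lookup returns every row for the payload, because the WHERE clause has become `name = 'x' OR '1'='1'`; the parameterised lookup returns none, because it is looking for a user literally named `x' OR '1'='1`. The same separation of code from data is the fix for the other injection types the article lists: commands are run with an argument list rather than a shell string, and expression-language or OGNL evaluation is never fed user-controlled templates.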

Broken Access Control – affecting 18% of applications

Broken Access Control combines two categories from the 2013 OWASP Top 10: Insecure Direct Object References and Missing Function Level Access Control. Together, they represent flaws and gaps that allow an attacker to act as a user or administrator of the application.
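The two halves of this category correspond to two missing server-side checks: an object-level check (does this caller own the record whose id came in the request?) and a function-level check (is this caller allowed to invoke this operation at all?). The following is an added example, not code from the article or from Contrast Security; the users, roles and invoice store are constructed, and the decorator is one way to enforce a role, not a particular framework’s API.

```python
"""Broken Access Control: object-level and function-level checks (constructed example)."""
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" in this example


# Constructed sample data: invoice id -> (owner user id, amount).
SAMPLE_INVOICES = {101: (1, 250.00), 102: (2, 75.50)}


def get_invoice_idor(current_user: User, store: dict, invoice_id: int) -> tuple:
    """Insecure Direct Object Reference: the id taken from the request is looked
    up directly, so any authenticated user can read any invoice."""
    return store[invoice_id]


def get_invoice_checked(current_user: User, store: dict, invoice_id: int) -> tuple:
    """Hardened: the record is returned only if the caller owns it or is an
    admin. The ownership check sits next to the data access, not in the UI."""
    record = store[invoice_id]
    owner_id, _amount = record
    if current_user.user_id != owner_id and current_user.role != "admin":
        raise AccessDenied(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return record


def requires_role(role: str):
    """Function-level access control: the role is enforced on every call, on
    the server, instead of relying on the admin link being hidden in the UI."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role != role:
                raise AccessDenied(f"{fn.__name__} requires role {role!r}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def delete_invoice(current_user: User, store: dict, invoice_id: int) -> bool:
    """Privileged operation, reachable only through the role check above."""
    return store.pop(invoice_id, None) is not None


def _allowed(action) -> bool:
    """Run an action and report whether the access control let it through."""
    try:
        action()
        return True
    except AccessDenied:
        return False


def demo() -> dict:
    """Exercise both flaws and both fixes with constructed users; returns a
    dict of outcomes so the result can be checked rather than only printed."""
    alice, bob, admin = User(1, "user"), User(2, "user"), User(99, "admin")
    store = dict(SAMPLE_INVOICES)
    return {
        # IDOR: bob reads alice's invoice simply by supplying its id
        "idor_cross_user_read": _allowed(lambda: get_invoice_idor(bob, store, 101)),
        "checked_owner_read": _allowed(lambda: get_invoice_checked(alice, store, 101)),
        "checked_cross_user_read": _allowed(lambda: get_invoice_checked(bob, store, 101)),
        "checked_admin_read": _allowed(lambda: get_invoice_checked(admin, store, 101)),
        # function-level check: the user attempt is denied, the admin attempt succeeds
        "delete_as_user": _allowed(lambda: delete_invoice(bob, store, 102)),
        "delete_as_admin": _allowed(lambda: delete_invoice(admin, store, 102)),
    }


if __name__ == "__main__":
    for outcome, allowed in demo().items():
        print(f"{outcome}: {'allowed' if allowed else 'denied'}")
```

The point of putting the checks in the data-access function and the decorator is that every code path that reaches the data goes through them, which is also what makes them straightforward to test automatically: a test that calls the endpoint as the wrong user is a regression test for this whole category.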

To dissect the trends further, we also compared the OWASP top 10 vulnerabilities across two of the most popular web application development languages – Java and .NET. We found, though, that there was minimal movement in these metrics over the last two years.

As the saying goes: the definition of insanity is doing the same thing over and over again and expecting different results. Yet, teams are seemingly not learning their lesson. None of the vulnerabilities above are new. We must, therefore, enable everyone across the software lifecycle to automate testing and perform security testing within their normal workflow. By identifying and reporting results in real-time, accurate results can be provided to everyone, empowering each person responsible for the app to be responsible for its security as well.

By Katharine Watson, Lead Analyst, Contrast Security

Katharine Watson brings a wide range of analyst experience to Contrast Security. She has a history of devouring large data sets to discover knowledge and produce compelling narratives for a wide range of audiences.