OWASP®, the Open Web Application Security Project®, recently updated their list of the Top 10 Web Application Security Risks. An online community led by the OWASP Foundation, the project was established in 2003 to provide developers and security professionals with resources to help improve web application security.
Because virtually every organization today uses web apps, and many publish their own apps for commercial use or for use by customers, internal users or contract workers, the OWASP Top 10 is essential reading for virtually all security and IT professionals.
The Current Top Three
The three risks that currently top the OWASP list are:
- Broken Access Control
- Cryptographic Failures
- Injection
All three of these risks have been present since at least 2017 (“Cryptographic Failures” was previously termed “Sensitive Data Exposure”) but their relative importance has shifted. Today, broken access control is considered the most serious risk, up from fifth place in the earlier version. OWASP lists 34 different “Common Weakness Enumerations (CWEs)” that map to Broken Access Control, and found more occurrences of these CWEs in actual applications than was the case for any other category. Cryptographic Failures have moved up to second place, while Injection dropped from first place to third.
Access Control is considered to be “broken” when app users are able to act outside of their intended permissions. This may occur because an application provides insufficient access control mechanisms or because the mechanisms that are available are poorly implemented by an organization. Examples may include over-privileged user accounts, user access to others’ accounts, or activity that is likely malicious, such as metadata manipulation or use of an attack tool to modify API requests.
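The "user access to others’ accounts" and over-privileged cases above, shown as a missing server-side check next to a deny-by-default version. This is an added example, not code from OWASP or from the original article; the account records, role names and function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical roles: "customer" or "support"


# Constructed sample records: account id -> owner and balance.
ACCOUNTS = {
    101: {"owner_id": 1, "balance": 2500},
    102: {"owner_id": 2, "balance": 90},
}

# Explicit allow-list of actions per role; anything not listed is denied.
ROLE_PERMISSIONS = {
    "customer": {"read_own"},
    "support": {"read_own", "read_any"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


def get_account_broken(session_user: User, account_id: int) -> dict:
    # Broken: the caller is authenticated, but the account id taken from
    # the request is never compared with who the caller is.
    return ACCOUNTS[account_id]


def get_account_checked(session_user: User, account_id: int) -> dict:
    # Deny by default: unknown roles get an empty permission set.
    perms = ROLE_PERMISSIONS.get(session_user.role, set())
    account = ACCOUNTS.get(account_id)
    if account is not None:
        is_owner = account["owner_id"] == session_user.user_id
        if (is_owner and "read_own" in perms) or "read_any" in perms:
            return account
    # Same error for "missing" and "not yours", so the response does not
    # reveal which account ids exist.
    raise Forbidden("no such account or not permitted")
```
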
OWASP’s decision to replace “sensitive data exposure” with “cryptographic failure” is based on the concept that exposure is a symptom of the more basic failure to ensure that data is properly encrypted in transit and at rest. They reason that properly encrypted data will remain unexposed even if it falls into the hands of unauthorized parties due to broken access control or other factors.
Injection flaws allow “untrusted data to be sent to an interpreter as part of a command or query.” This is the classic attack scenario, with injected malware triggering execution of undesired commands or enabling illicit access.
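The quoted definition, made concrete with one interpreter: a SQL engine. This is an added example, not part of the original article; SQLite, the table layout and the sample rows are assumptions chosen so the block runs offline, and the same separation of code from data applies to other interpreters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_email_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the untrusted value becomes part of the query text, so
    # the interpreter cannot tell data from SQL syntax.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_email_param(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the query text is fixed and the value is bound separately,
    # so it is only ever compared as a string.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(untrusted: str) -> tuple:
    # Row counts returned by each variant for the same input.
    conn = make_db()
    try:
        return (
            len(find_email_concat(conn, untrusted)),
            len(find_email_param(conn, untrusted)),
        )
    finally:
        conn.close()
```

With an ordinary name both functions return the same row; with input containing a quote character, only the concatenated query changes meaning.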
Building In, Building On
The OWASP Top 10 describes the security risks that organizations should avoid, or at least aim to minimize, when designing web apps or managing their use. The catch is, of course, that organizations use so many apps, and the apps are so complex and change so rapidly (due to updates, patching, feature additions and so on), that it is virtually impossible for either app developers or app users to ensure full, continuous compliance with the OWASP Top 10. Adding an extra layer of protection on top of all apps is essential to protect the data the apps can access, the servers or clouds where they reside, the networks they’re linked to, and the apps themselves from danger.
For many years, organizations have counted on Web Application Firewalls (WAF) to provide that extra layer of protection. But WAFs are based on a “detect and defend” approach that is simply ineffective against the majority of threats. Recent studies have found that over half of application layer attacks bypass organization WAFs. Many of the “attacks” that WAFs do detect are, in fact, false positives that burden staff without effectively reducing risk. And WAFs certainly cannot protect apps or app data from misuse or over-privileged access by authorized users.
Unmanaged Device/3rd Party Access Risk
As perimeter-based solutions, WAFs are also ineffective against one of the key application access control challenges that businesses face: How to control app access and usage by users who work on unmanaged devices, and protect apps, resources and data from exposure and attack.
For many organizations, 3rd party contractors and/or employees who access corporate apps via unmanaged devices pose a significant security challenge. Once access is authorized, the actions undertaken (lateral movement, data exfiltration, even uploading of malware) are difficult to control. Yet more than ever, organizations are depending on contractors whose work entails use of corporate apps.
Web Application Isolation brings a completely different approach to securing web apps and corporate resources. WAI inverts Remote Browser Isolation (RBI), a technology that is widely used to protect organizations’ endpoints and networks from malicious content on websites. WAI instead uses RBI to create a two-way airgap, in the form of a cloud-based container, between user devices and apps, which may be on-premises, cloud-based, or SaaS apps. In essence, it serves as an additional layer of access control to protect apps and their users, in the event that native app access control is flawed.
Within the cloud-based WAI container, granular, personalized controls are applied to restrict what each user can see and what actions they can take while using each app. Content that a user sees or works with within an app never actually reaches their browser; the data with which they interact is actually rendering data that disappears as soon as they finish using the app, so it cannot be exposed via the browser cache.
Clipboarding controls can be applied to restrict copy/paste and printing from the browser, as well as in-app functions such as file downloads and printing. For users whose policy-based permissions include downloading data from apps, data loss protection (DLP) may be applied to scrub PII and other sensitive information before data downloads.
WAI likewise protects corporate web apps, web sites, data, networks, and clouds from malware on unmanaged user devices. Just as data from apps is airgapped from user devices, no code from a user’s unmanaged device can reach an app accessed via WAI. In fact, since users (or potential hackers) cannot even see website or app source code to probe it for flaws, WAI substantially shrinks the potential attack surface. In short, WAI protects applications from potential injection from malware-infected devices as well as from broken access control — the #1 and #3 risks on the OWASP list.
Significantly for organizations that may contract with 3rd party workers located anywhere, worldwide, WAI is a fully clientless solution. All policies and security controls are applied in the cloud, so there is no need to install software on endpoints or even require use of a dedicated browser. Yet users enjoy full, seamless and interactive use of websites and apps.
Today’s trends (the moves to the cloud, to remote work, to SaaS and to 3rd party work) all point to the need to increase web application security and to protect organizations from risks entailed in app use, particularly by remote users and those working from unmanaged devices. Given the increasingly distributed digital model indicated by these trends, cloud-based solutions are the only answer for securing work today.
For more information on how WAI addresses all of the OWASP Top 10 app security risks, download our “WAI and the OWASP Top Ten” white paper.