Hey – how did you get in here? Number one app security weakness of 2021 was borked access control, says OWASP

The Open Web App Security Project has released its Top Ten list of vulnerabilities in web software, as part of the general movement to make software less painfully insecure at the design stage. Among new entries in the top 10 flaws highlighted by the project are "insecure design", relating to specific design flaws, and " …

  1. Terry 6

    with other common weaknesses...

    So every year they rank a set of flaws that are common and, judging by this, well known. And next year they'll rank them again. So what's the point of this list?

    1. FILE_ID.DIZ

      Re: with other common weaknesses...

      Reinforcement.

      Same reason we still have PSAs about wearing seat belts or drink driving or warnings that hot coffee is hot.

    2. Sgt_Oddball

      Re: with other common weaknesses...

      It's also good to keep track of new threats as they occur. Whilst for the most part there's not that much that changes year on year, as time goes on things do change.

      Even this year's list has 3 new listings. These are worth paying attention to, because arrogance that you're secured against last year's list does not mean you're covered for this year's too.

      Remember, those seeking to do bad things have to be right once. It's a dev's responsibility to never let them be right (it's also on management to ensure that checks and balances are in place and occur regularly, as no dev should be an island).

    3. TaabuTheCat

      Re: with other common weaknesses...

      Because as the article noted, some orgs believe if they just follow this list (or the CIS Top 20, or Bob's Security 100 for Dummies), they've done their part. Truly a curse indeed when used this way. But it's *something*, and maybe at least gets people thinking a bit and addressing the low-hanging fruit. But as noted, it's reactionary, and that's never a good place to be in InfoSec.

      1. Loyal Commenter

        Re: with other common weaknesses...

        It's not necessarily reactionary [sic]. Any org that is serious about securing software will at least have made sure their devs have ticked off this list before handing over their software to external pen testers, prior to releasing it. That's a proactive approach, not a reactive one. You can't expect devs to be security experts, but OWASP does give them useful pointers, and thus instructions, in what to do to make software moderately secure against common threats.

        Security is hard, and a proper approach is multi-layered. Just because one layer doesn't catch everything doesn't make it a futile effort. If that were the case, you'd not have a front door on your house, on the grounds that a determined enough attacker could kick it down with enough effort.

  2. ItWasn'tMe

    Needs to be announced to music

    https://youtu.be/bY85ET2gXGQ

    Not sure if you left pondians have an equivalent tune?

    1. Thomas Steven 1

      Re: Needs to be announced to music

      I'd personally go with https://www.youtube.com/watch?v=jHPOzQzk9Qo
