Next Steps – The #11 Web Application Security Risk

Web application security is an ever-evolving challenge. Awareness of OWASP's Top 10 web application security risks is essential, but new threats keep emerging and developers need to stay on top of them. In the "Next Steps" section of the 2021 list (A11:2021), OWASP highlights three further categories that did not make the Top 10 on the data but still deserve attention: code quality issues, denial of service attacks, and memory management errors.

Code Quality Concerns

Flaws in how code is written can introduce vulnerabilities quite apart from the well-known risks like injection. The code quality issues OWASP calls out include:

  • Type conversion errors, where a value is interpreted differently in the context it is used in than in the one it was validated in (for example, a signed integer that passes a bounds check and then becomes a huge unsigned size)

  • Exposure of sensitive information through debug logs and other development leftovers

  • Time-of-check to time-of-use (TOCTOU) race conditions, where what was validated can change before it is actually used

These flaws can lurk in code for a long time. Static and dynamic analysis tools, run from the IDE and in CI/CD pipelines, detect many of them early. Security audits and disciplined handling of data and user input also help avoid surprises down the road.
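The following is an added example, not code from the OWASP page, showing two of the flaw classes listed above in C with the weak pattern beside its hardened form: a numeric conversion error (a length parsed as a signed int passes a "less than maximum" check and then becomes enormous as a size_t) and a TOCTOU race (stat() then open() on a path versus open() then fstat() on the descriptor actually held). All names (payload_len_weak, payload_len_safe, open_weak, open_safe, MAX_PAYLOAD, demo_symlink_bypass) are this example's own; it assumes a POSIX system and writes a scratch directory under /tmp for the demo.

```c
/* Added example; not code from the OWASP page. Two code-quality flaw classes,
 * each as the weak pattern beside a hardened one:
 *   1. numeric conversion error: a signed length passes "< MAX" and then is
 *      used as an unsigned size_t;
 *   2. TOCTOU race: stat()-then-open() on a path vs open()-then-fstat() on
 *      the descriptor you actually hold.
 * All names are this example's own. POSIX only; the demo uses /tmp. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_PAYLOAD 4096

/* Weak: "-1" satisfies len < MAX_PAYLOAD, but the cast to size_t that a
 * memcpy or malloc would apply turns it into SIZE_MAX. Returns the byte count
 * the copy would use; nothing is copied, so the bug can be inspected safely. */
size_t payload_len_weak(const char *untrusted_len)
{
    int len = atoi(untrusted_len);      /* signed, no error reporting */
    if (len < MAX_PAYLOAD)              /* negative values pass this check */
        return (size_t)len;             /* -1 -> 18446744073709551615 on 64-bit */
    return 0;
}

/* Hardened: accept only plain decimal digits, parse as unsigned with errno
 * checking, and bound-check in the same type the buffer is sized in. */
bool payload_len_safe(const char *untrusted_len, size_t *out)
{
    if (untrusted_len == NULL || !isdigit((unsigned char)untrusted_len[0]))
        return false;                   /* rejects "", "-1", " 12", "+5" */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(untrusted_len, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;                   /* out of range or trailing junk */
    if (v > MAX_PAYLOAD)
        return false;
    *out = (size_t)v;
    return true;
}

/* Weak: the check and the use both name the path. Between the two calls the
 * directory owner can swap the file for a symlink, so open() may reach a
 * different object than the one stat() approved. */
int open_weak(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened: open first, refusing a symlink at the final component, then
 * check the descriptor. What fd refers to cannot change underneath us. */
int open_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo: a regular file plus a symlink to it. stat() follows the link, so the
 * weak open accepts it; O_NOFOLLOW makes the safe open refuse it. Returns
 * true when exactly that happens. */
bool demo_symlink_bypass(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return false;
    char file[256], link[256];
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/alias", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return false;
    close(fd);
    if (symlink(file, link) != 0)
        return false;
    int weak = open_weak(link);
    int safe = open_safe(link);
    bool result = weak >= 0 && safe < 0;
    if (weak >= 0) close(weak);
    if (safe >= 0) close(safe);
    unlink(link); unlink(file); rmdir(dir);
    return result;
}

int main(void)
{
    size_t n = 0;
    printf("weak \"-1\" -> %zu bytes\n", payload_len_weak("-1"));
    printf("safe \"-1\" -> %s\n", payload_len_safe("-1", &n) ? "ok" : "rejected");
    printf("symlink bypass shown: %s\n", demo_symlink_bypass() ? "yes" : "no");
    return 0;
}
```

The point of both hardened forms is the same: validate in the type and on the object that will actually be used. A bounds check on an int says nothing about the size_t the allocator sees, and a check on a path says nothing about the file an open() a few microseconds later returns.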

OWASP's factor data for Code Quality issues (A11:2021 – Next Steps):

  CWEs Mapped: 38
  Max Incidence Rate: 49.46%
  Avg Incidence Rate: 2.22%
  Avg Weighted Exploit: 7.16
  Avg Weighted Impact: 6.76
  Max Coverage: 60.85%
  Avg Coverage: 23.42%
  Total Occurrences: 101736
  Total CVEs: 7564


Denial of Service Dangers

Denial of service (DoS) attacks aim to make an application unusable for legitimate users by exhausting its resources or crashing it. DoS weaknesses are often introduced unintentionally through design: an application that lets unauthenticated users upload, download or transform files in ways that consume excessive disk space, memory or CPU is an easy target, because each cheap request costs the server far more than it costs the attacker.

OWASP advises performance testing for CPU, I/O and memory use early in development rather than after launch. Designing for scale, with caching, rate limiting and efficiency work on the hot paths, makes applications more resilient under stress. OWASP's Denial of Service Cheat Sheet has further defensive recommendations.
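As an added example of the rate-limiting control mentioned above (not code from the OWASP page or its cheat sheet), here is a per-client token bucket in C. It is kept in a fixed-size table so that spoofed client ids cannot make the limiter itself grow without bound, and it takes the clock from the caller so its behaviour is deterministic and testable. All names (rl_table, rl_allow, MAX_CLIENTS, BUCKET_CAPACITY, REFILL_PER_SEC, the demo functions) and the RFC 5737 sample addresses are this example's own.

```c
/* Added example; not code from the OWASP page or its cheat sheet. A
 * per-client token bucket in a fixed-size table, with a caller-supplied
 * clock. All names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS     64      /* hard cap on tracked clients: bounded memory */
#define BUCKET_CAPACITY 5.0     /* burst a client may spend at once */
#define REFILL_PER_SEC  1.0     /* sustained requests per second per client */

struct rl_bucket {
    char   client[64];          /* client IP, API key id, or similar */
    double tokens;
    double last_refill;         /* caller's monotonic clock, in seconds */
    bool   in_use;
};

struct rl_table {
    struct rl_bucket b[MAX_CLIENTS];
};

/* Find the client's bucket, else take a free slot, else evict the least
 * recently seen client. A new client starts with a full bucket. */
static struct rl_bucket *rl_lookup(struct rl_table *t, const char *client, double now)
{
    struct rl_bucket *victim = &t->b[0];
    for (size_t i = 0; i < MAX_CLIENTS; i++) {
        struct rl_bucket *bk = &t->b[i];
        if (bk->in_use && strcmp(bk->client, client) == 0)
            return bk;
        if (!bk->in_use) {
            if (victim->in_use)
                victim = bk;    /* prefer an empty slot */
        } else if (victim->in_use && bk->last_refill < victim->last_refill) {
            victim = bk;        /* otherwise the stalest entry */
        }
    }
    memset(victim, 0, sizeof *victim);
    snprintf(victim->client, sizeof victim->client, "%s", client);
    victim->tokens = BUCKET_CAPACITY;
    victim->last_refill = now;
    victim->in_use = true;
    return victim;
}

/* One token per request. Returns true if the request should be served,
 * false if the caller should answer 429 before doing any further work. */
bool rl_allow(struct rl_table *t, const char *client, double now)
{
    struct rl_bucket *bk = rl_lookup(t, client, now);
    double elapsed = now - bk->last_refill;
    if (elapsed > 0) {
        bk->tokens += elapsed * REFILL_PER_SEC;
        if (bk->tokens > BUCKET_CAPACITY)
            bk->tokens = BUCKET_CAPACITY;
        bk->last_refill = now;
    }
    if (bk->tokens >= 1.0) {
        bk->tokens -= 1.0;
        return true;
    }
    return false;
}

/* Scenario 1 (constructed): eight back-to-back requests at the same instant;
 * only the burst capacity (5) is admitted. Returns the admitted count. */
int rl_demo_burst(void)
{
    struct rl_table t;
    memset(&t, 0, sizeof t);
    int admitted = 0;
    for (int i = 0; i < 8; i++)
        if (rl_allow(&t, "203.0.113.7", 100.0))
            admitted++;
    return admitted;
}

/* Scenario 2 (constructed): a drained client gets nothing after half a
 * second, one request after a full second, and a second client is
 * unaffected throughout. */
bool rl_demo_refill(void)
{
    struct rl_table t;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < 5; i++)
        rl_allow(&t, "203.0.113.7", 100.0);        /* drain the bucket */
    bool other_ok    = rl_allow(&t, "198.51.100.9", 100.0);
    bool half_sec    = rl_allow(&t, "203.0.113.7", 100.5);  /* 0.5 token: no */
    bool full_sec    = rl_allow(&t, "203.0.113.7", 101.0);  /* 1.0 token: yes */
    bool right_after = rl_allow(&t, "203.0.113.7", 101.0);  /* spent: no */
    return other_ok && !half_sec && full_sec && !right_after;
}

int main(void)
{
    printf("burst of 8 -> %d admitted\n", rl_demo_burst());
    printf("refill behaves as expected: %s\n", rl_demo_refill() ? "yes" : "no");
    return 0;
}
```

Two design points matter for DoS resistance specifically: the decision is made before any expensive work (parsing, disk, database), and the limiter's own state is bounded, so it cannot be turned into the resource the attacker exhausts. This table is per-process and unsynchronised; in a real deployment the same logic usually sits in the reverse proxy or a shared store so that all workers see one count per client.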

Memory Management Risks

The runtimes, extensions and native libraries beneath higher-level web languages are written in systems languages like C and C++, which come with their own memory management pitfalls. The classic memory-related attack is a buffer overflow: more data is written to a buffer than it can hold, overwriting adjacent memory to crash the application or, with a crafted payload, to take control of it.

For mitigation, OWASP suggests using memory-safe languages such as Rust and Go wherever possible. Native dependencies remain in scope even then, so thorough testing for memory management issues stays imperative, especially in large and complex applications. Enforcing least privilege also limits the blast radius when a memory corruption bug is exploited.
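The overflow described above, as an added example in C (not code from the OWASP page): an unbounded copy spills past a fixed buffer into the field that follows it, flipping a privilege flag, beside a bounded copy that measures first and refuses input that does not fit. The struct, field names and input are this example's own. The weak copy is undefined behaviour in C and is here only to make the overwrite visible.

```c
/* Added example; not code from the OWASP page. A buffer overflow that
 * overwrites the field next to the buffer, beside a bounded copy that refuses
 * over-long input instead. The struct, field names and input are this
 * example's own. is_admin is volatile so the compiler must read it back from
 * memory rather than assume it never changed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct session {
    char         name[16];   /* room for 15 characters plus the NUL */
    volatile int is_admin;   /* laid out immediately after name */
};

/* Weak: copies until the NUL with no bound, which is what strcpy() does.
 * Input longer than 15 bytes spills into is_admin. */
void set_name_weak(struct session *s, const char *src)
{
    char *dst = s->name;
    while (*src != '\0')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened: measure first, compare against the buffer's real size, refuse
 * anything that does not fit, then copy an exact byte count. */
bool set_name_safe(struct session *s, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof s->name)
        return false;                /* reject; caller answers with an error */
    memcpy(s->name, src, n + 1);     /* n bytes plus the NUL */
    return true;
}

/* Constructed input, 18 bytes: 16 fill name, then 'A', 'A' and the NUL land
 * inside is_admin. */
static const char LONG_NAME[] = "AAAAAAAAAAAAAAAAAA";

/* Returns is_admin after the unbounded copy: nonzero, so the caller is now
 * "an admin" without ever having been granted it. */
int demo_weak(void)
{
    struct session s = { .name = "", .is_admin = 0 };
    set_name_weak(&s, LONG_NAME);
    return s.is_admin;
}

/* Returns is_admin after the bounded copy, or -1 if the copy was wrongly
 * accepted. Expected: 0, because the input was refused and nothing written. */
int demo_safe(void)
{
    struct session s = { .name = "", .is_admin = 0 };
    if (set_name_safe(&s, LONG_NAME))
        return -1;
    return s.is_admin;
}

int main(void)
{
    printf("weak copy: is_admin = %d\n", demo_weak());
    printf("safe copy: is_admin = %d\n", demo_safe());
    return 0;
}
```

The fix is the bounds check, not a different copy routine: a `strncpy` with the wrong length, or a check done in a signed type, leaves the same hole. Compiler and OS mitigations (stack canaries, non-executable stacks, address space randomisation) raise the cost of turning such a bug into code execution, but they do not remove the overwrite of neighbouring data shown here.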

OWASP's factor data for Memory Management Errors:

  CWEs Mapped: 14
  Max Incidence Rate: 7.03%
  Avg Incidence Rate: 1.16%
  Avg Weighted Exploit: 6.78
  Avg Weighted Impact: 8.15
  Max Coverage: 56.06%
  Avg Coverage: 31.74%
  Total Occurrences: 26576
  Total CVEs: 16184

An Evolving List

The risks above show that even with a solid grasp of the OWASP Top 10, web application security demands ongoing vigilance. Other OWASP projects, such as the Web Security Testing Guide, help teams go beyond the ten risks every developer should already know.
