OWASP Top 10
The OWASP Top 10 is a list of the most common vulnerabilities found in web applications. It provides software development and application delivery guidelines on how to protect against these vulnerabilities. The OWASP Top 10 list is not focused on any specific product or application but recommends generic best practices for DevOps around key areas such as role validation and application security.
Progress® Kemp® LoadMaster contributes to the defense-in-depth approach to information security by providing layered application security. It:
- Is built on an optimized Linux Operating System (OS) with all default ports closed, and all unnecessary services and applications removed. User authentication to the OS is tightly controlled
- Includes built-in IDS/IPS (intrusion detection and protection)
- Allows you to secure and manage your environment with Authentication, Authorization and Accounting for intelligently controlling access to computer resources, enforcing policies, auditing usage and providing information necessary to bill for services
- Provides SSL/TLS support including: Decrypt and Re-Encrypt, Full Certificate Management, OCSP and SNI support, Full Cipher Suite management, and you can apply this to both the data plane and access to the LoadMaster
- Can include a fully featured Web Application Firewall (WAF)
The vulnerabilities identified in the OWASP Top 10 are as follows:
| OWASP VULNERABILITY | EXPLANATION |
|---|---|
| A1. Broken Access Control | Many applications don’t enforce access control on application resources after a user session has been authenticated. This can lead to vulnerabilities due to poor configuration, which can lead to data being exposed to users who shouldn’t get access. Internal application checks and verifications should be used for all access to sensitive data, and not the assumption that an authenticated session is allowed access. |
| A2. Cryptographic Failures | Sensitive data such as financial, healthcare and PII must be protected both in-transit and at rest and can be exposed by encryption errors or lack of encryption. |
| A3. Injection | This is when an attacker sends rogue content to a web application interpreter causing the interpreter to execute authorized commands. They can then run malicious code in the application context and so gain access to sensitive data or protected areas. |
| A4. Insecure Design | This is a new category that covers design and architectural flaws. Solutions include integrating security in all modeling and planning from the start of the software development process. |
| A5. Security Misconfiguration | This is a very wide catch-all section that covers a variety of scenarios, including the application of latest security patches, default enablement of unnecessary features, use of default passwords and the use of default accounts to mitigate. |
| A6. Vulnerable and Outdated Components | Third-party components, libraries and frameworks used in application development may have known vulnerabilities that compromise the overall application security. |
| A7. Identification and Authentication Failures | Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume the identities of valid users. |
| A8. Software and Data Integrity Failures | This is also a new category because data security has grown to a primary concern. It covers the integrity of software updates, critical application data and CI/CD pipelines, where an attacker will tamper with them but the loss of integrity is undetected. |
| A9. Security Logging & Monitoring Failures | Many systems are not monitored well enough and as a result attacks and data losses go undetected for prolonged periods of time. This allows attackers to continue to exploit weaknesses in systems, and possibly use undetected flaws in one application to attack others. |
| A10. Server-Side Request Forgery (SSRF) | This is also a new category. An SSRF vulnerability allows an attacker to access data on a remote resource based on an unauthenticated, custom URL. If servers protected by a firewall or VPN accept unvalidated user input, even they can be subject to this vulnerability. |