The OWASP Top 10 2021 list includes Insecure Design as a new category, ranked as the number four critical security concern companies should be implementing processes to protect against. OWASP recommends that organizations use threat modeling to achieve secure design.
Last month, the Open Web Application Security Project (OWASP) - the nonprofit foundation that works to improve the security of software - released its new OWASP Top 10 Report of the most critical security concerns for web application security for 2021.
Created by a team of security experts from all over the world, using data drawn and analyzed from a number of organizations, it represents a broad consensus of the key recommendations that organizations should implement in their processes to mitigate security risks.
While the Top 10 is an awareness document - not a standard - this hasn’t stopped organizations using it as the de facto industry AppSec source of truth since its inception in 2003. It is a great place for organizations to begin identifying the starting points for software security.
This is how the top 10 looks this year, compared to 2017:
A noticeable new entry this year is the category of Insecure Design, which was placed straight into the fourth spot. This is in recognition of the fact that, if we really want to improve the resiliency of software, security has to begin right at the design phase.
In OWASP’s own words:
“Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.”
Insecure design means the risks related to design and architectural flaws that are built-in right from the beginning of software development, if the appropriate security mitigations are not taken.
As OWASP notes in their dedicated section on the topic of Insecure Design, this is not the same as insecure implementation. A secure design can still lead to defects if it is implemented incorrectly, resulting in vulnerabilities that may be exploited. Likewise, insecure design cannot be fixed by a perfect implementation as, by definition, needed security controls were never created to defend against specific attacks. This is why it is so critical that design is treated as its own category - some weaknesses can only be identified before implementation begins.
Identifying flaws at the design phase is what we call “starting left” in security, which is a progression of the popular DevSecOps saying to “shift left”. As OWASP highlights, secure design is as much about culture as well as methodology. This is about changing the mindset around what stage security needs to enter the application development process and it is our fundamental belief that true DevSecOps can only be achieved if security is factored in right at the outset.
Achieving Secure Design Through Threat Modeling
OWASP recommends that organizations undertake threat modeling to identify vulnerabilities in the design phase.
If this is a technique you are unfamiliar with, Threat Modeling Manifesto defines threat modeling as “analyzing representations of a system to highlight concerns about security and privacy”. In simple terms, it allows organizations to visualize and identify potential threats in software even before a line of code has been written.
This allows developers and security teams to avoid those design mistakes that might not be identifiable later down the line. It also saves organizations time and money by finding and addressing other potential threats earlier, avoiding re-work or escalations later in the development process.
By implementing threat models at the design phase, security starts to be baked into new code. Furthermore, through automation and access to comprehensive standard libraries, threat models can be run throughout the secure development lifecycle, ensuring that new vulnerabilities are continuously mitigated by countermeasures.
As the OWASP Top 10 highlights, Insecure Design is a security priority that organizations need to address today. Get in touch to find out how IriusRisk’s threat modeling platform can help you “start left” in security.
Fraser is a threat modeling product manager and evangelist. As a cyber postmodernist coming from a background of DevOps and Cloud Security, he believes that threat modeling offers a pragmatic toolkit for navigating the complex and ever-evolving intersection between software, value, and risk. He has created several experimental opensource projects including ThreatSpec and the OWASP Cloud Security project. As VP Product, Fraser is responsible for ensuring that IriusRisk gives our customers the threat modeling solutions they need to build awesome products that are secure by design.