Laravel Security: OWASP Top 10 Overview

What is the OWASP Top 10, and why is it important?

Laravel Security: OWASP Top 10 Overview

Greetings my friends! Firstly, I want to give a huge welcome to the new folks who have joined us since Laracon Online1, it’s awesome to have you here! 😁

As I mentioned a couple of weeks ago, we’re going to start diving into the OWASP Top 102, so this email will kick us off with a summary of what it is (in case you’ve never heard of it before) and how I plan to tackle it over the coming weeks. I’ll aim to dive into all of the aspects that are relevant to Laravel from the Top 10 throughout the series, but please let me know if there are specific things you’re most interested in.

👉 Looking for a Laravel Security Audit / Penetration Test for your project? 🕵️

Looking to learn more?
Security Tip #2: Policy Filters
▶️ In Depth #1: Encryption

OWASP Top 10

The Open Web Application Security Project (OWASP) Top 10 is a list of the top 10 most important security risks for web applications, as chosen by security experts, based on data and insights from security companies.

The OWASP Top 10 for 2021 is:

The “OWASP Top 10” may get thrown around a lot as a buzzword, especially in the enterprise and compliance worlds, but it is an incredibly useful security education tool, and provides a common way to categorise risks within applications. However you can’t blindly take it as a “security checklist”, but instead you need to understand each risk and how it relates specifically to your framework, infrastructure, and project.

Over time the Top 10 has shifted away from specific vulnerabilities (you might remember IDORs were in the 2007 Top 10), and more towards generic categories for each risk. This makes the list more flexible, but since these categories can encompass a wide variety of specific attacks and techniques, it can make it hard to understand what specific topics are covered in each.

OWASP go through the process every couple of years of producing an updated Top 10 list, with the most recent having been compiled in 2021. Prior to 2021 the list was based entirely on data from security companies, however in 2021 they decided to rank only the top 8 risks as reported through data, and include the final 2 based on community feedback. These approach allows the list to reflect important risks which may not be accurately represented in the data.

The homepage for the project outlines the current Top 10 risks, and what changes have occurred over since the previous Top 10 was released3, and if you’re interested, it’s fascinating to read how and why they have moved around over time.

For example, you can see in the following image the changes between the 2017 and 2021 lists. Some of the categories have been merged, such as XSS into Injection, and new categories added (i.e. Insecure Design).

Image showing the changes between 2017 and 2021 Top 10 risks, as outlined on the OWASP Top 10 homepage.
Top 10 risks changes between 2017 and 2021.

Why the OWASP Top 10 is Important

The OWASP Top 10 is important because it indicates common areas that are often overlooked or missed when securing web applications. It may sound enterprise-y and generic, and not applicable to small web projects, but I need to point out that the top 3 are common weaknesses I find when auditing Laravel apps, with most of the others featuring in many audits too. So it’s worth is immediately apparent to me, based on my experience within the Laravel community.

The structure of the Top 10 lends itself well to educational materials (like LSID), and it provides a common ground between developers, security folks, and management, where even level can understand what is being discussed and the associated risks.

It’s also commonly required for security compliance and security awareness training, plus job interviews and contractor requirements, so having a good understanding of the Top 10 will make completing those processes much easier. You shouldn’t need to memorise the list, but understanding what each risk means and how it applies really helps.

💡 Dev Team Leads & Managers
Sign up for a group subscription to Laravel Security in Depth, so your whole dev team can learn about the OWASP Top 10 and why it’s important.

The Plan

We’ll be tackling a new risk each week, in place of the usual security tips and In Depths. I’ll keep things simple and work through the list in order, meaning next week will be ‘A01:2021-Broken Access Control’. Once we’ve covered all 10 risks, we’ll shift back to our previous Tips and In Depth cadence.

The length of the emails will vary, depending on how relevant the risk is to a Laravel project. Taking more time for the risks that are more common and relevant in the Laravel community, plus any topics you’ve shown more interest in. Some of the risks will no doubt overlap with previous tips and In Depths, which I’ll be linking back to as well.

I’m looking forward to taking this journey through the OWASP Top 10 with all of you!

  1. For those who missed Laracon Online, you can find all of the talks on YouTube, or just straight to my talk on Browser Security features at the end. Also, don’t forget to checkout the digital swag, from the fantastic sponsors of the event.

  2. Is it “Top 10” or “Top Ten”? 😕 As someone who likes consistency, having both formats used on their official page is frustrating!

  3. Frustratingly, this is basically all it does… it doesn’t really provide an adequate summary for those who just want to learn about the Top 10. 😔