Beyond the OWASP Top 10: What Are the Next Big Threats to Watch?
By Meghan Jacquot, Security Engineer at Inspectiv
All security professionals have some go-to tools. The resources StackOverflow and GitHub, vulnerability search engine ExploitDB, and MITRE’s CVE database all make the cut, and the OWASP Top 10 certainly does as well.
But as threats continue to evolve and cyber criminals get more creative in their hunt for vulnerable elements of your enterprise, security professionals need to widen their aperture and go above and beyond the Top 10.
While the Open Worldwide Application Security Project (OWASP) Top 10 list of web application security vulnerabilities is certainly a great start to prioritize patching in your enterprise, it’s worth taking a moment to explore the next big threats on the horizon.
Here are five cybersecurity threats that the Inspectiv team is watching, and the steps your organization can take to mitigate them.
Beyond the OWASP Top 10: Five Threats to Watch
1. Vulnerable Microservices
The continued demand for web-accessible services that are widely available and have predictable costs has fueled the rise in microservices. This approach to software development—where software is deployed as a collection of smaller independent software services connected via APIs owned by individual teams—allows for agile, efficient services.
However, as an organization increases its microservices-based approach, it can introduce a range of new risks:
- Each microservice comes with its own attack surface and needs to be separately managed, secured, and monitored.
- Connectivity across microservices and back to their developers expands access to internal networks and applications, which could introduce denial-of-service attacks, data transport security risks, and service permission misconfigurations.
- Microservices often run within dedicated containers that are highly replicable, meaning propagation of potentially vulnerable code can spread as the services are redeployed.
2. Vulnerability Variants
When a patch or fix is released for a vulnerability categorized as “severe” and is deployed, security teams can all do a collective sigh of relief. However, as Google’s Project Zero has found, this may not always be the case.
Most notably, of the 18 0-day vulnerabilities identified in the first half of 2022, Google’s team found that at least half were “variants of previously patched vulnerabilities.” This means that these vulnerabilities could have been prevented “with more comprehensive patching and regression tests.”
As Google’s team notes, security teams can take some of the following steps to prevent their organization from falling victim to a variant of a previously “patched” vulnerability. These include investing in in-depth:
- Root cause analysis: To understand the underlying vulnerability that is being exploited and how so a proper patch can be deployed.
- Variant analysis: Testing to see if the same bug pattern can be found elsewhere and if it needs a similar or different fix.
- Patch analysis: Reviewing the proposed fix for completeness.
- Exploit technique analysis: Understanding the access gained from the vulnerability and if variants could result in different accesses or accesses via different methods.
3. Rise of Mobile Malware
With more work and education occurring on-the-go, many users are turning toward tablets and smartphones to stay connected and productive. In turn, they are allowing access to more apps and services via their mobile browsers thereby increasing their attack surface.
While Apple’s iOS is known for its inability to allow for protections against non-approved code to sideload on its operating system, the more open source nature of other operating systems has provided ample opportunities for cyber criminals to take advantage of the rise in mobile phone use. In particular, these mobile-based threats include:
- Malware capable of extracting sensitive information, including saved passwords, credit card numbers, contact information, and more.
- SMS phishing (known as smishing) that tricks users into entering sensitive information into a text message or fake website.
- Seemingly innocuous apps that disguise malicious functionality.
- Impersonation of mobile providers in order to download trojan malware.
4. SQL Injection
SQL injection risks are seemingly as old as the cybersecurity field itself, but security professionals are still unable to shake this threat. In late January 2023, global communications giant Cisco announced patches for “high-severity SQL injection” vulnerabilities associated with their Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition tools.
Despite being a decades-old risk, the Cisco vulnerability—which takes advantage of well-crafted SQL queries to bypass security and data validation checks and gain unauthorized access—proves that SQL injection is still a very real threat in 2023. Add in web-based forms and connectivity, and the attack surface and potential downstream impacts grow even more severe.
5. Insecure Design
We know that insecure design was introduced by OWASP for their Top 10 list in 2021, but the risks associated with this vulnerability are so important and diverse that the Inspectiv team wanted to give it extra attention.
According to OWASP, insecure design includes weaknesses that are a result of missing or ineffective control design unrelated to an insecure or flawed implementation. In other words, even if an application was perfectly implemented, there would still be security vulnerabilities as that were never accounted for in the design process.
As more applications move to the cloud or become internet-facing to enable mobile users and allow remote work and education programs, secure design—a methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods—takes on additional importance.
How to Be Prepared for the OWASP Top 10 And Beyond
Security risks are constantly evolving, so it’s more important than ever for organizations to invest in the foundational elements of a strong cybersecurity program. However, there is no one-size-fits-all approach. Every organization’s applications, operations, scale, and threats are different and their security controls need to align with their operations and values.
Regardless of the maturity level of your cybersecurity program, these are the foundations of a resilient, secure organization:
Make security an essential part of software implementations.
To overcome the OWASP Top 10 risk of Insecure Design, organizations need to go beyond just evaluating the strength of security controls during the testing phase of development and “shift security everywhere” by including security requirements throughout the continuous integration and continuous delivery/continuous deployment (CI/CD) pipeline. In addition to introducing more secure products, organizations can save time and money by avoiding costly bugs found later close to production.
Invest in security awareness training.
Building and maintaining a strong cybersecurity program takes constant investment, effort, and engagement, especially as our personal and professional lives continue to become intertwined in online and digital services. And with over 82% of breaches involving a human element—from social engineering attacks to malicious or unintentional acts— defense in depth matters. We must have layers of security so that when someone clicks a link as part of their job it does not lead to instant compromise. That’s why a comprehensive and dynamic security awareness training program is so important.
Some of the most effective training programs include:
- Ongoing lessons, tips, and updates on best practices, warning signs, and expectations.
- Clear, specific, and regular messages that show the value and purpose of awareness.
- Engagement across your organization, encouraging involvement and demonstrating its importance.
- Elements to encourage engagement to overcome the fear of blame or punishment for security-related mistakes.
Go beyond strong passwords.
Cyber criminals have more than 15 billion stolen credentials to choose from to launch attacks against your organization and its employees. With the right combination of information and a bit of luck, these attackers can gain access to internal network devices, sensitive data, and customer information.
Despite the risks, organizations are still slow to introduce a proven method to enable stronger authentication and protection: multi-factor authentication (MFA). In addition to helping organizations comply with standards like NIST and GDPR, MFA helps organizations by adding an additional layer of protection from stolen, reused, or weak passwords. These protections have become increasingly important as the use of mobile applications continues to rise.
Bring in expert threat hunters.
Measuring the strength of your security program and refining your controls should be a continuous process. The defenses that thwarted attackers in the past could be ineffective as new software, upgrades, or exploits are introduced.
This is why more organizations are turning towards experts that can deliver the threat intelligence, vulnerability detection, and remediation capabilities needed to identify issues early and reduce the risk of security issues.
Putting These Best Practices Into Action
Ready to learn more about how Inspectiv can take your organization’s cybersecurity to the next level? Click below to set up your own personalized demo of the Inspectiv platform.