The OWASP Top 10 is a ranked list of the security vulnerabilities that are seen by practitioners in the wild. It also provides guidance on how to detect and prevent those vulnerabilities. It is the go-to resource for developers and technologists who are securing the web.
When OWASP speaks, developers listen.
OWASP update their Top 10 roughly every four years, and the 2021 edition dropped earlier this month.
The 2021 edition of the OWASP Top 10 includes some significant changes
Injection has dropped from #1 — a position it has held since 2010 — to #3.
Broken Access Control makes the top of the list.
Cryptographic Failures is now #2.
This might be surprising, given the 2017 edition of the Top 10 did not mention cryptography at all. Truth be told, Cryptographic Failures is a generalisation of the 2017 edition’s #3: Sensitive Data Exposure.
OWASP describe Cryptographic Failures as a “description of a symptom, not a cause” that leads to exposure of sensitive data.
“Cryptographic Failures” includes not using encryption at all
One simple mental model for managing data is that it can exist in two states:
There are different controls you can use to encrypt data in either of these states.
For data in flight, you should ensure you are using Transport Layer Security (TLS) when sending and receiving data from your users and the systems you operate. You should also check that you are using TLS between all the components of your system, not just the public-facing side of your application.
For data at rest, you should encrypt the storage on which the data is resting. This is typically your disk volumes and backups.
But data is not "in flight" or "at rest" very often, which means we need to expand our mental model.
The third state of your data: In Use
When your data is in use, it needs to be accessible, which includes being searchable. Traditionally, encrypting your data means you can’t search it — no asking for all users whose birthday is in October, for example.
This is a huge reduction in utility, so most organisations opt not to encrypt their data while it is in use. Given the always-online nature of most databases, this means that the most sensitive information about your customers — Personally Identifying Information, healthcare records, and credit card numbers — is effectively in the clear nearly all the time.
This makes it a tempting target for attackers.
🎉 CipherStash solves this exact problem.
OWASP say we need to prepare for common cryptographic attacks
OWASP outlines a variety of attacks to defend against that roughly fall into these three categories.
Bad key management, leading to unauthorised access that appears legitimate.
Protocol downgrades, both in the ciphers used (like 3DES), and the transport itself (falling back to HTTP).
Information leaks via side channels, bulk analysis, and error messages, that can lead to inferences about the data being transported.
2. Incorrect use of cryptography
Initialisation Vectors (IVs) are ignored or reused, which leaks information about the first block of plaintext, and any common prefixes.
Insufficient randomness, which can make the ciphertext predictable.
3. Bad cryptography
Weak cryptography algorithms, like MD5 or SHA1, are easily broken by attackers, revealing the plaintext.
OWASP suggest both strategic and tactical defenses
The 2021 Top 10 outline a smorgasbord of things you can do to prevent sensitive data exposure, but the highlights are:
Classify data processed, stored, or transmitted by an application, to understand what data you need to defend, and identify appropriate controls.
Make sure to encrypt all data classified as "sensitive".
Wherever possible, use encryption that provides forward secrecy, to ensure data encrypted in the past can’t be decrypted if session keys are exposed.
Independently verify the effectiveness of encryption configuration and settings.
CipherStash is built to avoid Cryptographic Failures
CipherStash is built from the ground up to address the problems identified by Cryptographic Failures in the 2021 edition of the OWASP Top 10.
CipherStash encrypts data in flight, at rest, and in use — we never see your data in the clear, but you can still query it.
CipherStash’s encryption means your searches are encrypted, your searches are performed against encrypted data, and we return encrypted search results.
We also design our software and systems to be misuse resistant. We try very hard to be secure by default, to make sure that it is easy to do the right thing, and as hard as possible - or even impossible - to do the wrong thing.
Search your encrypted data right now: Book a demo today!