Understanding OWASP Top 10 2021: A04 Insecure Design
In 2021, a new category emerged, focusing on the risks associated with design and architectural flaws. This category emphasized the importance of incorporating threat modeling, secure design patterns, and reference architectures into the development process. The goal was to go beyond the traditional "shift-left" approach in coding and prioritize pre-code activities essential for the principles of Secure by Design. Notable vulnerabilities in this category, as identified by Common Weakness Enumerations (CWEs), included CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-256 (Unprotected Storage of Credentials), CWE-501 (Trust Boundary Violation), and CWE-522 (Insufficiently Protected Credentials).
Definition:
Insecure design encompasses a wide range of weaknesses characterized as "missing or ineffective control design." It's important to note that insecure design is distinct from insecure implementation. The two have different root causes and require separate remediation efforts. Even with a secure design, implementation defects can lead to vulnerabilities that may be exploited. Insecure design cannot be rectified through perfect implementation because it implies that necessary security controls were never established to defend against specific attacks. One contributing factor to insecure design is the absence of business risk profiling within the software or system development process, leading to a failure to determine the required level of security design.
Requirements and Resource Management:
To address these challenges, it's crucial to gather and negotiate business requirements, including protection requirements related to data confidentiality, integrity, availability, authenticity, and business logic. Additionally, consider the exposure level of your application and the potential need for tenant segregation beyond access control. Compile technical requirements, encompassing both functional and non-functional security needs, and plan and negotiate a budget covering all design, development, testing, and operational aspects, including security-related activities.
Secure Design:
Secure design is not merely a tool or add-on; it's a culture and methodology that continuously assesses threats and ensures that code is designed and tested robustly to prevent known attack vectors. It involves integrating threat modeling into refinement sessions, thoroughly defining data flows, access control, and other security measures during user story development, and analyzing assumptions and conditions for expected and failure scenarios. Documentation of these results is crucial. Secure design entails learning from past mistakes and offering positive incentives to encourage improvements.
Secure Development Lifecycle:
Developing secure software requires adopting a secure development lifecycle, incorporating secure design patterns, employing a paved road methodology, maintaining a secured component library, using appropriate tooling, and integrating threat modeling. Collaboration with security specialists from project inception through maintenance is essential. Consider utilizing the OWASP Software Assurance Maturity Model (SAMM) to structure your secure software development efforts effectively.
Preventive Measures:
To mitigate the risks associated with insecure design, apply the following measures:
- Establish and implement a secure development lifecycle in collaboration with AppSec professionals.
- Utilize a library of secure design patterns or readily available components.
- Employ threat modeling for critical aspects such as authentication, access control, business logic, and key flows.
- Incorporate security language and controls into user stories.
- Conduct plausibility checks at every application tier, from frontend to backend.
- Develop unit and integration tests to validate resistance to threat models and compile use-cases and misuse-cases for each application tier.
- Implement robust tenant segregation across all tiers.
- Manage resource consumption per user or service.
Example Attack Scenarios:
Three illustrative attack scenarios demonstrate the importance of addressing insecure design:
1. A credential recovery workflow relying on "questions and answers" violates industry standards and should be replaced with a more secure design.
2. A cinema chain's group booking discount system lacks safeguards, allowing attackers to exploit it and potentially cause significant financial losses.
3. An e-commerce website for a retail chain fails to protect against bot-driven scalpers, leading to negative publicity and customer dissatisfaction.
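Scenario 2 and the plausibility-check and resource-limit measures listed above, as an added example that is not part of the OWASP document: a constructed Python booking service whose insecure method trusts the client-supplied group size, beside a hardened method that enforces the checks in the backend tier, plus a misuse-case test of the kind the preventive measures call for. The ticket price, group cap, seat count and per-customer booking limit are assumed business rules, not values from the page.

```python
from dataclasses import dataclass, field

# Constructed business rules (assumptions for this example, not from the OWASP text)
TICKET_PRICE = 12.00
GROUP_DISCOUNT = 0.10        # 10% off for group bookings
MAX_GROUP_SIZE = 20          # larger groups go through a separate deposit workflow
SEATS_PER_SCREENING = 120
MAX_OPEN_BOOKINGS = 3        # unpaid bookings one customer may hold at once


@dataclass
class Screening:
    seats_free: int = SEATS_PER_SCREENING


@dataclass
class BookingService:
    screening: Screening = field(default_factory=Screening)
    open_bookings: dict = field(default_factory=dict)   # customer -> unpaid bookings

    def book_group_insecure(self, customer: str, attendees: int) -> float:
        """Missing control design: the group size is trusted as sent by the client."""
        self.screening.seats_free -= attendees
        return round(attendees * TICKET_PRICE * (1 - GROUP_DISCOUNT), 2)

    def book_group(self, customer: str, attendees: int) -> float:
        """Plausibility checks enforced in the backend tier, not only in the UI."""
        if not isinstance(attendees, int) or attendees < 1:
            raise ValueError("group size must be a positive whole number")
        if attendees > MAX_GROUP_SIZE:
            raise ValueError(f"groups above {MAX_GROUP_SIZE} require a deposit")
        if attendees > self.screening.seats_free:
            raise ValueError("not enough seats left for this screening")
        if self.open_bookings.get(customer, 0) >= MAX_OPEN_BOOKINGS:
            raise ValueError("too many unpaid bookings; pay or cancel one first")
        self.screening.seats_free -= attendees
        self.open_bookings[customer] = self.open_bookings.get(customer, 0) + 1
        return round(attendees * TICKET_PRICE * (1 - GROUP_DISCOUNT), 2)


def misuse_case_mass_booking(service: BookingService, secure: bool,
                             requests: int = 50, group: int = 600) -> int:
    """Misuse case from the threat model: one customer sends many oversized group
    bookings. Returns how many were accepted; a secure design accepts none."""
    book = service.book_group if secure else service.book_group_insecure
    accepted = 0
    for _ in range(requests):
        try:
            book("customer-1", group)
            accepted += 1
        except ValueError:
            pass
    return accepted
```

Run as a unit test in CI: the insecure path accepts every oversized request, while the hardened path rejects them all and still serves legitimate group sizes.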