WHITE PAPERMitigating ApplicationSecurity ThreatsOWASP Top 10

WHITE PAPER Mitigating Application Security ThreatsIntroductionThe Open Web Application Security Project (OWASP) Top 10 identifies a set of common web application security flaws andprovides a powerful tool for raising awareness about web application security issues. Produced by a community of securityexperts from around the world, the OWASP Top 10 represents a broad consensus about the most critical web applicationsecurity flaws that should be addressed as part of an overall web application security program.The OWASP Top 10 influences and informs a wide array of industry standards and requirements, including the PaymentCard Industry (PCI) DSS standard and many government regulations. There are multiple approaches to mitigating againstthe OWASP Top 10, including secure coding practices and code reviews, but deployment of a web application firewall (WAF)remains the primary tool for addressing requirements that reference the OWASP Top 10.Updating the Top 10 ListThe OWASP team updates the Top 10 list periodically as the threat landscape changes, new technologies are leased, andthe tactics of threat actors evolve. In 2021, changes included introducing new categories, renaming some, and consolidatingseveral others. The table below from OWASP summarizes those changes:20172021A01:2017-InjectionA01:2021-Broken Access ControlA02:2017-Broken AuthenticationA02:2021-Cryptographic FailuresA03:2017-Sensitive Data ExposureA03:2021-InjectionA04:2017-XML External Entities (XXE)(New) A04:2021-Insecure DesignA05:2017-Broken Access ControlA05:2021-Security MisconfigurationA06:2017-Security MisconfigurationA06:2021-Vulnerable and Outdated ComponentsA07:2017-Cross-site Scripting (XSS)A07:2021-Identification and Authentication FailuresA08:2017-Insecure DeserializationA09:2017-Using Components with Known VulnerabilitiesA010:2017-Insufficient Logging and Monitoring(New) A08:2021-Software and Data Integrity FailuresA09:2021-Security Logging and Monitoring Failures*(New) A010:2021-Server-side Request Forgery (SSRF)**From the surveyWeb Application Security ChallengesWeb applications continue to be attractive targets to threat actors. Public-facing web apps must be exposed to theinternet to deliver the line-of-business tools that modern organizations require. Those web apps connect to backenddatabases that can touch some of our most sensitive data—customer information, credit card data, employee information,and more—making these applications a prime target for threat actors.According to the 2021 Verizon Data Breach Report (VDBR), Basic Web Application Attacks (defined as “simple webapplication attacks with a small number of steps/additional actions after the initial web application compromise”) wereinvolved in more than 20% of breaches.1 Attackers continue to probe for web application vulnerabilities, as documentedby FortiGuard Labs in Global Threat Landscape Reports Q1 2022. (See figure on the next page, Prevalence of top IPSdetections by technology during 2H 2021.)2

WHITE PAPER Mitigating Application Security ThreatsFigure 1: Prevalence of top IPS detections by technology during 2H 2021Public-facing web applications require a different approach to security. Unlike applications and services that can be securelywalled off from direct internet access, web applications must allow access to function effectively. How do you define securitypolicies to allow/block traffic to/from multiple applications, each consisting of hundreds and sometimes thousands of differentelements (URLs, parameters, and cookies)? Manually creating different policies for each element is unrealistic and does notscale as the number of web applications and their complexity grows. Web applications also change frequently—on average,companies publish 25 software updates into production per application every month (see Cybersecurity Insider’s 2021Application Security Report).2FortiWeb Web Application and API Security: A Multilayered ApproachFortiWeb’s positive security model, multilayer approach provides two key benefits: 1) superior threat detection and 2) improvedoperational efficiency. FortiWeb’s ability to detect anomalous behavior, using sophisticated two-layer machine learning relativeto the specific application being protected, enables the solution to block unknown, never-before-seen exploits. This providesthe best protection against zero-day attacks targeting your application.By creating a comprehensive security model of the application, FortiWeb can defend against a full range of known or unknownvulnerabilities, including SQL Injection, cross-site scripting, and other application layer attacks. Operationally, FortiWebmachine learning relieves you of time-consuming tasks, such as remediating false positives or manually tuning WAF rules.FortiWeb continually updates the model of your application as it evolves, enabling you to get your code into production fasterby eliminating the need for time-consuming manual WAF rules tuning and troubleshooting the false positives that plague lessadvanced WAF solutions.The FortiWeb product line protects against known and zero-day attacks using both positive and negative security models.FortiWeb enables enterprises to protect against application-level attacks, combining analytics derived from FortiGuard Labsthreat intelligence with advanced machine-learning capabilities. The analytics use advanced techniques to protect against SQLinjection, cross-site scripting, and a range of other attacks, while FortiWeb’s machine learning models your application’s actualusage and looks for malicious anomalies.3

WHITE PAPER Mitigating Application Security ThreatsFortiWeb protects sensitive data while ensuring application availability, providing flexible and reliable security to address theOWASP Top 10 by utilizing a range of in-depth security modules and technologies. Sophisticated attacks are blocked using amultilayered security approach. Incorporating a positive and a negative security module based on bidirectional traffic analysisand an embedded, machine-learning, behavioral-based anomaly detection engine, FortiWeb protects against a broad rangeof threats without the need for network re-architecture and application changes.Backed by FortiGuard LabsFortiWeb includes a full application signature dictionary to protect against known application layer attacks and application logicattacks. A sophisticated engine scans both inbound and outbound traffic, matching elements with pre-defined known exploits.Also, the solution provides an enhanced flexible engine that allows customers to write their own signatures using a regularexpression engine which provides the ability to create new and customized signatures for every application and vulnerability.FortiWeb’s signature dictionary is updated regularly and automatically via FortiGuard Labs, a security subscription servicethat delivers continuous, automated updates and offers dynamic protection based on the work of Fortinet’s Global SecurityResearch Team, which researches and develops protection against known and potential security threats.ReportingFortiWeb includes visual reporting tools that provide a detailed analyses of attack sources, types, and other elements,mapping specific incidents to the OWASP Top 10 categories (see figure 2) and providing a summary dashboard of OWASPTOP 10 dashboard reports (see figure 3).Figure 2: OWASP Top 10 Threats dashboard element4

WHITE PAPER Mitigating Application Security ThreatsFigure 3: FortiWeb Cloud example alert for A03:2021 injectionData Leak Prevention and Information DisclosureWith predefined and custom policies for masking sensitive data, customers can be assured that sensitive data logged by FortiWebis protected from unauthorized access. An important part of the OWASP Top 10, sensitive data masking is a critical task.Even when access to the system is authorized, the data itself is masked and valuable sensitive information cannot be read.Customers can use the predefined policy and have the option to create their own custom policies to automatically maskadditional fields in logs.OWASP Top 10 and FortiWeb MitigationsThe table below lists the OWASP Top 10 for 2021 and the corresponding FortiWeb mitigation techniques.OWASP Top 10DescriptionFortiWeb Mitigation1. Broken Access Broken access controlControloccurs when userscan access resourcesthey were not originallyintended to. Access toresources should onlybe provided based onleast privileges anddenied to users withoutpermissions.nBuild strong access control mechanisms by implementing FortiWeb authentication and usingcorrect user groups.nUse FortiWeb API Gateway to verify API keys, manage users, hide URLs, and rate limitaccess to APIs.nEnable FortiWeb attack signatures to protect against path traversal, forceful browsing, andaccess to sensitive files that can invoke permission elevation.nUse the FortiGuard Labs credential stuffing defense service.2. CryptographicFailuresnUse FortiWeb to force access over TLS encryption even to those applications that can beaccessed via HTTP. Use HSTS and the secure attribute when possible.nProtect client and server-side communication by only using stronger ciphers on FortiWeb.nEnable FortiWeb Attack signatures to protect against direct access to sensitive files such asetc/passwd.nUse FortiWeb signatures to block sensitive data leakage in headers and other locations.nEnable cookie encryption.nMask all sensitive fields in FortiWeb logs to make sure sensitive data cannot be read byanyone, not even administrators.As applications handlesensitive data, especiallydata covered by privacyand financial regulations(for example, GDPR orPCI-DSS), appropriateprotection for data-intransit and data-at-restmust be provided.5

WHITE PAPER Mitigating Application Security ThreatsOWASP Top 10DescriptionFortiWeb Mitigation3. InjectionOne of the oldest and still widely popular attacks, anattacker injects malicious code into a request hoping theapplication will not sanitize it. If unsanitized, the code willdo something it wasn’t supposed to do, such as retrievedata that does not belong to the user.nEnable FortiWeb Attack signatures to protect againstinjection and cross-site scripting attacks.nEnable machine learning for anomaly detection toprotect against zero-day injection attacks. Sinceinjection attacks try to exploit a vulnerability withinthe logic of the application and not necessarily avulnerability in the code itself (meaning, no validation/sanitization of input) anomaly detection protection iscritical here.nEnable machine learning for API protection toautomatically defend APIs from zero-day attacks.Alternatively, enforce XML and JSON schema validationbased on uploaded schema.SQL injection is a very common form of injection attacksbut there are many other injection types such as LDAP, OScommands, email header injections, and others.Cross-site scripting is a very dangerous and popular attackthat now is included in the Injection category of OWASPTop 10 2021.4. InsecureDesignThis new category in the OWASP Top 10 for 2021 focuseson risks related to design and architectural flaws. Theseare primarily around SLDC, not something that can berectified by an implementation.Out of Scope: To help prevent insecure design, followprogramming best practices and establish a securesoftware development lifecycle (SSDLC).An insecure design cannot be fixed by a perfectimplementation as, by definition, needed security controlswere never created to defend against specific attacks.5. SecuritySecurity misconfiguration is the failure in implementingall necessary security controls for an application. Thesemisconfigurations can be default user accounts andpasswords that weren’t disabled upon deployment,enabled software components that aren’t needed, cloudpermissions not set correctly and so on.In the OWASP Top 10 for 2021, Security Misconfigurationalso includes XML External Entities (XXE), previouslya separate OWASP category. In this attack XML inputcontaining a reference to an external entity is beingmanipulated and exploited when the XML parser isn’tconfigured correctly.6. Vulnerableand OutdatedComponentsVulnerable and outdated components refer to knownvulnerabilities (also referred to as CVEs) in components,modules, libraries, or software packages.nEnable FortiWeb Attack signatures to detect attempts toretrieve sensitive information and block access to knowndefault system URLs.nEnable FortiWeb’s Forbidden XML Entities protectionwith External Entity, Entity Expansion and XInclude toprotect against XML external entity attacks.nIntroduce FortiWeb authentication layer and force allusers to authenticate.nEnforce file security to block access to certain file types.nEnable FortiWeb attack signatures to detect attempts toexploit known CVEs.nRegularly scan applications for known vulnerabilitiesusing standard vulnerability assessment tools. Integratethe tools with FortiWeb for automatic virtual patching.nEnable client management so FortiWeb can track everyuser session.nEnable credential stuffing protection to verify usersaren’t logging in with previously identified breachedcredentials.nEnable session fixation protection and enforce sessiontimeout.nEnable cookie security “signed” or “encrypted” toprevent session hijacking.nEnable FortiWeb attack signatures.Many of these are third-party or open-source packagesthat are not controlled by customers, but are widelydeployed and incorporated in most customer applicationsas they provide standard software capability. TakeOpenSSL as an example.Vulnerabilities in these components can result in a threatto the application like any other vulnerability and can beexploited using the standard Injection attacks, XSS, bufferoverflow, and other exploits. The Log4J vulnerability is agood example of this category.7. ion and authentication failures refer toconfirmation of a user’s identity, authentication, andsession management, which is critical to protect againstauthentication-related attacks. This category moved fromsecond to down seventh position this year.This category can include credential stuffing attacks,brute force attacks, session hijacking, session fixation, andothers exploits.6

WHITE PAPER Mitigating Application Security ThreatsOWASP Top 10DescriptionFortiWeb Mitigation8. Software andData IntegrityFailuresSoftware and data integrity failures refer to code andinfrastructure that is vulnerable to integrity violations. Anexample is an application that relies on plugins, libraries,or modules from untrusted sources and repositoriesthat are not correctly verified and could be tampered orcorrupted with. This can lead to allowing attackers toexploit the application once the malicious code has beeninstalled. This was the main cause of the SolarWinds2020 supply chain attack that impacted thousands oforganizations globally.nIntroduce FortiWeb authentication to application specificadmin interfaces and/or other sensitive URLs.nEnable FortiWeb attack signatures to protect against bufferoverflows, command injection, and other attack types.Software and data integrity failures cannot by itself beprotected by a WAF as it relates to the software integrityitself. However, a WAF can help with the exploitation ofthe vulnerability it creates.9. SecurityLogging andMonitoringFailuresSecurity logging and monitoring failures were previouslynamed “Insufficient Logging and Monitoring.” Thesefailures involve weaknesses in an application’s ability todetect security risks and respond to them.Logging suspicious activity is an integral role of everysecurity system. Without logging and monitoring,breaches cannot be detected.10. Server-sideRequestForgeryNewly introduced in 2021, the server-side request forgery(SSRF) vulnerability occurs when a web application pullsdata from a remote resource based on a user-specifiedURL, without validating the URL. The attacker can forcethe application to send requests to access unintendedresources, often bypassing security controls.The FortiWeb solution includes advanced monitoring andlogging capability to quickly understand events, correlateattacks over time, and help administrators zoom in on the mostsevere threats immediately.n Attack logs include a coherent, easy to read presentationthat highlight the violation.nFortiView helps administrators dice and slice logs accordingto various criteria such as source IP, geo IP, headers, URLsand many others.nUse threat analytics. It simplifies threat detection andresponse and speeds up WAF alerts security investigation.Using machine learning, attacks are analyzed across all yourweb applications to identify common characteristics andpatterns and group them into meaningful security incidents.nEnable traffic log forward to a remote server for safe keepingand future security investigation.nEnable attack signatures to protect against SSRF attacks inknown applications.nEnable machine learning anomaly detection to protectagainst zero-day SSRF attacks.Successful SSRF attacks can result in data exfiltration,sensitive data leakage, and data theft.SummaryThe OWASP Top 10 provides a great starting point for customers to assess their current application security posture andprioritize their risk mitigation priorities. Widely adopted by many standards organizations as a baseline security metric, theOWASP Top 10 helps organizations refine their focus on application security.FortiWeb delivers the OWASP Top 10 security you need, along with API discovery and protection, bot mitigation, and advancedthreat detection.122021 DBIR Summary of Findings, Verizon.Application Security Report, Cybersecurity Insiders, 2021.www.fortinet.comCopyright 2022 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other productor company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and otherconditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaserthat expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, anysuch warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwiserevise this publication without notice, and the most current version of the publication shall be applicable.June 24, 2022 3:11 PM1617247-0-0-EN

The Open Web Application Security Project (OWASP) Top 10 identifies a set of common web application security flaws and provides a powerful tool for raising awareness about web application security issues. Produced by a community of security experts from around the world, the OWASP Top 10 represents a broad consensus about the most critical web .