Overview: Identification and Authentication Failures


Time: 2 hours 16 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
00:00
>> Let's look at Number 7 of the OWASP Top 10 2021, identification and authentication failures. Our learning objectives here are to describe the changes from OWASP Top 10 2017 to 2021, and then explain the CWEs that make up identification and authentication failures.

If this sounds like a new category, it actually isn't. This used to be broken authentication in 2017 and has been renamed because it now includes identification failures, into identification and authentication failures. A mouthful. It moved all the way down from Number 2, from broken authentication, to Number 7. It previously only had two CWEs mapped to it. Of course, in 2017 there weren't a whole lot of CWEs. Now there are a whole lot more CWEs in 2021. It went from two to 22, a big leap there.

What are the factors here? Again, 22 CWEs are mapped to this category. The max incident rate is not too high, but almost 15 percent. The average incident rate is not high as well, about 2.5 percent. The weighted exploitability is high here at 7.4 and the impact is 6.5, so a pretty high exploitability and impact here. As you can see, the total occurrences are 132,195, and there are a total of 3,897 CVEs. Again, specific to a piece of software or application, mapped to our overarching categories in the 22 CWEs.

Let's take a look at the CWEs. The highlighted one here, improper authentication, was one of the two from 2017 in broken authentication. As you can see here, we have things like credential management errors, use of hard-coded passwords, authentication bypass using an alternate path or channel, authentication bypass by spoofing. You can see these are similar: authentication bypass by spoofing and then authentication bypass by capture-replay. You can see they're numerically one after the other, chronological from 294 to 295 to 297. OWASP has lumped all of these similar things into this category, Number 7.

You can see here we're going to round out the rest of the 22. Session fixation was one of the two from 2017, but we have a whole lot more here. Use of hard-coded credentials: in the previous slide we had use of hard-coded passwords. Again, slight variations, but the same general category.

We've explained why identification and authentication failures went from Number 2 as Broken Authentication to Number 7 in 2021 as identification and authentication failures. We've described the CWEs that make up identification and authentication failures. Next, we're going to talk about some specific ones I think that you should know about, like default passwords and credential stuffing, so hang on for the next lesson.