
OWASP Top 10 Privacy Risks 2021

2021-09-24

Authors: Florian Stahl


Summary

The speaker presents the OWASP Top 10 Privacy Risks 2021 for web applications and discusses the challenges faced in creating version 2.0 of the list.
  • Web application vulnerabilities (the classic OWASP Top 10 classes such as injection, broken authentication and session management, cross-site scripting, and security misconfiguration) remain at the top of the privacy risk list, because a compromised application exposes the personal data it processes.
  • Insufficient data quality is also a privacy concern: incorrect or outdated personal data can lead to issues such as wrong credit ratings or packages delivered to the wrong address.
  • Missing or insufficient session expiration is a commonly overlooked risk: sessions that never time out let the provider keep collecting data from a device without the user being aware of it.
  • Creating version 2.0 of the list was challenging due to finding volunteers, deciding which risks to include, and determining the appropriate level of abstraction.
  • Translations and countermeasures for version 2.0 are still being worked on, and the speaker encourages spreading awareness and applying the list in practice.
The speaker illustrates missing or insufficient session expiration with Facebook as an example, showing a screenshot of all the sessions still open on their account, none of which had been logged out automatically. As long as such a session stays valid, Facebook can keep collecting data from that device without the user's knowledge. The takeaway is that providers need automatic session timeouts (idle and absolute) and a way for users to see and end their sessions, or at least user-configurable expiration options.
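The session expiration point above, as an added example that is not from the talk or from any OWASP project code: a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, purges dead sessions, and exposes the "where you're logged in" view with per-device revocation. The timeout values, the in-memory store, and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # assumed policy: 15 min without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed policy: 8 h hard cap, however active the session is


@dataclass
class Session:
    user_id: str
    device: str        # label shown to the user, e.g. "Chrome on Windows"
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory server-side session store with idle and absolute expiry (example code)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable so tests can move time forward deterministically
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, device: str) -> str:
        # 256-bit random token; the client holds only this opaque value
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user_id, device, now, now)
        return token

    def _is_expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > self.idle_timeout
                or now - s.created_at > self.absolute_timeout)

    def validate(self, token: str):
        """Return the Session if still valid (refreshing last_seen); purge it and return None otherwise."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if self._is_expired(s, now):
            del self._sessions[token]  # an expired session must not linger server-side
            return None
        s.last_seen = now
        return s

    def active_sessions(self, user_id: str) -> list:
        """What a 'where you're logged in' page should list: live sessions only, expired ones purged."""
        now = self.clock()
        for tok in [t for t, s in self._sessions.items() if self._is_expired(s, now)]:
            del self._sessions[tok]
        return [(tok, s.device, s.created_at, s.last_seen)
                for tok, s in self._sessions.items() if s.user_id == user_id]

    def revoke(self, token: str) -> bool:
        """Log out one device."""
        return self._sessions.pop(token, None) is not None

    def revoke_all(self, user_id: str, keep: str = None) -> int:
        """Log out of every device except the current one; returns how many sessions were ended."""
        victims = [t for t, s in self._sessions.items() if s.user_id == user_id and t != keep]
        for t in victims:
            del self._sessions[t]
        return len(victims)


class FakeClock:
    """Constructed test clock: time only moves when the caller advances it."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    phone = store.create("alice", "phone")
    laptop = store.create("alice", "laptop")
    clock.t += 1000                         # laptop goes idle past 15 min
    store.validate(phone)                   # phone stays active... wait, this is also past idle
    print(store.active_sessions("alice"))   # both expired: nothing listed
```

Note that `validate` refreshes `last_seen`, so a session that is touched regularly survives the idle timeout but still dies at the absolute cap; that second limit is what stops a "never logged out" device from staying valid indefinitely.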

Abstract

"The future is private," said Mark Zuckerberg back in 2019 at Facebook's developer conference. OWASP has been addressing the topic of web application privacy with its Top 10 Privacy Risks Project since 2014. The project covers technological and organizational aspects that focus on real-life privacy risks, not just legal issues. It provides tips on how to implement privacy by design in web applications, with the aim of helping developers and web application providers to better understand and improve privacy. In the meantime, this OWASP project has become best practice for experts all over the world. But new regulations like GDPR and CCPA and a rapidly changing world raise the question of how far the privacy risk landscape has changed since 2014. This led to the decision to update the project back in 2020, and finally, more than one year later, version 2.0 of the OWASP Top 10 Privacy Risks project has been published. In this session project founder and leader Florian Stahl will present the updated results and show that some well-known topics like web application vulnerabilities remain at the top of the list, but also that new issues like "Consent on everything" or "Insufficient Data Quality" made it into the Top 10 Privacy Risks 2021. He also explains countermeasures against these risks and how to really build a private future.
