OWASP Top 10 2021 mitigation options on Google Cloud

Last reviewed 2021-12-12 UTC

This document helps you identify Google Cloud products and mitigation strategies that can help you defend against the common application-level attacks outlined in the OWASP Top 10. The OWASP Top 10 is a list, published by the Open Web Application Security Project (OWASP) Foundation, of the ten security risks that every application owner should be aware of. No security product can guarantee full protection against these risks, but applying these products and services where they make sense in your architecture contributes to a strong multi-layer security solution.

Google infrastructure is designed to help you build, deploy, and operate services in a secure way. Physical and operational security, data encryption at rest and in transit, and many other important facets of a secure infrastructure are managed by Google. You inherit these benefits by deploying your applications to Google Cloud, but you might need to take additional measures to protect your application against specific attacks.

The mitigation strategies listed in this document are sorted by application security risk and Google Cloud product. Many products play a role in creating a defense-in-depth strategy against web security risks. This document provides information about how other products can mitigate OWASP Top 10 risks, but it provides additional detail about how Google Cloud Armor and Apigee can mitigate a wide range of those risks. Google Cloud Armor, acting as a web application firewall (WAF), and Apigee, acting as an API gateway, can be especially helpful in blocking different kinds of attacks. These products are in the traffic path from the internet and can block external traffic before it reaches your applications in Google Cloud.

Product overviews

The Google Cloud products listed in the following table can help defend against the top 10 security risks:

Product: Summary (the sections that follow list, for each risk A01 through A10, which of these products apply)

Access Transparency: Expand visibility and control over your cloud provider with admin access logs and approval controls
Artifact Registry: Centrally stores artifacts and build dependencies
Apigee: Design, secure, and scale application programming interfaces
Binary Authorization: Ensure that only trusted container images are deployed on Google Kubernetes Engine
Google Security Operations: Automatically find threats in real time and at scale using Google's infrastructure, detection techniques, and signals
Cloud Asset Inventory: View, monitor, and analyze all your Google Cloud and Google Distributed Cloud Virtual or multi-cloud assets across projects and services
Cloud Build: Build, test, and deploy in Google Cloud
Sensitive Data Protection: Discover, classify, and protect your most sensitive data
Cloud Load Balancing: Control which ciphers your SSL proxy or HTTPS load balancer negotiates
Cloud Logging: Real-time log management and analysis at scale
Cloud Monitoring: Collect and analyze metrics, events, and metadata from Google Cloud services and a wide variety of applications and third-party services
Cloud Source Repositories: Store, manage, and track code in a single place for your team
Container Threat Detection: Continuously monitor the state of container images, evaluate all changes, and monitor remote access attempts to detect runtime attacks in near-real time
Event Threat Detection: Monitor your organization's Cloud Logging stream and detect threats in near-real time
Forseti Inventory: Collect and store snapshots of your architecture
Forseti Scanner: Scan inventory data according to custom-defined policies and alert on unexpected deviations
Google Cloud Armor: A web application firewall (WAF) deployed at the edge of Google's network to help defend against common attack vectors
Google Cloud security bulletins: The latest security bulletins related to Google Cloud products
Identity-Aware Proxy (IAP): Use identity and context to guard access to your applications and VMs
Identity Platform: Add identity and access management functionality to applications, protect user accounts, and scale identity management
Cloud Key Management Service: Manage encryption keys on Google Cloud
reCAPTCHA: Help protect your website from fraudulent activity, spam, and abuse
Secret Manager: Store API keys, passwords, certificates, and other sensitive data
Security Command Center: Centralized visibility for security analytics and threat intelligence to surface vulnerabilities in your applications
Security Health Analytics (SHA): Generate vulnerability findings that are available in Security Command Center
Titan Security Keys: Help protect high-value users with phishing-resistant 2FA devices that are built with a hardware chip (with firmware engineered by Google) to verify the integrity of the key
Virtual Private Cloud firewalls: Allow or deny connections to or from your virtual machine (VM) instances
VPC Service Controls: Isolate resources of multi-tenant Google Cloud services to mitigate data exfiltration risks
VirusTotal: Analyze suspicious files and URLs to detect types of malware; automatically share them with the security community
Web Security Scanner: Generate vulnerability finding types that are available in Security Command Center

A01: Broken access control

Broken access control refers to access controls that are enforced only on the client side, enforced only partially, or implemented weakly. Mitigating this risk usually requires changes on the application side so that the server itself enforces that resources are accessed only by authorized users.

Apigee

Use case:

  • Access control enforcement
  • Limit data manipulation

Apigee supports a layered approach to implement access controls to keep the bad actors from making unauthorized changes or accessing the system.

Configure role-based access control (RBAC) to only allow users access to the functionality and configuration that they need. Create encrypted key value maps to store sensitive key-value pairs, which appear masked in the Edge UI and in management API calls. Configure single sign-on with your company's identity provider.

Configure developer portals to show specific API products according to user role. Configure the portal to show or hide content based on user role.

Cloud Asset Inventory

Use case:

  • Monitor for unauthorized IT (also known as "shadow IT")
  • Outdated compute instances

One of the most common vectors for data exposure is orphaned or unauthorized IT infrastructure. Set up real-time notifications to alert you to unexpected running resources, which might be improperly secured or running outdated software.

Cloud Load Balancing

Use case:

  • Fine-grained SSL and TLS cipher control

Prevent the use of weak SSL or TLS ciphers by assigning a predefined group or custom list of ciphers that Cloud Load Balancing can use.

Forseti Scanner

Use case:

  • Access control configuration monitoring

Systematically monitor your Google Cloud resources with the goal of ensuring access controls are set as you intended. Create rule-based policies to codify your security stance. If the configuration unexpectedly changes, Forseti Scanner notifies you so that you can automatically revert to a known state.

Google Cloud Armor

Use case:

  • Filter cross-origin requests
  • Filter local or remote file inclusion attacks
  • Filter HTTP parameter pollution attacks

Many cases of broken access control cannot be mitigated by using a web application firewall, because applications don't require or don't properly check access tokens for every request, and data can be manipulated client side. Multiple Juice Shop challenges relate to broken access control. For example, posting feedback in another user's name exploits the fact that some requests are not authenticated server side. As the challenge solution shows, this exploit is entirely client-side and therefore cannot be mitigated by using Google Cloud Armor.

Some challenges can be partially mitigated server side if the application cannot be immediately patched.

For example, if cross-site request forgery (CSRF) attacks are possible because your web server implements cross-origin resource sharing (CORS) poorly, as demonstrated in the CSRF Juice Shop challenge, you can mitigate the issue by blocking requests from unexpected origins altogether with a custom rule. The following rule matches every request that carries an Origin header whose value is neither https://example.com nor https://google.com:

has(request.headers['origin']) &&
!((request.headers['origin'] == 'https://example.com') ||
  (request.headers['origin'] == 'https://google.com'))

When traffic that matches this rule is denied, the solution for the CSRF challenge stops working. Because the rule is guarded by has(), a request that carries no Origin header at all is never matched. Browsers attach Origin to cross-origin requests, including cross-site form posts, so the rule catches browser-driven CSRF, but a client that omits the header is not matched, and the rule is not a substitute for CSRF tokens in the application.

The basket manipulation challenge uses HTTP parameter pollution (HPP); you can see how the attack works by following the challenge solution. HPP is detected as part of the protocol attack rule set. To help block this kind of attack, use the following rule: evaluatePreconfiguredExpr('protocolattack-stable').

Identity-Aware Proxy and Context-Aware Access

Use case:

  • Centralized access control
  • Works with cloud and on-premises
  • Protects HTTP and TCP connections
  • Context-Aware Access

IAP lets you use identity and context to form a secure authentication and authorization wall around your application. Prevent broken authorization or access control to your public-facing application with a centrally managed authentication and authorization system built on Cloud Identity and IAM.

Enforce granular access controls to web applications, VMs, Google Cloud APIs, and Google Workspace applications based on a user's identity and the context of the request without the need for a traditional VPN. Use a single platform for both your cloud and on-premises applications and infrastructure resources.

Security Health Analytics

Use case:

  • MFA or 2FA enforcement
  • API key protection
  • SSL policy monitoring

Prevent broken access control by monitoring for multi-factor authentication compliance, SSL policy, and the health of your API keys.

Web Security Scanner

Use case:

  • Repositories exposed to the public
  • Insecure request header validation

Web Security Scanner scans your web applications for vulnerabilities, such as publicly visible code repositories and misconfigured validation of request headers.

A02: Cryptographic failures

Cryptographic failures can happen because of a lack of encryption, weak encryption in transit or at rest, or accidentally exposed sensitive data. Attacks against these vulnerabilities are usually specific to the application and therefore need a defense-in-depth approach to mitigate.

Apigee

Use case:

  • Protect sensitive data

Use one-way and two-way TLS to guard sensitive information at the protocol level.

Use policies such as Assign Message policy and JavaScript policy to remove sensitive data before it's returned to the client.

Use standard OAuth techniques and consider adding HMAC, hash, state, nonce, PKCE, or other techniques to improve the level of authentication for each request.

Mask sensitive data in the Edge Trace tool.

Encrypt sensitive data at rest in key value maps.

Cloud Asset Inventory

Use case:

  • Search service
  • Access analyzer

One of the most common vectors for data exposure is orphaned or unauthorized IT infrastructure. You can identify servers that nobody is maintaining and buckets with over-broad sharing rules by analyzing the cloud asset time series data.

Set up real-time notifications to alert you to unexpected provisioning of resources which might be improperly secured or unauthorized.

Cloud Data Loss Prevention API (part of Sensitive Data Protection)

Use case:

  • Sensitive data discovery and classification
  • Automatic data masking

The Cloud Data Loss Prevention API (DLP API) lets you scan for any potentially sensitive data stored in buckets or databases to prevent unintended information leakage. If disallowed data is identified, it can be automatically flagged or redacted.

Cloud Key Management Service

Use case:

  • Secure cryptographic key management

Cloud Key Management Service (Cloud KMS) helps to prevent potential exposure of your cryptographic keys. Use this cloud-hosted key management service to manage symmetric and asymmetric cryptographic keys for your cloud services the same way that you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.

Cloud Load Balancing

Use case:

  • Fine-grained SSL and TLS cipher control

SSL policies can help prevent sensitive data exposure by giving you control over the SSL and TLS features and ciphers that are allowed in a load balancer. Block unapproved or insecure ciphers as needed.

Google Cloud Armor

Use case:

  • Filter known attack URLs
  • Restrict sensitive endpoint access

In general, sensitive data exposure should be stopped at the source, but because every attack is application specific, web application firewalls can only be used in a limited way to stop data exposure broadly. However, if your application can't be immediately patched, you can restrict access to vulnerable endpoints or request patterns by using Google Cloud Armor custom rules.

For example, several Juice Shop challenges about sensitive data exposure can be exploited through directory traversal and null byte injection. You can mitigate these injections by checking the URL for the encoded null byte and its double-encoded form with the following custom expression:

request.path.contains("%00") || request.path.contains("%2500")

You can solve the exposed metrics challenge by accessing the /metrics endpoint that is used by Prometheus. If you have a sensitive endpoint that is exposed and you can't immediately remove access, you can block access to it from everywhere except certain IP address ranges. Use a rule similar to the following custom expression:

request.path.contains("/metrics") && !inIpRange(origin.ip, '1.2.3.4/32')

Replace 1.2.3.4/32 with the IP address range that should have access to the metrics interface.

Accidentally exposed log files are used to solve one of the Juice Shop challenges. To avoid exposing logs, add a deny rule that blocks access to log files entirely: request.path.endsWith(".log").
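To see how these expressions behave before you deploy them, the following Python model evaluates the rules quoted on this page (the Origin check from A01; the null-byte, /metrics allowlist and .log rules from this section; and the /admin allowlist rule under A05, which uses the same inIpRange pattern) against constructed requests. This is an added example, not Google Cloud Armor code: the real service evaluates these as CEL expressions at the edge, and here each rule is a Python predicate with the same semantics. The allowlisted CIDR 1.2.3.4/32, the sample paths, IP addresses and headers are assumptions made for the example.

```python
"""Local model of the Google Cloud Armor custom rules quoted on this page.

Added illustration, not Cloud Armor code: each CEL expression from the page
is re-expressed as a Python predicate with the same semantics so that the
edge cases (no Origin header, double-encoded null byte, allowlisted IP) can
be checked locally. CIDR, paths, IPs and headers below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for the request attributes a Cloud Armor rule sees."""
    path: str
    origin_ip: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header lookups in Cloud Armor rules are case-insensitive; mirror that.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def in_ip_range(ip, cidr):
    """Equivalent of inIpRange(origin.ip, 'cidr')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# A01: has(request.headers['origin']) && !(origin == ... || origin == ...)
ALLOWED_ORIGINS = {"https://example.com", "https://google.com"}

def deny_unexpected_origin(req):
    origin = req.header("origin")
    return origin is not None and origin not in ALLOWED_ORIGINS

# A02: request.path.contains("%00") || request.path.contains("%2500")
def deny_null_byte(req):
    return "%00" in req.path or "%2500" in req.path

# A02 / A05: request.path.contains(prefix) && !inIpRange(origin.ip, range)
OPERATOR_RANGE = "1.2.3.4/32"   # assumption: replace with the real operator range

def deny_restricted_path(req, prefix):
    return prefix in req.path and not in_ip_range(req.origin_ip, OPERATOR_RANGE)

# A02: request.path.endsWith(".log")
def deny_log_files(req):
    return req.path.endswith(".log")


# Rules are evaluated in order; the first match wins, as with rule priorities.
RULES = [
    ("unexpected-origin", deny_unexpected_origin),
    ("null-byte", deny_null_byte),
    ("metrics-allowlist", lambda r: deny_restricted_path(r, "/metrics")),
    ("admin-allowlist", lambda r: deny_restricted_path(r, "/admin")),
    ("log-files", deny_log_files),
]


def evaluate(req):
    """Return the name of the first deny rule that matches, or None if allowed."""
    for name, rule in RULES:
        if rule(req):
            return name
    return None


# Constructed sample traffic (not real captures).
SAMPLES = {
    "same-origin-get": Request("/api/feedback", "203.0.113.7"),
    "csrf-from-attacker": Request("/api/feedback", "203.0.113.7", {"Origin": "https://evil.example"}),
    "allowed-cors": Request("/api/feedback", "203.0.113.7", {"origin": "https://example.com"}),
    "null-byte-traversal": Request("/download/notes.md%2500.pdf", "203.0.113.7"),
    "metrics-from-internet": Request("/metrics", "203.0.113.7"),
    "metrics-from-operator": Request("/metrics", "1.2.3.4"),
    "admin-from-internet": Request("/admin/users", "198.51.100.9"),
    "exposed-log": Request("/support/logs/access.log", "203.0.113.7"),
}


def run_samples():
    """Map each sample name to the rule that denies it, or None when allowed."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict or 'allow'}")
```

The same-origin-get and allowed-cors samples pass because the Origin rule is guarded by has(): a request with no Origin header, or with an allowlisted one, is never matched. The double-encoded %2500 sample shows why the page's rule checks both spellings.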

Identity-Aware Proxy and Context-Aware Access

Use case:

  • Secure remote access to sensitive services
  • Centralized access control
  • Context-Aware Access

Use identity and context to form a secure authentication and authorization perimeter around your application. Deploy internal tools, such as bug reporting, a corporate knowledge base, or email, behind IAP so that Context-Aware Access admits only authorized individuals, from anywhere on the internet.

With Context-Aware Access, you can enforce granular access controls to web applications, virtual machines (VMs), Google Cloud APIs, and Google Workspace applications based on a user's identity and context of the request without a traditional VPN. Based on the zero-trust security model and Google's BeyondCorp implementation, Context-Aware Access lets you provide access for your users, enforce granular controls, and use a single platform for both your cloud and on-premises applications and infrastructure resources.

Secret Manager

Use case:

  • Crypto keys
  • API keys
  • Other system credentials

Secret Manager is a secure storage service for your most valuable data such as API keys, service account passwords, and cryptographic assets. Centrally storing these secrets lets you rely on Google Cloud's authentication and authorization systems, including IAM, to determine whether any given request for access is valid.

Secret Manager isn't designed for massive scale operations such as credit card tokenization or individual user password storage. Such applications should rely on Identity Platform for CIAM, Cloud Identity for members of your organization, or dedicated tokenization software.

Security Health Analytics

Use case:

  • MFA/2FA enforcement
  • API key protection
  • API key rotation enforcement
  • Compute image privacy
  • SSH key rule enforcement
  • Secure boot monitoring
  • API access security
  • SSL policy monitoring
  • Disabled logging
  • Public bucket ACL alerts

Prevent sensitive data exposure by monitoring for multi-factor authentication compliance and the health of your API keys. Get alerts for insecure configurations in container image storage, Cloud Storage, SSL policy, SSH key policy, logging, API access, and more.

VirusTotal

Use case:

  • Phishing prevention

VirusTotal lets you scan URLs for malicious content before presenting them to your users or employees, whether they're found in user input, emails, chat, logs, or other locations.

VPC Service Controls

Use case:

  • Firewall for managed services

Wrap critical managed services in a service perimeter in order to control who can call the service and where the service can send data. Block unauthorized egress and data exfiltration with outbound perimeter rules on services such as Cloud Functions. Prevent requests from unauthorized users and locations to managed data stores and databases. Create secure perimeters around powerful or potentially costly APIs.

Web Security Scanner

Use case:

  • Web application security risk scanner
  • Unencrypted passwords transmitted over the network
  • Exposed source code repositories

Web Security Scanner scans your web applications and reports findings for errors and vulnerabilities. To prevent your web application from exposing sensitive data, ensure that passwords are not sent in clear text; if your application transmits passwords in clear text, Web Security Scanner generates a CLEAR_TEXT_PASSWORD finding. Avoid leaking raw source code by checking for exposed Git and Apache Subversion repositories. These scans are designed to cover specific OWASP Top 10 controls.

A03: Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into running unintended commands or accessing data without proper authorization. We recommend that user data is sanitized or filtered by the application before it is sent to an interpreter.

The following sections discuss the Google Cloud products that can help mitigate this risk.

Apigee

Use case:

  • SQL injection blocking
  • NoSQL injection blocking
  • LDAP injection blocking
  • JavaScript injection blocking

Apigee provides several input validation policies to verify that the values provided by a client match your configured expectations before allowing the further processing of the policies or rules. Apigee, acting as a gateway for the incoming API requests, runs a limit check to ensure that the payload structure falls within an acceptable range. You can configure an API proxy so that the input validation routine transforms the input in order to remove risky character sequences, and then replace them with safe values.

There are several approaches to validating input with the Apigee platform:

Container Threat Detection

Use case:

  • Malicious script detection
  • Reverse shell detection
  • Malware installation detection

The Malicious Script Executed detector of Container Threat Detection analyzes every shell script executed on the system and reports ones that look malicious. This provides a vehicle to detect shell command injection attacks. After a successful shell command injection, an attacker can spawn a reverse shell, which triggers the Reverse Shell detector. Alternatively, they can install malware, which triggers the Added Binary Executed and Added Library Loaded detectors.

Google Cloud Armor

Use case:

  • SQL injection filtering
  • PHP injection filtering

Google Cloud Armor can block common injection attacks before they reach your application. For SQL injection (SQLi), Google Cloud Armor has a predefined rule set that is based on the OWASP ModSecurity Core Rule Set (CRS). You can build security policies that block common SQLi attacks defined in the CRS by using the evaluatePreconfiguredExpr('sqli-stable') rule either by itself or in conjunction with other custom rules. For example, you can limit SQLi blocking to specific applications by using a URL path filter.

For PHP injection, another preconfigured rule set exists. You can use the evaluatePreconfiguredExpr('php-stable') rule to block common PHP injection attacks.

Depending on your application, activating the preconfigured expressions might lead to some false positives because some of the rules in the rule set are quite sensitive. For more information, see troubleshooting false positives and how to tune the rule set to different sensitivity levels.

For injection attacks other than those targeting SQL or PHP, you can create custom rules to block requests when specific keywords or escape patterns in those protocols are used in the request path or query. Make sure that these patterns don't appear in valid requests. You can also limit these rules to only be used for specific endpoints or paths that might interpret data passed to them.

Additionally, some injection attacks can be mitigated by using the preconfigured rules for remote code execution (RCE) and remote file inclusion (RFI).

Web Security Scanner

Use case:

  • Monitoring for cross-site scripting
  • Monitoring for SQL injection

Web Security Scanner scans your web applications for vulnerabilities and provides detectors for cross-site scripting (XSS) and SQL injection vulnerabilities.

A04: Insecure Design

Insecure design occurs when organizations do not implement the means to evaluate and address threats during the development lifecycle. Threat modeling, when done early in the design and refinement phases and continued throughout the development and testing phases, helps organizations examine their assumptions and identify failure modes. A blameless culture of learning from mistakes is key to secure design.

Apigee

Use cases:

  • Input validation
  • Access controls
  • Fault handling
  • Content protection policies
  • Password management

Apigee allows you to validate incoming requests and responses to your application using the OASValidation policy. In addition, to protect access, you can configure single sign-on (SSO), role-based access control (RBAC), limit access to APIs (using Auth0 for example) and restrict which IP addresses have access to your environment. Using fault handling rules, you can customize how the API proxy reacts to errors.

To protect against unsafe passwords for Apigee global users, Apigee provides password expiration, lockout and reset functionality. In addition, you can enable two-factor authentication (2FA).

Cloud Data Loss Prevention API (part of Sensitive Data Protection)

Use case:

  • Identify and redact confidential data

Using the Cloud Data Loss Prevention API, you can identify confidential data and tokenize it. The DLP API can help you limit the exposure of confidential data, because after data has been tokenized and stored, you can set up access controls to restrict who can view the data. For more information, see Automating the classification of data uploaded to Cloud Storage and De-identification and re-identification of PII in large-scale datasets using Sensitive Data Protection.

Secret Manager

Use case:

  • Protect storage of credentials

Secret Manager lets applications and pipelines access the values of named secrets based on permissions granted with IAM. It also provides programmatic access to secrets so automated processes can access secret values. When enabled, every interaction with Secret Manager provides an audit trail. Use these audit trails to assist with forensics and compliance needs.

Web Security Scanner

Use case:

  • Identify security vulnerabilities in your applications.

Web Security Scanner scans your web applications for vulnerabilities. It follows links and attempts to exercise as many user inputs and event handlers as possible. Its CACHEABLE_PASSWORD_INPUT detector generates a finding if passwords entered on the web application can be cached in a regular browser cache instead of a secure password storage.

A05: Security misconfiguration

Security misconfiguration refers to unpatched application flaws, open default accounts, and unprotected files and directories that can typically be prevented with application hardening. Security misconfiguration can happen in many ways, such as trusting default configurations, making partial configurations that might be insecure, letting error messages contain sensitive details, storing data in the cloud without proper security controls, or misconfiguring HTTP headers.

Apigee

Use case:

  • Manage security configurations
  • Monitor security configurations

A shared flow lets API developers combine policies and resources into a reusable group. By capturing reusable functionality in one place, a shared flow helps you ensure consistency, shorten development time, and more easily manage code. You can include a shared flow inside individual API proxies using a FlowCallout policy or you can place shared flows in flow hooks to automatically run shared flow logic for every API proxy deployed in the same environment.

Cloud Asset Inventory

Use case:

  • Real-time notification service

Real-time notifications can alert you to unexpected provisioning of resources that might be improperly secured or unauthorized.

Cloud Load Balancing

Use case:

  • Fine-grained SSL and TLS cipher control

Prevent the usage of known-vulnerable SSL or TLS ciphers by assigning a predefined group or custom list of ciphers usable by a load balancer.

Google Cloud Armor

Use case:

  • Filter insecure endpoints
  • Filter local or remote file inclusion attacks
  • Filter protocol attacks

Because security misconfiguration can happen at the application level, the OWASP Foundation recommends hardening and patching your application directly and removing all unnecessary functionality.

Although a web application firewall (WAF), such as Google Cloud Armor, can't help you fix the underlying misconfiguration, you can block access to parts of the application either fully or for everyone except specific IP addresses or countries. Restricting access can reduce the risk of those misconfigurations being exploited.

For example, if your application exposes an administrative interface using a common URL such as /admin, you can restrict who can reach that interface at all, even if the interface itself requires authentication. You can do this with a deny rule, for example:

request.path.contains("/admin") && !inIpRange(origin.ip, '1.2.3.4/32')

Replace 1.2.3.4/32 with the IP address range that should have access to the admin interface.

Some misconfigurations can be partially mitigated by using the predefined local file inclusion (LFI) or remote file inclusion (RFI) rulesets. For example, exploiting the Juice Shop cross-site imaging challenge doesn't succeed when the LFI ruleset is applied. Use the evaluatePreconfiguredExpr('lfi-stable') || evaluatePreconfiguredExpr('rfi-stable') rule to block requests using the LFI and RFI rule sets and tune the rules as necessary. You can verify that the challenge solution no longer succeeds.

Some HTTP attacks can also be mitigated using preconfigured rulesets:

  • To avoid HTTP verb tampering, use the method enforcement rule set (in preview). Use the evaluatePreconfiguredExpr('methodenforcement-stable') rule to disallow HTTP request methods other than GET, HEAD, POST, and OPTIONS.
  • To block common attacks against HTTP parsing and proxies, such as HTTP request smuggling, HTTP response splitting, and HTTP header injection, use the protocol attack rule set by using the evaluatePreconfiguredExpr('protocolattack-stable') rule.

Security Health Analytics

Use case:

  • Security control monitoring and alerting

Monitor dozens of signals through a single interface to ensure your application is maintaining security best practices.

Web Security Scanner

Use case:

  • Web application scanner tailored for OWASP Top 10
  • HTTP server configuration errors
  • Mixed HTTP/HTTPS content
  • XML external entity (XXE)

Web Security Scanner monitors for common security errors, such as content-type mismatches, invalid security headers, and mixed content serving. Web Security Scanner also monitors for vulnerabilities, like XXE vulnerabilities. These scans are designed to cover the OWASP top 10 controls. The following detectors scan for security misconfigurations:

  • INVALID_CONTENT_TYPE
  • INVALID_HEADER
  • MISMATCHING_SECURITY_HEADER_VALUES
  • MISSPELLED_SECURITY_HEADER_NAME
  • MIXED_CONTENT
  • XXE_REFLECTED_FILE_LEAKAGE

For more information on these and other detectors, see Overview of Web Security Scanner.
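As an added example (not Web Security Scanner's own detection logic), the following Python checks apply a simplified reading of each finding's definition to constructed HTTP responses, so you can see what the detectors listed above flag: a security header name that is a near miss of a real one, the same security header sent twice with different values, a header value a browser would reject, http:// subresources on an https:// page, and a body that contradicts its Content-Type. The header sets, URLs and bodies are assumptions.

```python
"""Local checks for the response misconfigurations behind the Web Security
Scanner detector names listed above.

Added example: this is not Web Security Scanner's detection logic. Each check
is a simplified reading of the finding's definition, run over constructed
responses. Header sets, URLs and bodies are assumptions.
"""
import re
from difflib import get_close_matches

# Security headers the checks know about and, where the value space is small,
# the values browsers accept (compared case-insensitively).
SECURITY_HEADERS = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"NOSNIFF"},
    "strict-transport-security": None,   # free-form, but must carry max-age=
    "content-security-policy": None,
}

MIXED_CONTENT_RE = re.compile(r"""(?:src|href)=["']http://""", re.IGNORECASE)
HSTS_RE = re.compile(r"max-age=\d+", re.IGNORECASE)


def _sniff(body):
    """Crude content sniff of the body: 'html', 'json' or None."""
    s = body.lstrip()
    if s.startswith("<"):
        return "html"
    if s[:1] in ("{", "["):
        return "json"
    return None


def check_response(resp):
    """Return the sorted, de-duplicated finding names for one response.

    resp is {"url": str, "headers": [(name, value), ...], "body": str}.
    Headers are a list of pairs, not a dict, so duplicates survive.
    """
    findings = set()
    headers = [(name.lower(), value.strip()) for name, value in resp["headers"]]

    for name, value in headers:
        if name in SECURITY_HEADERS:
            allowed = SECURITY_HEADERS[name]
            if allowed is not None and value.upper() not in allowed:
                findings.add("INVALID_HEADER")
            if name == "strict-transport-security" and not HSTS_RE.search(value):
                findings.add("INVALID_HEADER")
        elif get_close_matches(name, list(SECURITY_HEADERS), n=1, cutoff=0.8):
            # Close to a real security header but not equal: a typo browsers ignore.
            findings.add("MISSPELLED_SECURITY_HEADER_NAME")

    for name in SECURITY_HEADERS:
        values = {value for hname, value in headers if hname == name}
        if len(values) > 1:
            findings.add("MISMATCHING_SECURITY_HEADER_VALUES")

    if resp["url"].startswith("https://") and MIXED_CONTENT_RE.search(resp["body"]):
        findings.add("MIXED_CONTENT")

    content_type = next((v for n, v in headers if n == "content-type"), "")
    declared = ("html" if "text/html" in content_type
                else "json" if "application/json" in content_type else None)
    sniffed = _sniff(resp["body"])
    if declared and sniffed and declared != sniffed:
        findings.add("INVALID_CONTENT_TYPE")

    return sorted(findings)


# Constructed responses (not real captures); one per finding plus a clean one.
SAMPLES = {
    "hardened": {
        "url": "https://shop.example/",
        "headers": [("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
                    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("Content-Type", "text/html; charset=utf-8")],
        "body": '<!doctype html><html><script src="https://cdn.example/app.js"></script></html>',
    },
    "misspelled": {
        "url": "https://shop.example/",
        "headers": [("X-Frame-Option", "DENY"), ("Content-Type", "text/html")],
        "body": "<html></html>",
    },
    "duplicate": {
        "url": "https://shop.example/",
        "headers": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN"),
                    ("Content-Type", "text/html")],
        "body": "<html></html>",
    },
    "invalid-value": {
        "url": "https://shop.example/",
        "headers": [("X-Frame-Options", "SAME-ORIGIN"),
                    ("Strict-Transport-Security", "includeSubDomains"),
                    ("Content-Type", "text/html")],
        "body": "<html></html>",
    },
    "mixed": {
        "url": "https://shop.example/",
        "headers": [("Content-Type", "text/html")],
        "body": '<html><script src="http://cdn.example/app.js"></script></html>',
    },
    "content-type": {
        "url": "https://shop.example/api/status",
        "headers": [("Content-Type", "application/json")],
        "body": "<html><body>Not JSON</body></html>",
    },
}


def run_samples():
    """Map each sample name to the list of finding names it produces."""
    return {name: check_response(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:14s} -> {findings or 'no findings'}")
```

Headers are kept as an ordered list of pairs rather than a dict so that duplicate headers, which is what MISMATCHING_SECURITY_HEADER_VALUES is about, reach the check; a dict would silently keep only the last value.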

A06: Vulnerable and outdated components

Vulnerable and outdated components is a category of generic attack vectors, and such vulnerabilities are best mitigated by monitoring and quickly upgrading all of your application components.

Binary Authorization

Use case:

  • Restrict GKE clusters to trusted containers

Binary Authorization is a deploy-time security control that helps ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE). With Binary Authorization, you can require that images are signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can be assured that your build-and-release process uses only verified images.

Cloud Load Balancing

Use case:

  • Fine-grained SSL and TLS cipher control

Prevent the use of known-vulnerable SSL or TLS ciphers by assigning a predefined group or custom list of ciphers that Cloud Load Balancing can use.

Container Threat Detection

Use case:

  • Malicious script detection
  • Reverse shell detection
  • Malware installation detection

If an attacker exploits a vulnerable compon