The Open Web Application Security Project (OWASP) released the OWASP Top 10 – 2017 this past month. The new standard includes the ten most critical web application security risks, the first update since the 2013 version.
The OWASP Top 10 list has become the “de facto” application security standard to help organizations be aware of the more prevalent web app security risks and develop more secure apps.
An excerpt from OWASP Top 10:
“A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here.”
The draft of the latest update was released in April and incorporates significant feedback from the application security community, including an industry survey completed by 500 security experts.
The data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs, according to OWASP.
What has changed in the 2017 vs. 2013 version?
The OWASP Top 10 list has retired or merged several issues as described in Figure A below.
Three new issues were added to this year’s list:
- A4:2017-XML External Entities (XXE) – “Is a new category primarily supported by source code analysis security testing tools (SAST) data sets.”
- A8:2017-Insecure Deserialization – “Which permits remote code execution or sensitive object manipulation on affected platforms.”
- A10:2017-Insufficient Logging and Monitoring – “The lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.”
The latter two were supported by the application security community.
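The A4:2017 entry above names the risk but not the defence. The following is an added example, not code from OWASP or from the article, showing the simplest robust mitigation for applications that never need a DTD: refuse any document that declares a DOCTYPE or an entity before it reaches the real parser. It uses only the standard-library expat bindings; the sample documents, the `ForbiddenDTD` class and the `file:///PLACEHOLDER-PATH` system identifier are constructed for the example and stand in for whatever an attacker would point an external entity at.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ForbiddenDTD(ValueError):
    """Raised when an untrusted document carries a DOCTYPE or entity declaration."""


def is_dtd_free(xml_bytes):
    """Return True if the document declares no DOCTYPE and no entities.

    Both XXE (external entity) and entity-expansion attacks require a DTD, so
    rejecting every DTD closes the category outright for applications whose
    schemas never legitimately use one. Malformed XML raises ExpatError here,
    which is left for the caller to handle.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat calls this as soon as it sees <!DOCTYPE ...>, before any
        # entity is declared or resolved, so nothing external is ever fetched.
        raise ForbiddenDTD("DOCTYPE declaration %r is not allowed" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Belt-and-braces: an entity declaration cannot appear outside a
        # DOCTYPE, but refuse it explicitly anyway.
        raise ForbiddenDTD("entity declaration %r is not allowed" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except ForbiddenDTD:
        return False
    return True


def parse_untrusted(xml_bytes):
    """Parse XML from an untrusted source, refusing anything that carries a DTD."""
    if not is_dtd_free(xml_bytes):
        raise ForbiddenDTD("refusing XML with DTD/entity declarations")
    return ET.fromstring(xml_bytes)


# Constructed sample inputs (not from the page).
SAFE_DOC = b'<order id="42"><item sku="ABC-1" qty="2"/></order>'
XXE_DOC = (
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">]>'
    b'<order id="42">&ext;</order>'
)

if __name__ == "__main__":
    print("safe document accepted:", parse_untrusted(SAFE_DOC).get("id"))
    print("document with DTD is DTD-free:", is_dtd_free(XXE_DOC))
```

The document is parsed twice (once by the guard, once by ElementTree), which is a deliberate trade: the guard is parser-independent, so the same check protects a later switch to lxml or another library whose default entity handling differs. Where a DTD is genuinely required, the narrower setting is to keep the DOCTYPE but disable external entity resolution in the parser actually used, which is what libraries such as defusedxml do.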
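The A10:2017 entry is about what the application fails to record rather than a flaw in its code, so the concrete defence is on the emitting side and the consuming side together. The following added example (not OWASP's or the article's code) shows both: an application writes structured authentication events with a fixed set of fields, and a small monitor reads those lines back and flags a source address that fails repeatedly inside a time window. The log lines, addresses, user names and the five-failures-in-five-minutes threshold are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def audit_line(event, user, src, ts):
    """Build one structured audit record (who, from where, what, when) as JSON.

    A fixed key set is what makes failures countable by a monitor; a free-text
    'login failed' message with no source field cannot be correlated at all.
    """
    rec = {"ts": ts.strftime(TS_FMT), "event": event, "user": user, "src": src}
    return json.dumps(rec)


# Constructed sample audit lines (not from the page): one source fails five
# times within ninety seconds, another fails once and then succeeds.
LOG_LINES = [
    '{"ts": "2017-11-20T10:00:01Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}',
    '{"ts": "2017-11-20T10:00:15Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}',
    '{"ts": "2017-11-20T10:00:22Z", "event": "login_failure", "user": "bob", "src": "203.0.113.5"}',
    '{"ts": "2017-11-20T10:00:40Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}',
    '{"ts": "2017-11-20T10:01:02Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}',
    '{"ts": "2017-11-20T10:01:30Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}',
    '{"ts": "2017-11-20T10:02:00Z", "event": "login_success", "user": "bob", "src": "203.0.113.5"}',
]


def parse_line(line):
    """Decode one JSON audit line and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return the set of source addresses with at least `threshold` login
    failures inside any sliding window of length `window`.

    Events are sorted by timestamp first so out-of-order delivery (common when
    several application nodes ship logs) does not break the window logic.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged = set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["event"] != "login_failure":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop failures that fell out of the window relative to this event.
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(rec["src"])
    return flagged


if __name__ == "__main__":
    print("sources exceeding failure threshold:", detect_bruteforce(LOG_LINES))
```

The threshold and window are parameters rather than constants because the right values depend on the application's normal failure rate; the useful property is that, with events in this shape, changing the policy is a one-line change to the monitor and needs no change to the application.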
Also, note that two issues from the 2013 list – Insecure Direct Object References (A4) and Missing Functional Level Access Control (A7) – have merged into Broken Access Control (A5) in the 2017 version.
Cross-site scripting (XSS) moved down from 3rd place in the 2013 version to 7th place in the latest list.
Injection and Broken Authentication remained in first and second place respectively in both the 2013 and 2017 versions of the OWASP Top 10.
Finally, A8:2013-Cross-Site Request Forgery (CSRF) fell out of the Top 10, mainly because many frameworks now include CSRF defenses, and CSRF was found in only 5% of the applications. A10:2013-Unvalidated Redirects and Forwards also fell out of the Top 10 list.