By Frank Crast and Andrew Pierce, 12/9/2017


The Open Web Application Security Project (OWASP) released the OWASP Top 10 – 2017 this past month. The new standard includes the ten most critical web application security risks, the first update since the 2013 version.

The OWASP Top 10 list has become the “de facto” application security standard to help organizations be aware of the more prevalent web app security risks and develop more secure apps.

An excerpt from OWASP Top 10:

“A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here.”

The draft of the latest update was released in April and incorporates significant feedback from the application security community, including an industry survey completed by 500 security experts.

The data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs, according to OWASP.

What has changed in the 2017 vs. 2013 version?

The OWASP Top 10 list has retired or merged several issues as described in Figure A below.

Three new issues were added to this year's list:

The latter two were supported by the application security community.

Also, note that two issues from the 2013 list, Insecure Direct Object References (A4) and Missing Functional Level Access Control (A7), have been merged into Broken Access Control (A5) in the 2017 version.

Cross-site scripting (XSS) moved down from 3rd place in the 2013 version to 7th place in the latest list.

Injection and Broken Authentication remained in first and second place respectively in both the 2013 and 2017 versions of the OWASP Top 10.

Finally, A8:Cross-Site Request Forgery (CSRF) fell out of the Top 10, mainly because of major improvements in frameworks that now include CSRF defenses; CSRF was found in only 5% of the applications. A10:Unvalidated Redirects and Forwards also fell out of the Top 10 list.

Figure A: OWASP Top 10 – 2017 (image)

Although the OWASP Top 10 is an excellent start to improve application security, OWASP also recommends organizations leverage the many OWASP guidelines and resources such as the OWASP Application Security Verification Standard (ASVS) and the OWASP Cheat Sheet Series to help developers and programs improve their application security practices.