The OWASP Top 10 - 2017 reflects a move towards modern, high-speed software development that we’ve seen explode across the industry since the last version of the Top 10 in 2013.
While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software and the importance of real-time application security protection solutions.
IN THE NEWS...
SD Times, by Madison Moore
The Open Web Application Security Project (OWASP) released its Top 10 2017 project for public comment. This is the 14th year OWASP is raising awareness of security risks with its list, and it contains two major vulnerability updates, example attack scenarios, and a list of free and open resources for security-conscious developers.
When Jeff Williams, OWASP Top 10 project creator and coauthor, first wrote the OWASP Top Ten, he said the application security industry was “shrouded in darkness.” There were only a few individuals who gained knowledge through hand-to-hand combat with applications, and these individuals recognized that they had to make this information public.
“For all the advances we’ve made at OWASP, application security isn’t part of every software project, it’s not taught regularly in university, and it’s often not viewed well by development projects,” said Williams. “In fact, based on the OWASP T10 data we just collected, the average number of serious vulnerabilities per application is a stunning 20.5. That’s an insane number that just shows how far we have to go.”
Read the full article, "OWASP adds unprotected APIs, insufficient attack protection to Top Ten 2017 release", at SD Times.
Also, in the news...
Dark Reading, by Ericka Chickowski
After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.
Security leaders welcome some vital changes to the list, namely the addition of application programming interfaces (APIs), that acknowledge shifts in the development and threat landscape, with hopes that these types of changes would be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that's a testament to the need for developer practices, not the list itself, to more rapidly evolve.
DZone, 4/12, by Tom Smith
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, we periodically update the OWASP Top 10.
According to Jeff Williams, the original author of the OWASP Top 10 and CTO and founder of Contrast Security, “We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003. Some that have been cut from the list such as ‘Application Denial of Service’ and ‘Unchecked Redirects and Forwards’ are still issues but aren’t nearly as common or impactful as they once were. Others have been combined, like ‘Insecure Direct Object References’ and ‘Missing Function Level Access Control’ into a single ‘Broken Access Control.’ Also, the old ‘Unvalidated Redirects and Forwards’ fell off the list due to its diminishing severity and prevalence.”
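As an added illustration of why the two categories Williams mentions were merged into a single “Broken Access Control” item, here is a small Python example. It is not code from the article, from OWASP or from Contrast Security; the users, roles and invoice records are constructed sample data, and the function names are hypothetical. The “vulnerable” handlers show the two old categories separately (an object-level check missing, and a function-level role check missing); the hardened handlers route both decisions through one authorization gate so that neither check can be forgotten on its own.

```python
"""Added example: the two merged OWASP categories seen in code.

- Insecure Direct Object Reference: the object-level check is missing.
- Missing Function Level Access Control: the role/permission check is missing.
One authorization gate enforcing both is the defensive pattern.
All data below is constructed for the example.
"""

# Constructed sample users with their roles.
USERS = {
    "alice": {"roles": {"user"}},
    "bob": {"roles": {"user"}},
    "carol": {"roles": {"user", "admin"}},
}

# Constructed sample invoices, keyed by an id a client can guess.
INVOICES = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 17.50},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# --- the two old categories, shown separately (vulnerable) ---------------

def vulnerable_get_invoice(current_user, invoice_id, invoices=INVOICES):
    """IDOR: the caller is authenticated, but nothing checks that the
    invoice belongs to them, so any id in the URL is served."""
    return invoices[invoice_id]


def vulnerable_delete_invoice(current_user, invoice_id, invoices=INVOICES):
    """Missing function-level access control: this is meant to be an
    admin-only operation, but no role check is made before acting."""
    return invoices.pop(invoice_id)


# --- hardened: one gate covering object level and function level ---------

def authorize(current_user, action, invoice):
    """Single authorization gate, deny by default.

    Function level: 'delete' additionally requires the admin role.
    Object level: a non-admin may only act on an invoice they own.
    """
    roles = USERS.get(current_user, {}).get("roles", set())
    if action == "delete" and "admin" not in roles:
        raise Forbidden(f"{current_user} lacks the admin role")
    if "admin" not in roles and invoice["owner"] != current_user:
        raise Forbidden(f"{current_user} does not own invoice {invoice}")


def _load_or_deny(invoice_id, invoices):
    # A missing record is reported the same way as a denied one, so a
    # caller cannot use the difference to enumerate which ids exist.
    invoice = invoices.get(invoice_id)
    if invoice is None:
        raise Forbidden("no such invoice or not permitted")
    return invoice


def get_invoice(current_user, invoice_id, invoices=INVOICES):
    """Read path: authorization runs before any data is returned."""
    invoice = _load_or_deny(invoice_id, invoices)
    authorize(current_user, "read", invoice)
    return invoice


def delete_invoice(current_user, invoice_id, invoices=INVOICES):
    """Admin-only path: the same gate enforces the role requirement."""
    invoice = _load_or_deny(invoice_id, invoices)
    authorize(current_user, "delete", invoice)
    return invoices.pop(invoice_id)


def is_denied(fn, *args):
    """Helper for checks: True if the call was refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob reading alice's invoice succeeds on the vulnerable handler...
    print("vulnerable read:", vulnerable_get_invoice("bob", 101))
    # ...and is refused by the hardened one.
    print("hardened read denied:", is_denied(get_invoice, "bob", 101))
    # bob deleting as a plain user is refused; carol (admin) is allowed.
    print("bob delete denied:", is_denied(delete_invoice, "bob", 102, dict(INVOICES)))
    print("carol delete:", delete_invoice("carol", 102, dict(INVOICES)))
```

The point of the single `authorize` gate is that a new handler cannot accidentally get one of the two checks without the other; whether the gap is “wrong object” or “wrong function” is the same failure from the attacker's side, which is the reasoning behind merging the categories.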