The Open Web Application Security Project (OWASP) just released an update to the ten most critical web application security risks.
Back in 2002 I wrote the first OWASP Top 10 list and it was published in 2003. My idea was that application security needed a document to create awareness about key risks and help companies protect themselves from hackers. Since its inception it has become the most recognized source of application security guidance because it’s straightforward and practical.
OWASP was formed to offer genuinely impartial advice on appsec best practices and to foster the creation of open standards. Its mission is to “make application security visible so that individuals and organizations can make informed decisions about application security risks.” Visibility is key. It creates the pressure for the industry to make improvements.
To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry. While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software.
| OWASP Top 10 – 2013 (Previous) | OWASP Top 10 – 2017 (Proposed) |
|---|---|
| A1 – Injection | A1 – Injection |
| A2 – Broken Authentication and Session Management | A2 – Broken Authentication and Session Management |
| A3 – Cross-Site Scripting (XSS) | A3 – Cross-Site Scripting (XSS) |
| A4 – Insecure Direct Object References (merged with A7 into the 2017 A4) | A4 – Broken Access Control (original category in 03/04) |
| A5 – Security Misconfiguration | A5 – Security Misconfiguration |
| A6 – Sensitive Data Exposure | A6 – Sensitive Data Exposure |
| A7 – Missing Function Level Access Control (merged with A4) | A7 – Insufficient Attack Protection (NEW) |
| A8 – Cross-Site Request Forgery (CSRF) | A8 – Cross-Site Request Forgery (CSRF) |
| A9 – Using Known Vulnerable Components | A9 – Using Known Vulnerable Components |
| A10 – Unvalidated Redirects and Forwards (dropped) | A10 – Underprotected APIs (NEW) |
We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003. Two major additions were made to the Top 10: A7: Insufficient Attack Protection and A10: Underprotected APIs. To make space for these new items, two access control related items were merged back into “A4: Broken Access Control.” Also, the old “A10: Unvalidated Redirects and Forwards” was dropped from the list because its severity and prevalence didn’t justify keeping it.
The Two New Vulnerabilities: Insufficient Attack Protection & Underprotected APIs
A7: Insufficient Attack Protection. This new requirement means that applications need to detect, prevent, and respond to both manual and automated attacks. No longer will attackers be prompted with “Invalid input, please try again.” Instead, anyone attempting attacks will have their attempts blocked and their account flagged. Web application firewalls have been ineffective at blocking application attacks because they have no context for what they are protecting. Contrast Protect effectively blocks attacks by injecting the protection directly into the application where it can take advantage of the full application context.
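To make the A7 distinction concrete, here is an added example (not code from the original post, and not Contrast Protect) of a minimal in-application attack-protection layer. It separates an ordinary validation failure, which still gets the plain “invalid input” response, from an input that looks like an attack probe, which is counted per account, flagged for the security team, and, past a threshold, causes the account to be blocked. The probe signatures, the threshold and the in-memory store are all assumptions made for illustration; a real deployment would use the application’s own parsers and context rather than a handful of regular expressions.

```python
"""Added example: detect, flag and block attack probes inside the application.

Not from the original post or from Contrast Security. Signatures, threshold and
storage are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, deliberately small signature set for the demonstration.
PROBE_PATTERNS = [
    re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+"),    # quoted-string tautology
    re.compile(r"\.\./"),                          # path traversal sequence
    re.compile(r"(?i)<\s*script"),                 # script tag in a plain-text field
    re.compile(r"(?i);\s*(drop|delete|union)\b"),  # stacked SQL keyword after a separator
]

PROBE_THRESHOLD = 3  # assumed: block the account after this many probes
VALID_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed field rule


@dataclass
class AttackProtection:
    """Per-account probe counting, flagging and blocking (in-memory for the example)."""
    probe_count: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)
    flags: List[str] = field(default_factory=list)

    def is_probe(self, value: str) -> bool:
        """True when the input matches a known attack pattern rather than a typo."""
        return any(p.search(value) for p in PROBE_PATTERNS)

    def handle(self, account: str, field_name: str, value: str) -> str:
        """Return the disposition of one input: 'ok', 'invalid', 'attack' or 'blocked'."""
        if account in self.blocked:
            return "blocked"  # already locked out; do not process further input
        if self.is_probe(value):
            self.probe_count[account] += 1
            self.flags.append(f"account={account} field={field_name} probe={value!r}")
            if self.probe_count[account] >= PROBE_THRESHOLD:
                self.blocked.add(account)
                self.flags.append(f"account={account} BLOCKED after {PROBE_THRESHOLD} probes")
            return "attack"  # caller returns a generic error, never the usual validation hint
        if not VALID_USERNAME.fullmatch(value):
            return "invalid"  # ordinary user mistake: 'Invalid input, please try again' is fine
        return "ok"


if __name__ == "__main__":
    ap = AttackProtection()
    for acct, val in [("alice", "alice"), ("alice", ""),
                      ("mallory", "x' OR 1=1"), ("mallory", "../../etc"),
                      ("mallory", "<script>"), ("mallory", "bob")]:
        print(acct, repr(val), "->", ap.handle(acct, "username", val))
    print("\n".join(ap.flags))
```

The point of the split is the response: a benign mistake still gets a helpful message, while a probe is answered with a generic error, logged with the account and field it came through, and the account stops being served once it has crossed the threshold.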
What's Next for Application Security Testing
A new section called "What's Next for Application Security Testing" has been added and appears at the end of the 2017 OWASP Top 10. One of the key takeaways here is the need for every organization to “Establish Continuous Application Security Testing.”
The application security industry is going through a transition; some have even called it the “industrial revolution” of our profession. The only way to succeed in application security is to use a process that continuously: (1) evaluates new threats; (2) establishes defenses; and (3) monitors those defenses to make sure they are working.
A lot has changed since 2002 but unfortunately application security is allocated a very small portion of budget. And, for all the advances we’ve made at OWASP, application security isn’t part of every software project. We still have our work cut out for us.
The good news is Contrast Security closely monitors the vulnerabilities in the OWASP Top 10, and can address most items out of the box, or by creating custom rules. I believe in the future all software will be instrumented for security all of the time and therefore will automatically protect itself against attacks.