Skip to content

Two New Vulnerabilities added to the OWASP Top 10


The Open Web Application Security Project (OWASP) just released an update to the ten most critical web application security risks.

Back in 2002 I wrote the first OWASP Top 10 list and it was published in 2003. My idea was that application security needed a document to create awareness about key risks and help companies protect themselves from hackers.  Since its inception it has become the most recognized source of application security guidance because it’s straightforward and practical. 

OWASP was formed to offer genuinely impartial advice on appsec best practices and to foster the creation of open standards. Its mission is to “make application security visible so that individuals and organizations can make informed decisions about application security risks.” Visibility is key. It creates the pressure for the industry to make improvements.

To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry. While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software.

OWASP Top 10 – 2013 (Previous) OWASP Top 10 – 2017 (PROPOSED)
A1 – Injection A1 – Injection
A2 – Broken Authentication and Session Management A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS) A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References Merged w/ A7 into > A4 – Broken Access Control (Original category in 03/04)
A5 – Security Misconfiguration A5 – Security Misconfiguration
A6 – Sensitive Data Exposure A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control - Merged with A4 A7 – Insufficient Attack Protection (NEW)
A8 – Cross-Site Request Forgery (CSRF) A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components A9 – Using Known Vulnerable Component
A10 – Unvalidated Redirects and Forwards - Dropped A10 – Underprotected APIs (NEW)


We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003. Two major additions where added to the Top 10: A7: Insufficient Attack Protection and A10: Underprotected APIs. To make space for these new items, two access control related items were merged back into “A4: Broken Access Control.” Also, the old “A10: Unvalidated Redirects and Forwards” was dropped off the list as its severity and prevalence didn’t justify keeping it. 

The Two New Vulnerabilities: Insufficient Attack Protection & Underprotected APIs

A7: Insufficient Attack Protection. This new requirement means that applications need to detect, prevent, and respond to both manual and automated attacks. No longer will attackers be prompted with “Invalid input, please try again.” Instead, anyone attempting attacks will have their attempts blocked and their account flagged. Web application firewalls have been ineffective at blocking application attacks because they have no context for what they are protecting. Contrast Protect effectively blocks attacks by injecting the protection directly into the application where it can take advantage of the full application context.

A10: Underprotected APIs.  The use of APIs has exploded in modern software, to the point that even browser web applications are often written in Javascript and use APIs to get data. There is a huge variety of protocols and data formats used by these APIs, including SOAP/XML, REST/JSON, RPC, GWT, and many more. The complexity of these APIs makes them difficult for other tools to analyze and protect. This leads to a false sense of APIs security in many companies as their tools simply can't see either vulnerabilities or attacks. However, Contrast Assess’ instrumentation-based approach works perfectly to detect vulnerabilities in APIs quickly and accurately.  Similarly, Contrast Protect provides full Runtime Application Self-Protection (RASP) capabilities for APIs as well.

What's Next for Application Security Testing

A new section called "What's Next for Application Security Testing"  has been added and appears at the end of the 2017 OWASP Top 10. One of the key takeaways here is the need for every organization to “Establish Continuous Application Security Testing.”

As the application security industry changes and evolves, it has gone through a transition; some have even called it the “industrial revolution” of our profession. The only way to succeed in application security is to use a process that continuously: (1) evaluates new threats; (2) establishes defenses; and (3) monitors those defenses to make sure they are working.

A lot has changed since 2002 but unfortunately application security is allocated a very small portion of budget.  And, for all the advances we’ve made at OWASP, application security isn’t part of every software project. We still have our work cut out for us.

The good news is Contrast Security closely monitors the vulnerabilities in the OWASP Top 10, and can address most items out-of-box, or by creating custom rules. I believe in the future all software will be instrumented for security all of the time and therefore will automatically protect itself against attacks.


Jeff Williams
| Co-founder and CTO
Contrast Security
888.371.1333 | @planetlevel @contrastsec


Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.