Skip to content

Two Years After the Release of the 2017 OWASP Top Ten, Limited Improvements Shown

By Contrast Marketing

October 30, 2019

Security AppSec

% of applications affected by OWASP TOP 10

Contrast Labs finds that 71% of applications have at least one OWASP Top Ten vulnerability when onboarded to Contrast Assess.

Contrast Assess works by infusing software with vulnerability assessment capabilities so that security flaws are automatically identified. The vulnerabilities reported here were found within thousands of real world applications during their first month monitored by Assess, reported from inside the applications as Contrast agents continuously analyzed code in realtime.

When the same research was conducted two years ago, 80% of applications possessed at least one of these vulnerabilities. This dip in vulnerabilities represents the growing focus on security across organizations and the shift to teams embedding security across the SLDC, starting with within the application team themselves. However, it also highlights the continued need to improve the way we practice security. 

OWASP Top Ten Most Rampant Vulnerabilities

% of applications affected by Broken Access Control


#5 Broken Access Control - affects 18% of applications

Broken Access Control combined two previous OWASP Top 10 from the 2013 list: Insecure Direct Object References and Missing Function Level Access Control. Together, this category represents flaws and gaps that allow an attacker to act as users or administrators of the application.

% of applications affected by Injection

#4 Injection - affects 25% of applications

Injection vulnerabilities allow malicious inputs into an application. They lead to 4 out of the top 10 most prevalent attack types: OGNL, Expression Language, Command, and SQL injections. During an injection attack, untrusted inputs, or unauthorized code are “injected” into a program, which are then interpreted as part of a query or command.

% of applications affected by Broken Auth

#3 Broken Authentication - affects 33% of applications

In 2017, this vulnerability affected 41% of applications. Due to poor design and implementation of most identity and access controls, the prevalence of broken authentication is widespread.

% of applications affected by Security Misconfiguration

#2 Security Misconfiguration - affects 36% of applications

Security Misconfiguration can happen when there is a failure to implement all of the security controls securely for an application. It can happen at any level of an application stack including the platform, web server, application server, database, framework, and custom code. It currently affects the same proportion of applications as it did in 2017.

% of applications affected by Sensitive Data Exposure

#1 Sensitive Data Exposure - affects 65% of application

The top vulnerability in 2017 (affecting 69% of applications) remains the most rampant in 2019. The importance of encrypting both web traffic and sensitive data in storage cannot be underestimated. This vulnerability is limited to flaws that put sensitive data at risk of being exposed or stolen. The potential impact of a hacker accessing this information is massive. Development teams should focus on creating a unified strategy to identify sensitive data and encrypt it wherever it goes.


OWASP Top Ten Vulnerabilities By Application Language

To dissect the trends further, Contrast Labs compared the OWASP top 10 vulnerabilities across two of the most popular web application development languages. There was minimal movement in these metrics over the last two years. 

% of applications affected by OWASP TOP 10

The definition of insanity is doing the same thing over and over again and expecting different results. None of the vulnerabilities above are new. We must enable everyone across the software lifecycle to perform security testing within their normal workflow. By identifying and reporting results in real-time, Contrast Assess provides accurate results to everyone, empowering each person responsible for the app to be responsible for its security as well. 

Contrast Marketing

Contrast Marketing