Two Years After the Release of the 2017 OWASP Top Ten, Limited Improvements Shown
Contrast Labs finds that 71% of applications have at least one OWASP Top Ten vulnerability when onboarded to Contrast Assess.
Contrast Assess works by infusing software with vulnerability assessment capabilities so that security flaws are automatically identified. The vulnerabilities reported here were found within thousands of real world applications during their first month monitored by Assess, reported from inside the applications as Contrast agents continuously analyzed code in realtime.
When the same research was conducted two years ago, 80% of applications possessed at least one of these vulnerabilities. This dip in vulnerabilities represents the growing focus on security across organizations and the shift to teams embedding security across the SLDC, starting with within the application team themselves. However, it also highlights the continued need to improve the way we practice security.
OWASP Top Ten Most Rampant Vulnerabilities
|
#5 Broken Access Control - affects 18% of applications Broken Access Control combined two previous OWASP Top 10 from the 2013 list: Insecure Direct Object References and Missing Function Level Access Control. Together, this category represents flaws and gaps that allow an attacker to act as users or administrators of the application. |
 |
#4 Injection - affects 25% of applications Injection vulnerabilities allow malicious inputs into an application. They lead to 4 out of the top 10 most prevalent attack types: OGNL, Expression Language, Command, and SQL injections. During an injection attack, untrusted inputs, or unauthorized code are “injected” into a program, which are then interpreted as part of a query or command. |
 |
#3 Broken Authentication - affects 33% of applications In 2017, this vulnerability affected 41% of applications. Due to poor design and implementation of most identity and access controls, the prevalence of broken authentication is widespread. |
 |
#2 Security Misconfiguration - affects 36% of applications Security Misconfiguration can happen when there is a failure to implement all of the security controls securely for an application. It can happen at any level of an application stack including the platform, web server, application server, database, framework, and custom code. It currently affects the same proportion of applications as it did in 2017. |
 |
#1 Sensitive Data Exposure - affects 65% of application The top vulnerability in 2017 (affecting 69% of applications) remains the most rampant in 2019. The importance of encrypting both web traffic and sensitive data in storage cannot be underestimated. This vulnerability is limited to flaws that put sensitive data at risk of being exposed or stolen. The potential impact of a hacker accessing this information is massive. Development teams should focus on creating a unified strategy to identify sensitive data and encrypt it wherever it goes. |
OWASP Top Ten Vulnerabilities By Application Language
To dissect the trends further, Contrast Labs compared the OWASP top 10 vulnerabilities across two of the most popular web application development languages. There was minimal movement in these metrics over the last two years.
The definition of insanity is doing the same thing over and over again and expecting different results. None of the vulnerabilities above are new. We must enable everyone across the software lifecycle to perform security testing within their normal workflow. By identifying and reporting results in real-time, Contrast Assess provides accurate results to everyone, empowering each person responsible for the app to be responsible for its security as well.
Katharine Watson, Sr. Data Analyst and Data Scientist
Katharine brings a wide range of analyst experience to Contrast. She has a history of devouring large data sets to discover knowledge and produce compelling narratives for a wide range of audiences. She is focused on using data to help tell Contrast’s story. Before joining the Contrast team, Katharine worked as an analyst, consultant, and project manager in both the private and non-profit sectors.
Loving our content? Subscribe now!
Get the latest application security news, trends, tips and insights content from Contrast directly to your inbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast Security.