OWASP TOP 10 – 2017 Released After Four years | Open Web Application Security Project

The Open Web Application Security Project (OWASP) officially released its Top 10 most critical web application security risks. This is the first time the organization has updated the Top 10 since 2013.

“Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used,” the OWASP wrote in the Top 10 2017.

According to the OWASP, some significant changes over the past couple of years that resulted in an update to the Top 10 include micro-services, single page apps, and the dominance of JavaScript as a primary language on the web.

What are the Changes?
In 2017, SQL injection stays at the top, followed by Broken Authentication. Insecure Direct Object References and Missing Function Level Access Control were merged into A5:2017-Broken Access Control.

Cross-Site Scripting moved from A3:2013 to A7:2017 and Security Misconfiguration from A5:2013 to A6:2017.

Sensitive Data Exposure moves sharply up from A6:2013 to A3:2017, reflecting the impact of recent data exposures. Using Components with Known Vulnerabilities keeps the same position as A9:2017-Using Components with Known Vulnerabilities.
New Additions – OWASP

A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools (SAST) data sets.
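The fix side of XXE (also the point of the A4:2017 bullet further down: developers and devops need to understand how to fix it) is to make sure the XML parser can never be asked to resolve an entity at all. The following is an added example, not code from OWASP or from this post; it uses Python's standard-library expat bindings and constructed sample documents, and its guard simply refuses any document that declares a DOCTYPE or an entity before any element is parsed.

```python
"""XXE guard: parse XML with expat while refusing every DOCTYPE or entity
declaration, so an external entity can never be resolved. Added example."""
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text}.

    Any DOCTYPE or ENTITY declaration aborts parsing before the parser
    could ever be asked to fetch an external entity (file or URL).
    """
    parser = expat.ParserCreate()
    result: dict = {}
    open_tags: list = []   # stack of currently open element names
    chunks: dict = {}      # tag -> list of character-data chunks

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE ..." before any internal subset is read.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted")

    def on_entity_decl(*args):
        # Defence in depth: reject entity declarations as well.
        raise DtdNotAllowed("entity declarations are not accepted")

    def on_start(tag, attrs):
        open_tags.append(tag)
        chunks.setdefault(tag, [])

    def on_chars(text):
        if open_tags:
            chunks[open_tags[-1]].append(text)

    def on_end(tag):
        open_tags.pop()
        result[tag] = "".join(chunks[tag]).strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True when the guard refused the document; useful for tests and triage."""
    try:
        parse_without_dtd(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample documents (not taken from any real application).
SAFE_DOC = b"<order><id>42</id><item>widget</item></order>"
INTERNAL_DTD_DOC = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY greet "hi">]>'
                    b"<order><id>&greet;</id></order>")
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example/secret.txt">]>'
           b"<order><id>&ext;</id></order>")

if __name__ == "__main__":
    print(parse_without_dtd(SAFE_DOC))
    for doc in (INTERNAL_DTD_DOC, XXE_DOC):
        print("rejected" if is_rejected(doc) else "accepted")
```

Rejecting all DTDs is the simplest policy and is what a tester should expect to see; if an application genuinely needs DTDs, the narrower controls are to keep external general entities disabled (for Python's SAX parser that is the `feature_external_ges` feature) and to cap entity expansion.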

A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.
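What "permits remote code execution" means in practice is that a native serialization format lets the byte stream name classes and functions to instantiate, and the A8:2017 bullet below asks testers to recognise that shape. The following is an added example, not code from OWASP or from this post, written in Python rather than the Java or PHP the post mentions: it shows the restricted-unpickler pattern documented in Python's `pickle` module (overriding `find_class` so the stream cannot import anything) beside the preferable fix, a data-only format with explicit field checks. The sample objects and the order schema are constructed.

```python
"""Insecure deserialization: a restricted unpickler that refuses every class
reference, and the JSON-with-schema alternative. Added example."""
import datetime
import io
import json
import pickle


class UntrustedPickle(pickle.UnpicklingError):
    """Raised when a pickle stream tries to import any class or function."""


class NoGlobalsUnpickler(pickle.Unpickler):
    """pickle.loads() imports and calls whatever the stream names.

    find_class is the documented hook for controlling that; raising here
    means only primitive containers (dict, list, str, int, ...) survive.
    """

    def find_class(self, module, name):
        raise UntrustedPickle(f"refusing to import {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize a pickle that may contain only primitive data."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def pickle_rejected(data: bytes) -> bool:
    """True when the restricted unpickler refused the stream."""
    try:
        restricted_loads(data)
    except UntrustedPickle:
        return True
    return False


# Preferred fix: a data-only format plus an explicit, constructed schema.
ORDER_SCHEMA = {"id": int, "item": str, "qty": int}


def load_order_json(raw: str) -> dict:
    """Parse an order from JSON and check every field's presence and type."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != set(ORDER_SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, typ in ORDER_SCHEMA.items():
        if type(obj[key]) is not typ:   # 'is not' so bool is not accepted as int
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    return obj


def json_rejected(raw: str) -> bool:
    """True when the schema check refused the document."""
    try:
        load_order_json(raw)
    except ValueError:
        return True
    return False


# Constructed sample streams: pure data, and an object that references a class.
PLAIN_PICKLE = pickle.dumps({"id": 42, "item": "widget"})
CLASS_PICKLE = pickle.dumps(datetime.date(2017, 11, 20))

if __name__ == "__main__":
    print(restricted_loads(PLAIN_PICKLE))
    print("class pickle rejected:", pickle_rejected(CLASS_PICKLE))
    print(load_order_json('{"id": 42, "item": "widget", "qty": 2}'))
```

The `datetime.date` stream is harmless, but it is rejected for the same reason a malicious one would be: its bytes reference a class by module and name, and the loader has no business resolving that on behalf of a client. Detection in code review is the mirror image: any `pickle.loads`, Java `ObjectInputStream.readObject` or PHP `unserialize` call reached by request data is a finding until an allowlist or a data-only format is in place.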

A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay the detection of malicious activity and breaches, incident response, and digital forensics.

The new or heavily updated risks need little explanation:

  • We cover APIs as well as web apps throughout the entire Top 10. This covers mobile, single page apps, RESTful APIs and traditional web apps.
  • A3:2017 Sensitive Data Exposure is now firmly about privacy and PII breaches, and not stack traces or headers.
  • A4:2017 XXE is a new data supported item, and so tools and testers need to learn how to find and test for XXE, and developers and devops need to understand how to fix it.
  • A6:2017 Misconfiguration now encompasses cloud security issues, such as open buckets.
  • A8:2017 Deserialization is a critical issue, asked for by the community. It's time to learn how to find this with tools, and for testers to understand what Java, PHP and other serialization formats look like so that it can be fixed.
  • A10:2017 Insufficient Logging and Monitoring. Many folks think this is a missing control rather than a weakness, but it was selected by the community, and whilst organizations still take over half a year to detect a breach, usually from external notification, we have to fix this. The way forward here for testers is to ask the organization whether they detected whatever activity was undertaken, and whether they would have responded to it without being prompted. Obviously, we are looking for testing to be undertaken through security devices, but whitelisted, so that logging, escalation and incident response can also be assessed.

Comments

  1. Wow... This post is a good comparison of the OWASP top ten for 2013 and 2017. I found this information very useful. Thanks for sharing.
  2. Very informative and creative content. This concept is a good way to enhance the knowledge. Thanks for sharing. Continue to share your knowledge through articles like these, and keep posting on

    Data Engineering Solutions 

    AI Solutions

    Data Analytics Services

    Business Intelligence Solutions