The Open Web Application Security Project (OWASP) presented the final release for the 2017 OWASP Top 10.
The Open Web Application Security Project (OWASP) published the final version of the 2017 OWASP Top 10. In April, OWASP announced the first release candidate for the 2017 OWASP Top 10; its main novelty was the presence of the following two new vulnerability categories.
“insufficient attack detection and prevention”
The 2017 OWASP Top 10 is based on data from 23 contributors covering more than 114,000 applications. OWASP published on GitHub the data used for its report.
The categories have been selected based on the risk they pose, but what are application security risks?
“Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention,” states OWASP.
“Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult.”
The OWASP Top 10 vulnerabilities are injection, broken authentication, sensitive data exposure, XML external entity (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.
The “insufficient attack detection and prevention” category results from the merger of the current 4th and 7th items, “Insecure direct object references” and “Missing Function Level Access Control.”
The two categories have been merged into the item “Broken access control,” which dates back to 2004.
OWASP left Cross-Site Scripting (XSS) in a separate category, while it removed Cross-site request forgery (CSRF) because it is addressed by modern development frameworks. CSRF was found to affect less than 5% of applications; Unvalidated redirects and forwards was found in around 8% of apps, and for this reason it was removed too.
New entries are XXE, insecure deserialization, and insufficient logging and monitoring; the latter represents a serious problem for many organizations.
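To make the new “insufficient logging and monitoring” category concrete, here is an added example (not code from the article or from OWASP) contrasting a login check that records nothing with one that emits a structured event per attempt, plus a small monitor that replays those events and flags sources with repeated failures. The user database, IP addresses, thresholds and log lines are all constructed for the example.

```python
"""Added example (not from the original article): what adequate logging and
monitoring for authentication looks like, contrasted with a login handler that
records nothing.  All users, sources and log lines here are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed user database: username -> password.  Plain text only to keep the
# example short; a real system stores salted password hashes.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}

FAILURE_THRESHOLD = 5          # failed logins per source before we alert
WINDOW = timedelta(minutes=5)  # sliding window for counting failures


def login_unmonitored(username, password):
    """'Insufficient logging' version: success or failure leaves no record, so a
    credential-stuffing run against this function is invisible to defenders."""
    return USERS.get(username) == password


def login_monitored(username, password, source_ip, log, now=None):
    """Same check, but every attempt is recorded as a structured JSON event with
    the fields an analyst needs: outcome, who, from where, and when."""
    now = now or datetime.now(timezone.utc)
    ok = USERS.get(username) == password
    event = {
        "ts": now.isoformat(),
        "event": "auth",
        "outcome": "success" if ok else "failure",
        "user": username,
        "src": source_ip,
    }
    log.append(json.dumps(event))  # in production: hand this to the logging pipeline
    return ok


def find_bruteforce_sources(log_lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Monitoring side: replay the JSON log and report sources that produced
    `threshold` or more failures inside any sliding `window`.  Returns a dict
    src -> failure count in the first window that tripped the threshold."""
    failures = defaultdict(list)
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines mixed into the log
        if ev.get("event") != "auth" or ev.get("outcome") != "failure":
            continue
        failures[ev["src"]].append(datetime.fromisoformat(ev["ts"]))

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans at most `window`
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def demo():
    """Constructed scenario: one source sprays six wrong passwords at alice while
    a legitimate user logs in once; returns the sources the monitor flags."""
    log = []
    t0 = datetime(2017, 11, 21, 9, 0, tzinfo=timezone.utc)
    for i in range(6):  # six failures in six seconds from 203.0.113.7 (constructed)
        login_monitored("alice", f"guess{i}", "203.0.113.7", log,
                        now=t0 + timedelta(seconds=i))
    login_monitored("bob", "battery-staple", "198.51.100.2", log,
                    now=t0 + timedelta(seconds=10))
    return find_bruteforce_sources(log)


if __name__ == "__main__":
    print(demo())  # {'203.0.113.7': 5}
```

The point of the contrast is that `login_unmonitored` and `login_monitored` make the same access decision; only the second leaves the evidence that lets `find_bruteforce_sources` (or a SIEM rule doing the same thing) notice the pattern at all.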
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.