The Open Web Application Security Project (OWASP) has released the 2017 release candidate of its Top 10 project for public comment. This is the 14th year OWASP has raised awareness of application security risks with the list; the 2017 edition adds two new risk categories, example attack scenarios for each risk, and a list of free and open resources for security-conscious developers.
When Jeff Williams, creator and coauthor of the OWASP Top 10, first wrote the list, application security was, in his words, “shrouded in darkness.” Only a handful of people had gained their knowledge through hand-to-hand combat with applications, and they recognized that this knowledge had to be made public.
“For all the advances we’ve made at OWASP, application security isn’t part of every software project, it’s not taught regularly in university, and it’s often not viewed well by development projects,” said Williams. “In fact, based on the OWASP T10 data we just collected, the average number of serious vulnerabilities per application is a stunning 20.5. That’s an insane number that just shows how far we have to go.”
The OWASP Top 10 2017 release is based on analysis of over 2.3 million vulnerabilities across 50,000 applications and follows the 2013 edition, Williams said. The first of the two major additions is Insufficient Attack Protection (A7 in the release candidate). One of the most basic security capabilities is being able to detect, prevent, and respond to both manual and automated attacks, Williams said: an application that cannot tell a legitimate client from one sending a stream of malformed, unauthenticated, or probing requests cannot defend itself against either. Given the threats applications face, every modern application should be able to recognize an attack in progress and block it, which dramatically improves the ability to defend against both manual and automated attackers, he said.
The second major addition is Underprotected APIs (A10 in the release candidate), since the use of APIs has exploded in modern software, Williams said. These APIs use a variety of protocols and data formats, including SOAP/XML, REST/JSON, RPC, GWT, and others. Williams noted that such APIs are often unprotected, lacking the authentication, access control, and input validation applied to the browser-facing part of the application, and that they contain numerous vulnerabilities. He added that APIs represent a “major blind spot” for organizational security programs, and that OWASP is trying to refocus teams on this expanding problem.
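The two new categories above, Insufficient Attack Protection and Underprotected APIs, come together in the following added example. It is illustration code written for this article, not code from OWASP or from Jeff Williams, and it assumes an invented JSON "transfer" API, two constructed API keys, and constructed client addresses. The `handle_request` function protects the API (key-based authentication with a constant-time comparison, strict schema validation of the JSON body), and the `AttackDetector` class supplies the detect/prevent/respond capability: every rejected request is recorded against the calling client, and a client that accumulates enough strikes is blocked for a period. The `demo` function runs one legitimate caller and one probing caller through it.

```python
"""Added example: a minimal protected JSON API with application-level attack
detection and blocking. Hypothetical API, keys and traffic; not OWASP code."""
import hmac
import json
import time
from collections import defaultdict

# Constructed sample API keys -> user. Real deployments load these from a secret store.
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}

SUSPICIOUS_THRESHOLD = 3   # rejected requests before a client is blocked
BLOCK_SECONDS = 300        # how long a blocked client stays blocked


class AttackDetector:
    """Tracks rejected requests per client (e.g. source IP) and blocks repeat offenders.
    The clock is injectable so block expiry can be exercised deterministically."""

    def __init__(self, threshold=SUSPICIOUS_THRESHOLD, block_seconds=BLOCK_SECONDS, clock=time.time):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.clock = clock
        self.strikes = defaultdict(list)   # client -> [(timestamp, reason), ...]
        self.blocked_until = {}            # client -> unblock time
        self.log = []                      # audit trail of detections and responses

    def is_blocked(self, client):
        until = self.blocked_until.get(client)
        return until is not None and self.clock() < until

    def record(self, client, reason):
        """Detect: log the suspicious event. Respond: block once the threshold is hit."""
        now = self.clock()
        self.strikes[client].append((now, reason))
        self.log.append(f"detect client={client} reason={reason}")
        if len(self.strikes[client]) >= self.threshold:
            self.blocked_until[client] = now + self.block_seconds
            self.log.append(f"block client={client} seconds={self.block_seconds}")


def authenticate(headers):
    """Return the user for a valid X-API-Key header, else None.
    compare_digest avoids leaking key prefixes through timing differences."""
    key = headers.get("X-API-Key", "").encode()
    for known, user in API_KEYS.items():
        if hmac.compare_digest(key, known.encode()):
            return user
    return None


def validate_transfer(body):
    """Strict schema check: exactly the expected fields, types and bounds.
    Returns a problem description, or None if the body is acceptable."""
    if not isinstance(body, dict) or set(body) != {"to", "amount"}:
        return "unexpected fields"
    to = body["to"]
    if not isinstance(to, str) or not to.isalnum() or len(to) > 32:
        return "bad recipient"
    amount = body["amount"]
    if type(amount) is not int or not 0 < amount <= 10_000:   # 'is not int' also rejects bools
        return "bad amount"
    return None


def handle_request(detector, client, headers, raw_body):
    """Process one API call; returns (status, payload). Every rejection is reported
    to the detector, so unauthenticated probing and malformed input both count."""
    if detector.is_blocked(client):
        return 429, {"error": "blocked"}
    user = authenticate(headers)
    if user is None:
        detector.record(client, "auth failure")
        return 401, {"error": "unauthenticated"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        detector.record(client, "malformed json")
        return 400, {"error": "malformed json"}
    problem = validate_transfer(body)
    if problem:
        detector.record(client, f"validation: {problem}")
        return 400, {"error": problem}
    return 200, {"ok": True, "from": user, "to": body["to"], "amount": body["amount"]}


def demo():
    """Constructed traffic: one legitimate caller and one caller probing the API."""
    det = AttackDetector()
    good = handle_request(det, "10.0.0.5", {"X-API-Key": "key-alice"}, '{"to": "bob", "amount": 50}')
    probes = [
        ({"X-API-Key": "key-guess"}, '{"to": "bob", "amount": 1}'),                 # guessed key
        ({"X-API-Key": "key-bob"}, '{"to": "bob", "amount": -5}'),                  # negative amount
        ({"X-API-Key": "key-bob"}, '{"to": "bob", "amount": 1, "admin": true}'),    # extra field
        ({"X-API-Key": "key-bob"}, '{"to": "bob", "amount": 1}'),                   # valid, but now blocked
    ]
    statuses = [handle_request(det, "198.51.100.7", h, b)[0] for h, b in probes]
    return good, statuses, det.log


if __name__ == "__main__":
    good, statuses, log = demo()
    print(good, statuses)
    print("\n".join(log))
```

Keying strikes on the source IP is the simplest choice and the one that catches unauthenticated scanning, but clients behind a shared NAT will be blocked together; for authenticated traffic, key on the account as well. The threshold and block window need tuning against real traffic so that ordinary client bugs do not trip the block, and the audit log is what turns "prevent" into "respond": it is the record an on-call engineer needs to see what was probed and by whom.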