Every three years, the OWASP Top 10 is released, publicizing the most serious web application security vulnerabilities. Formed in 2001, the Open Web Application Security Project is a not-for-profit security organization “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.”
Revised every three years, the OWASP Top 10 is every web application security professional’s go-to for information on the most serious and most common threats that they face. Thus far, this highly regarded list has been published in 2003, 2004, 2007, 2010 and now this year.
“The 3-year cycle has worked well in the past for several reasons. The field does evolve pretty quick, but I don’t think the Top 10 Risks substantially change every single year,” OWASP board member Dave Wichers explained in an OWASP newsletter. “It takes a lot of work to produce an update to the Top 10, and so spacing it out balances between the effort to produce and the amount of change you’d see when it’s updated.”
This year, the only new vulnerability in the Top 10 is “Using Known Vulnerable Components.” It has debuted on the list at No. 9, split out from “Security Misconfiguration,” under which it was previously grouped. This risk stems from the third-party components that developers build on, such as servers, operating systems, frameworks and toolkits, each of which may carry its own vulnerabilities. The list warns that “if a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.”
To make room for the additional threat OWASP added to the list, two 2010 points were merged: No. 1, Insecure Cryptographic Storage, and No. 9, Insufficient Transport Layer Protection, were merged to No. 6, Sensitive Data Exposure. The new entry points out that “many web applications do not properly protect sensitive data… Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.”
Although these are the only two new or modified entries, several others shifted position: “Broken Authentication and Session Management” was promoted from No. 3 to No. 2, “Security Misconfiguration” was promoted from No. 6 to No. 5, and “Failure to Restrict URL Access” was promoted from No. 8 to No. 7 and also renamed “Missing Function Level Access Control.” “Cross-Site Scripting” and “Cross-Site Request Forgery” each dropped in priority (Cross-Site Scripting from No. 2 to No. 3 and CSRF from No. 5 to No. 8).
Denial-of-Service attacks were surprisingly omitted from the list despite their rising prevalence. The question was debated among the people and groups that drafted the list, and the reason it was left off came down to scope: whether DoS is an application problem at all.
Wichers stated, “The OWASP Top 10 is about web applications, not network security. And I know if they DDoS the server and take out an application, then it’s not an application problem, but is there anything the application itself can do about the most common DDOS attacks?”
Are you a web application security professional looking to take the next step in your career? Contact us so we can talk tech and see if we’ve got anything that may be suitable for you. With the high demand for application security specialists, the job market is hot, so apply now.