OWASP is gearing up to issue the latest release of the top 10. This 2017 release updates and builds on the 2013 release. Currently in draft form, and out for review and comment, the new release merges two categories into a single entry and adds two completely new categories.
The changes for 2017 are:
- A4 – Broken Access Control. Merges the 2013 categories A4 – Insecure Direct Object References and A7 – Missing Function Level Access Control into a single entry that was on the original 2003 list.
- A7 – Insufficient Attack Protection. New for 2017 and replaces the old A7 that was merged into the new A4 as outlined above.
- A10 – Underprotected APIs. This replaces the previous A10 – Unvalidated Redirects and Forwards which has dropped off the top 10.
Let’s take a brief look at the three changed categories. We will be publishing detailed articles about the new categories in the OWASP Top 10 Series over the next few weeks.
A4 – Broken Access Control
This category was in the original 2003 OWASP top 10 but was split out into A4 – Insecure Direct Object References and A7 – Missing Function Level Access Control in the 2007 list. They are being merged again in the 2017 release to make room for the new A10. Both these categories were covered in detail in our OWASP Top 10 Series so we don’t repeat that information here.
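As an added illustration of why the two 2013 categories belong together (example code written for this article, not from OWASP or from the earlier series): a single deny-by-default authorization gate that performs both the function-level check (does the caller hold a role allowed to run this operation?) and the object-level check (does the referenced record belong to the caller?). The users, roles, invoice records and operation names are constructed sample data.

```python
"""One access-control gate covering both halves of the merged 2017 A4.

function-level check: the caller must hold a role permitted to run the
    operation, so calling an admin-only operation directly is refused
    (the old A7, Missing Function Level Access Control)
object-level check: the caller must own the specific record referenced, so
    substituting another user's record id is refused
    (the old A4, Insecure Direct Object References)

All users, roles and records here are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


# Hypothetical data store: invoice id -> owning user id
INVOICES = {
    "inv-1001": "alice",
    "inv-1002": "bob",
}

# Function-level policy: which roles may run each operation (constructed)
ALLOWED_ROLES = {
    "view_invoice": {"customer", "admin"},
    "void_invoice": {"admin"},
}


def is_allowed(user: User, operation: str, invoice_id: str) -> bool:
    """Deny by default. The function-level check runs first so that a caller
    without the right role never reaches the object lookup and cannot learn
    which invoice ids exist from differences in the refusal."""
    allowed = ALLOWED_ROLES.get(operation)
    if allowed is None or not (user.roles & allowed):
        return False  # unknown operation, or role not permitted

    owner = INVOICES.get(invoice_id)
    if owner is None:
        return False  # unknown record is refused, same as a foreign one

    # Object-level: admins may act on any record, everyone else only on their own.
    if "admin" in user.roles:
        return True
    return owner == user.user_id


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    root = User("root", frozenset({"admin"}))
    print(is_allowed(alice, "view_invoice", "inv-1001"))  # own record: allowed
    print(is_allowed(alice, "view_invoice", "inv-1002"))  # someone else's: refused
    print(is_allowed(alice, "void_invoice", "inv-1001"))  # admin-only: refused
    print(is_allowed(root, "void_invoice", "inv-1002"))   # admin: allowed
```

The ordering matters: if the object lookup ran first, a refusal for a missing id and a refusal for a foreign id would differ in timing or wording, which is exactly the kind of detail an unprivileged caller should not be able to observe.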
A7 – Insufficient Attack Protection
This new entry in the 2017 Top 10 highlights the fact that very few applications, frameworks or APIs have built-in detection or protection to guard against attacks. There should be built-in detections and protections that guard against both manual and automated attacks. They should go beyond validating input and requests to actively monitoring for suspicious request types, responding by logging the activity and, in defined circumstances, blocking the client making the requests. Incorporating protection into the application or API means it can be aware of context; this is not always the case for separate protection mechanisms on the network, which may not know how the application should respond.
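The kind of in-application protection described above, as an added example written for this article (not OWASP's code and not a reference implementation): a small monitor that the application calls whenever it observes a signal only the application can interpret, such as an access-control refusal on another user's record, a request that fails schema validation, or a lookup of a non-existent id. Each signal is logged, signals are weighted and summed per client over a sliding time window, and a client whose score crosses a threshold is blocked. The signal names, weights, threshold, window and the replayed request log are all constructed values.

```python
"""In-application attack detection and response (2017 A7 style).

Because this runs inside the application, it can score events a network
device cannot see, e.g. "authorization refused this caller on someone
else's record". Signal names, weights, threshold, window and the sample
request log are constructed for this example.
"""
import logging
from collections import defaultdict, deque

log = logging.getLogger("attack_protection")

# Constructed signals the app can raise, with weights: one authorization
# refusal is treated as more suspicious than one malformed field.
SIGNAL_WEIGHT = {
    "authz_denied": 3,       # access control refused the request
    "validation_failed": 1,  # input did not match the expected schema
    "unknown_resource": 1,   # request referenced an id that does not exist
}


class AttackMonitor:
    def __init__(self, threshold=10, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.events = defaultdict(deque)  # client_id -> deque of (ts, weight)
        self.blocked = {}                 # client_id -> ts when blocked
        self.audit = []                   # log lines, kept so they can be inspected

    def _prune(self, client_id, now):
        """Drop events older than the window so old noise does not accumulate."""
        q = self.events[client_id]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def score(self, client_id, now):
        self._prune(client_id, now)
        return sum(weight for _, weight in self.events[client_id])

    def is_blocked(self, client_id):
        return client_id in self.blocked

    def record(self, client_id, signal, now, detail=""):
        """Called by the app when a signal fires. Logs it, updates the client's
        score and blocks the client once the threshold is reached. Returns
        whether the client is blocked after this event."""
        self.events[client_id].append((now, SIGNAL_WEIGHT[signal]))
        line = f"t={now} client={client_id} signal={signal} detail={detail}"
        self.audit.append(line)
        log.warning(line)
        if client_id not in self.blocked and self.score(client_id, now) >= self.threshold:
            self.blocked[client_id] = now
            blocked_line = f"t={now} client={client_id} BLOCKED score>={self.threshold}"
            self.audit.append(blocked_line)
            log.error(blocked_line)
        return self.is_blocked(client_id)


# Constructed request log: (timestamp, client, signal, detail)
REQUEST_LOG = [
    (0, "10.0.0.5", "validation_failed", "bad date format"),   # a legitimate user's typo
    (1, "10.0.0.9", "authz_denied", "inv-1002"),              # repeated foreign ids
    (2, "10.0.0.9", "authz_denied", "inv-1003"),
    (3, "10.0.0.9", "authz_denied", "inv-1004"),
    (4, "10.0.0.9", "authz_denied", "inv-1005"),
    (5, "10.0.0.5", "unknown_resource", "inv-1000"),
    (0, "10.0.0.7", "authz_denied", "inv-1002"),              # three refusals, then
    (1, "10.0.0.7", "authz_denied", "inv-1003"),              # a long quiet period
    (2, "10.0.0.7", "authz_denied", "inv-1004"),
    (100, "10.0.0.7", "authz_denied", "inv-1006"),            # window has expired
]


def run_replay(threshold=10, window_seconds=60):
    """Feed the constructed log through a fresh monitor and return it."""
    monitor = AttackMonitor(threshold, window_seconds)
    for ts, client, signal, detail in REQUEST_LOG:
        monitor.record(client, signal, ts, detail)
    return monitor


if __name__ == "__main__":
    m = run_replay()
    for line in m.audit:
        print(line)
    print("blocked:", sorted(m.blocked))
```

In the replay, 10.0.0.9 accumulates four authorization refusals within the window (score 12) and is blocked on the fourth; 10.0.0.5 only ever reaches a score of 2; and 10.0.0.7 reaches 9, but its next refusal arrives after the window has expired, so the earlier events are pruned and it stays unblocked. The block here is permanent for simplicity; a deployment would normally expire blocks and feed the audit lines into the same log pipeline as the rest of the application.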
A10 – Underprotected APIs
The OWASP Top 10 is a good starting point for evaluating and mitigating threats to web applications. The changes to the 2017 edition reflect current rapid application development and deployment models that are popular in Agile and DevOps workflows. The new A7 and A10 categories should make developers and security professionals consider how to ensure their applications are adequately protected from the inside out.
Remember that the OWASP Top 10 is the current list of the most prevalent threats. There are other threats outside the top 10 that must also be protected against.