OWASP Top 10 2017 Update


The final OWASP Top Ten for 2017 can be found here.

The top 10 list of threats compiled and published by the Open Web Application Security Project (OWASP) has been covered extensively here, including our detailed look at the threats on the list that was published in 2013. The OWASP Top 10 has become a trusted source of information on major threats to web applications ever since the first release back in 2003. The OWASP Foundation is an open global community of commercial, academic and individual experts and local chapters, whose goal is to ensure that developers and administrators of web applications have a trusted and impartial source of advice on threats and protections. There have been four major updates to the OWASP Top 10 since the initial release, with approximately 3.5 years between each.

What’s Changed

OWASP is gearing up to issue the latest release of the Top 10. This 2017 release updates and builds on the 2013 release. Currently in draft form and out for review and comment, the new release merges two categories into a single entry and adds two completely new categories.

The changes for 2017 are:

  • A4 – Broken Access Control. Merges the 2013 categories A4 – Insecure Direct Object References and A7 – Missing Function Level Access Control into a single entry, one that was on the original 2003 list.
  • A7 – Insufficient Attack Protection. New for 2017; it replaces the old A7, which was merged into the new A4 as outlined above.
  • A10 – Underprotected APIs. Replaces the previous A10 – Unvalidated Redirects and Forwards, which has dropped off the Top 10.

Let’s take a brief look at the three changed categories. We will be publishing detailed articles about the new categories in the OWASP Top 10 Series over the next few weeks.

A4 – Broken Access Control

This category was in the original 2003 OWASP Top 10 but was split into A4 – Insecure Direct Object References and A7 – Missing Function Level Access Control in the 2007 list. The two are being merged again in the 2017 release to make room for the new A10. Both categories were covered in detail in our OWASP Top 10 Series, so we won't repeat that information here.

A7 – Insufficient Attack Protection

This new entry in the 2017 Top 10 highlights the fact that very few applications, frameworks or APIs have built-in detection or protection to guard against attacks. Applications should have built-in detections and protections that guard against both manual and automated attacks. These should go beyond simply validating input and requests, to actively monitoring for suspicious request types and responding by logging the activity and, in defined circumstances, blocking the client making the requests. Incorporating protection into the application or API itself means that it can be aware of context, which is not always the case for separate protection mechanisms on the network that may not know the details of how an application should respond.
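As an added illustration of the in-application approach described above (example code, not from this post, Kemp or OWASP), the sketch below applies application-aware checks to each request, logs every suspicious one, and blocks a client for a fixed period once it exceeds a threshold within a sliding window. The request records, the `classify` rules and the thresholds are assumptions chosen for the example; a real application would pick rules that match its own context.

```python
import logging
from collections import defaultdict, deque

class AttackDetector:
    """Per-client sliding-window counter; logs each suspicious request, blocks on threshold."""
    def __init__(self, threshold=3, window=60, block_for=300):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.events = defaultdict(deque)  # client -> timestamps of suspicious requests
        self.blocked_until = {}           # client -> time at which the block expires
    def record(self, client, reason, now):
        """Log one suspicious request; return True if it pushes the client over the threshold."""
        logging.warning("suspicious request from %s: %s", client, reason)
        q = self.events[client]
        q.append(now)
        while now - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[client] = now + self.block_for
            logging.error("blocking %s for %ss", client, self.block_for)
            return True
        return False

def classify(req):
    """Application-aware checks (assumed rules): the app knows which responses indicate probing."""
    if req["status"] in (401, 403):
        return "authorization failure"
    if req["status"] == 404 and req["path"].startswith("/api/"):
        return "request for unknown API endpoint"
    return None

def process(detector, requests):
    """One decision per request: allowed, logged, block (just triggered) or blocked."""
    decisions = []
    for req in requests:
        client, now = req["client"], req["t"]
        if now < detector.blocked_until.get(client, 0):
            decisions.append("blocked")
        elif (reason := classify(req)) is None:
            decisions.append("allowed")
        else:
            decisions.append("block" if detector.record(client, reason, now) else "logged")
    return decisions
SAMPLE = [  # constructed sample request log (not real traffic): 10.0.0.5 probes the API
    {"client": "10.0.0.5", "t": 0, "path": "/api/users/2", "status": 403},
    {"client": "10.0.0.5", "t": 1, "path": "/api/admin", "status": 404},
    {"client": "10.0.0.5", "t": 2, "path": "/api/users/3", "status": 403},
    {"client": "10.0.0.5", "t": 3, "path": "/api/users/1", "status": 200},
    {"client": "10.0.0.9", "t": 3, "path": "/api/users/7", "status": 200},
    {"client": "10.0.0.5", "t": 400, "path": "/api/users/1", "status": 200},
]
```

Running `process(AttackDetector(), SAMPLE)` logs the first two probes, blocks 10.0.0.5 on the third, rejects its next request, leaves 10.0.0.9 untouched, and lets 10.0.0.5 through again once the block has expired.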

A10 – Underprotected APIs

Modern applications use APIs from many sources, either called directly by the developers or as subcomponents of third-party libraries. Examples include the many JavaScript-based libraries that provide functionality for applications, APIs for XML, SOAP, JSON, RESTful and RPC use, and frameworks like GWT. These software components can have vulnerabilities, are often unprotected in their default configurations and, more worryingly, can be opaque to the standard security scanning tools that are used to highlight vulnerabilities.

Conclusion

The OWASP Top 10 is a good starting point for evaluating and mitigating threats to web applications. The changes to the 2017 edition reflect current rapid application development and deployment models that are popular in Agile and DevOps workflows. The new A7 and A10 categories should make developers and security professionals consider how to ensure their applications are adequately protected from the inside out.

Remember that the OWASP Top 10 is the current list of the most prevalent threats. There are other threats outside the Top 10 that must also be protected against.

Maurice McMullin

Maurice McMullin is a Principal Product Marketing Manager in Kemp Technologies with too many years of experience in the development and marketing of networking and security products. He has worked in organizations of all sizes ranging from two person startups through to multinationals in roles as varied as programmer and CTO.
