OWASP Top Ten 2017 – the Final List
Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization that provides unbiased, practical information to improve the security of software. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. The OWASP Top 10 is a list of the most critical security risks to web applications, along with effective methods of dealing with them. The list has become a trusted source of information on major threats to web applications ever since the first release back in 2003 and KEMP Technologies have provided analysis of these threats here on our blog.
Proposed changes to the OWASP Top 10 were released to the community for comment in 2017. The comment process led to substantial changes being made in the OWASP Top 10 2017.
The OWASP Top 10 2017 retains six of the existing threat categories from the previous edition, although three of these have moved to different positions on the list. The top two from 2013 remain unchanged, signaling that A1: Injection and A2: Broken Authentication are still the most widespread attacks against web applications.
The other four threats that remain in the OWASP Top 10 2017 are:
- A3 – Sensitive Data Exposure – steps up from threat six
- A6 – Security Misconfiguration – moves down from threat five
- A7 – Cross-Site Scripting – falls from threat three
- A9 – Using Components with Known Vulnerabilities – stays at threat nine
There are three new threat categories on the 2017 list and one merged category that combines two from the previous release.
The 2017 additions and merged threats are:
- New: A4 – XML External Entities (XXE)
- Merged – A5 – Broken Access Control
- New: A8 – Insecure Deserialization
- New A10 – Insufficient Logging & Monitoring
Let’s take a brief look at these four categories. We will be publishing detailed articles in an updated OWASP Top 10 Series soon.
New: A4 – XML External Entities (XXE)
This is a vulnerability found in many older XML processors that allow external identity references within XML documents. These external identity references can be used to access internal files and data using a URI handler embedded in an XML file.
Merged: A5 – Broken Access Control
Many applications don’t enforce access control on application resources after a user session has been authenticated. This can lead to vulnerabilities due to poor configuration, which can lead to data being exposed to users who shouldn’t get access. Internal application checks and verifications should be used for all access to sensitive data, and not the assumption that an authenticated session is allowed access.
New: A8 – Insecure Deserialization
When applications store data they use various methods to serialize a data stream, then write it to files or send it over a network connection. When reading data back, an application deserializes the data coming in to convert it to a format the application needs. Insecure deserialization occurs when an application reads data from an insecure source, or when an attacker has been able to modify an incoming data stream to include malicious code.
New A10 – Insufficient Logging & Monitoring
Many systems are not monitored well enough and as a result attacks and data losses go undetected for prolonged periods of time. This allows attackers to continue to exploit weaknesses in systems, and possibly use undetected flaws in one application to attack others.
The OWASP Top 10 is a good starting point for evaluating and mitigating threats to web applications. The changes to the 2017 edition reflect the currently changing application landscape. The new categories should make developers and security professionals consider how to ensure their applications are adequately protected from the inside out. Remember that the OWASP Top 10 2017 is the current list of the most prevalent threats. There are additional threats that are outside the Top 10 that applications need protection against. Treat it as a starting point, not as a final checklist.
KEMP LoadMaster has built-in protection for many of the threats that web applications face, including those in the OWASP Top 10.