Application Security
4/11/2017 05:55 PM
OWASP Top 10 Update: Long Overdue Or Same-Old, Same-Old?

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.

After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.

Security leaders welcome some vital changes to the list, namely the addition of application programming interfaces (APIs), that acknowledge shifts in the development and threat landscape, and they hope that changes of this kind will be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that is a testament to the need for developer practices, not the list itself, to evolve more rapidly.

A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms. 

"To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we've seen explode across the industry since the last version of the Top 10 in 2013," says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. "While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software."

According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It is an important addition that addresses the way enterprises operate in this day and age of microservices-enabled DevOps and Agile shops.

"Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It's common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services," he says. "APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we'll see a continuation of that in 2017."

This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center.

"This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption," he says.

Having said that, both Anand and O'Leary believe that the Top 10 list isn't evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.

"I'd like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it's possible to see big changes in just a couple of years," says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they'll need to be addressed in the near future. "I hope we can update OWASP to cover these large trends and changes more frequently."

To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.

"We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003," says Williams.

In a lot of ways, the OWASP Top 10 illustrates appsec's prevailing trend: the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.

"There's no point in producing a new list every year, because - as demonstrated by the high degree of similarity between recent versions - things simply don't change that quickly," he says. "The strong similarities between the 2017 Top 10 list and previous iterations suggest that current approaches to developer awareness and education aren't working. We clearly have a long way to go, and likely need to change tactics to achieve better outcomes."

And, in fact, one of the other changes made this time around acknowledges that, O'Leary says.

"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself," he says. "The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a 3rd party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities."

He believes the new inclusion will be a hot button topic for a long time to come.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
johannacuriel,
User Rank: Apprentice
5/14/2017 | 6:53:40 AM
It's not OWASP
"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself,"

This statement is wrong.

Please, it is not OWASP as a foundation saying this. Project leaders are autonomous in deciding how to manage their projects; OWASP as a foundation only supervises that project leaders behave within a code of conduct and guidelines.

OWASP is a community and stands for OPEN; therefore, if you do not agree with something, JOIN US and come discuss it. As a contributor you have all the power to influence the outcome of every single project, and the Top 10 is one of them.

Join the discussion and the list, or even better, come to the OWASP SUMMIT 2017 in London, where Dave & Team will be there to discuss more about it.