Application Security
4/11/2017
05:55 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

OWASP Top 10 Update: Long Overdue Or Same-Old, Same-Old?

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.

After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.

Security leaders welcome some vital changes to the list - namely the addition of application programming interfaces (APIs) - that acknowledge shifts in the development and threat landscape, with hopes that these types of changes would be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that's a testament to the need for developer practices-- not the list itself--to more rapidly evolve.

A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms. 

"To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we've seen explode across the industry since the last version of the Top 10 in 2013," says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. "While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software."

According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It's an important addition that addresses the way enterprises operates in this day and age of microservices-enabled DevOps and Agile shops.

"Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It's common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services," he says. "APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we'll see a continuation of that in 2017."

This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center.

"This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption," he says.

Having said that, both Anand and O'Leary believe that the Top 10 list isn't evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.

"I'd like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it's possible to see big changes in just a couple of years," says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they'll need to be addressed in the near future. "I hope we can update OWASP to cover these large trends and changes more frequently.”

To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.

"We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003," says Williams.

In a lot of ways, the OWASP Top 10 pretty well illustrates appsec's prevailing trend of the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.

"There's no point in producing a new list every year, because - as demonstrated by the high degree of similarity between recent versions - things simply don't change that quickly," he says. "The strong similarities between the 2017 Top 10 list and previous iterations suggests that current approaches to developer awareness and education aren't working. We clearly have as long way to go, and likely need to change tactics to achieve better outcomes."

And, in fact, one of the other changes that was made this time around kind of acknowledges that, O'Leary says.

"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself," he says. "The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a 3rd party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities."

He believes the new inclusion will be a hot button topic for a long time to come.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.