IAM: The Reason Why OWASP Top 10 Doesn't ChangeOWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?
OWASP's AppSec conference is easily one of the best in the infosec industry. Where will it be held this year? Why not Punxsutawney?
Some years ago, Chris Hoff asked why the OWASP Top 10 doesn't change. Yes, Appsec feels like Groundhog Day, but it's not because the people at OWASP are sitting on their hands. The OWASP Top 10 catalogs the top Web vulnerabilities that all applications face, and it's reviewed and updated on a regular basis. But Hoff is right: It mostly does not change.
To refresh your memory, here is the OWASP Top 10 for 2010:
1. Injection (e.g. SQL Injection)
2. Cross-Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
After pondering this, I think I have come on a reason why, fundamentally, it does not change. The top two issues, injection (like SQL Injection) and XSS, both have to do with defensive programming. Developers are simply not trained and, consequently, do not know how to avoid these errors. There are fixes available, but they often go unimplemented.
But those are two of the top 10. What about the other eight? Here it's clear that poor identity and access management patterns and practice are a leading factor.
Broken Authentication, Session Management, and Insufficient Transport Layer Protection have been in the OWASP Top 10 for the past decade: They are all examples of authentication vulnerabilities.
Likewise, Insecure Direct Object Reference, Cross-Site Request Forgery, and Failure to Restrict URL Access -- all authorization vulnerabilities -- have spent the past decade in the OWASP Top 10. The 2010 edition of the Top 10 added another authorization vulnerability, Unvalidated Redirects and Forwards.
Where does this leave us? The majority of issues (six of 10) in the OWASP Top 10 are a direct result of identity and access management failures. If you want to escape AppSec Groundhog Day, then you have to change your focus. Addressing IAM architecture, strengthening authentication, and ensuring authorization coverage are not compliance issues or just architecture issues. They are core security concerns that need need your attention.
Gunnar Peterson is a Managing Principal at Arctec Group
Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio