Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/11/2017
05:55 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

OWASP Top 10 Update: Long Overdue Or Same-Old, Same-Old?

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.

After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.

Security leaders welcome some vital changes to the list - namely the addition of application programming interfaces (APIs) - that acknowledge shifts in the development and threat landscape, with hopes that these types of changes would be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that's a testament to the need for developer practices-- not the list itself--to more rapidly evolve.

A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms. 

"To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we've seen explode across the industry since the last version of the Top 10 in 2013," says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. "While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software."

According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It's an important addition that addresses the way enterprises operates in this day and age of microservices-enabled DevOps and Agile shops.

"Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It's common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services," he says. "APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we'll see a continuation of that in 2017."

This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center.

"This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption," he says.

Having said that, both Anand and O'Leary believe that the Top 10 list isn't evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.

"I'd like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it's possible to see big changes in just a couple of years," says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they'll need to be addressed in the near future. "I hope we can update OWASP to cover these large trends and changes more frequently.”

To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.

"We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003," says Williams.

In a lot of ways, the OWASP Top 10 pretty well illustrates appsec's prevailing trend of the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.

"There's no point in producing a new list every year, because - as demonstrated by the high degree of similarity between recent versions - things simply don't change that quickly," he says. "The strong similarities between the 2017 Top 10 list and previous iterations suggests that current approaches to developer awareness and education aren't working. We clearly have as long way to go, and likely need to change tactics to achieve better outcomes."

And, in fact, one of the other changes that was made this time around kind of acknowledges that, O'Leary says.

"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself," he says. "The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a 3rd party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities."

He believes the new inclusion will be a hot button topic for a long time to come.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johannacuriel
50%
50%
johannacuriel,
User Rank: Apprentice
5/14/2017 | 6:53:40 AM
Is not OWASP
"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself,"

This statement is wrong.

Please, is not OWASP as foundation saying this. Project leaders are autonomous on deciding how to manage their projects, OWASP a foundation only supervises that Project leaders behave within a code of conduct and guidelines.

OWASP is a community and stands for OPEN  therefore if you do not agree with something JOIN US and come discuss it. You have as a contributor all the power to influence the outcome of every single project and the Top 10 is one of them

Join the discussion and the list, even better , come to the OWASP SUMMIT 2017 in London 

where Dave & Team will be there to discuss more about it
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.