After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.
Security leaders welcome some vital changes to the list, namely the addition of application programming interfaces (APIs), that acknowledge shifts in the development and threat landscape, and they hope such changes will be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that is a testament to the need for developer practices, not the list itself, to evolve more rapidly.
A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms.
"To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we've seen explode across the industry since the last version of the Top 10 in 2013," says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. "While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software."
According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It is an important addition that addresses the way enterprises operate in this day and age of microservices-enabled DevOps and Agile shops.
"Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It's common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services," he says. "APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we'll see a continuation of that in 2017."
This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center.
"This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption," he says.
Having said that, both Anand and O'Leary believe that the Top 10 list isn't evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.
"I'd like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it's possible to see big changes in just a couple of years," says Anand, who sees trends like serverless-based technologies, containerization and development frameworks like React all changing the game to the point where they'll need to be addressed in the near future. "I hope we can update OWASP to cover these large trends and changes more frequently."
To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.
"We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003," says Williams.
In a lot of ways, the OWASP Top 10 illustrates appsec's prevailing pattern: the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.
"There's no point in producing a new list every year, because - as demonstrated by the high degree of similarity between recent versions - things simply don't change that quickly," he says. "The strong similarities between the 2017 Top 10 list and previous iterations suggest that current approaches to developer awareness and education aren't working. We clearly have a long way to go, and likely need to change tactics to achieve better outcomes."
And, in fact, one of the other changes made this time around in effect acknowledges that, O'Leary says.
"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it's a mitigation to a vulnerability and not a vulnerability in itself," he says. "The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a third-party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities."
He believes the new inclusion will be a hot button topic for a long time to come.