Changes to OWASP Top 10

The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, we periodically update the OWASP Top 10. 

According to Jeff Williams, the original author of the OWASP Top 10 and CTO and founder of Contrast Security, “We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003. Some that have been cut from the list such as ‘Application Denial of Service’ and ‘Unchecked Redirects and Forwards’ are still issues but aren’t nearly as common or impactful as they once were. Others have been combined, like ‘Insecure Direct Object References’ and ‘Missing Function Level Access Control’ into a single ‘Broken Access Control.’ Also, the old ‘Unvalidated Redirects and Forwards’ fell off the list due to its diminishing severity and prevalence."

“To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry since the last version of the Top 10 in 2013. While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software.

“The solution? Application security must get closer to software development. Software developers take advantage of powerful capabilities in the platform they are provided. And when they don’t take precautions, attackers will figure out new ways to take advantage of their work. We need to take responsibility for building defenses, creating assurance, and blocking attacks. We can’t stand by and point fingers at vulnerabilities anymore. There’s too much at stake.”

In this 2017 release, we made the following changes:

1. We merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017- A4: Broken Access Control.
   
   In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access control problem (data and functionality). We no longer feel that is necessary so we merged them back together.

2. We added 2017-A7: Insufficient Attack Protection:
   
   For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that the majority of applications and APIs lack basic capabilities to detect, prevent, and respond to both manual and automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.

3. We added 2017-A10: Underprotected APIs:
   
   Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.

4. We dropped: 2013-A10: Unvalidated Redirects and Forwards:
   
   In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as prevalent as expected. So after being in the last two releases of the Top 10, this time it didn’t make the cut.

NOTE: The T10 is organized around major risk areas, and they are not intended to be airtight, non-overlapping, or a strict taxonomy. Some of them are organized around the attacker, some the vulnerability, some the defense, and some the asset. Organizations should consider establishing initiatives to stamp out these issues.