For the first time since 2013, the Open Web Application Security Project (OWASP) has updated its top 10 list of the most critical application security risks. According to OWASP, the 2017 OWASP Top 10 is a major update, with three new entries making the list, based on feedback from the AppSec community.
The OWASP Top 10 is an influential and widely used AppSec standard - lots of organizations rely on it for direction in their AppSec programs.
This update went through two versions. After the initial release candidate in April 2017 got significant push-back from the AppSec community, OWASP went back to the drawing board and issued a new version in August seeking community feedback. This time around, there seems to be more consensus.
One thing everyone seems to agree on: an update to the Top 10 was needed. "Change has accelerated over the last four years, and the OWASP Top 10 needed to change," OWASP said in the foreword to the 2017 release.
In this blog post, we explain more about the three new risks in the 2017 top 10, what else has changed since 2013, and provide resources exploring best practices for preventing these risks. Check out our infographic describing all 10 risks, and visit our OWASP Top 10 resources page.
What's New in the 2017 OWASP Top 10?
Three web application risks were added to the 2017 OWASP Top 10.
XML External Entities (XXE)
Coming in at number four on the 2017 OWASP Top 10 list is XML external entities. This risk refers to poorly configured XML processors that evaluate external entity references within XML documents. Attackers can use external entities for attacks including remote code execution, and to disclose internal files and SMB file shares.
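The usual fix is to stop the XML processor from evaluating DTDs at all, since external entities can only be declared inside one. The following added example (not code from OWASP or from the original post) shows that gate in Python using only the standard library: expat's declaration callbacks abort on any DOCTYPE or entity declaration, and only documents that pass are handed to ElementTree. The sample documents, the `UnsafeXMLError` class and the placeholder `file:///placeholder/secret.txt` path are constructed for the illustration.

```python
"""Reject XML that carries a DOCTYPE or entity declaration before parsing it."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD or an entity (constructed for this example)."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Walk the document with expat and abort on any DOCTYPE or entity declaration.

    Disabling DTDs entirely is the simplest hardening for XXE: a document without
    a DTD cannot declare an external entity, so it cannot pull in local files or
    remote resources through entity expansion. Malformed XML raises ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root: {name!r})")

    def on_entity_decl(entity_name, is_param, value, base, system_id, public_id, notation_name):
        raise UnsafeXMLError(f"entity declaration not allowed ({entity_name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # An exception raised inside a handler propagates out of Parse().
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing anything that declares a DTD."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe_xml(xml_bytes: bytes) -> bool:
    """True when the document declares no DTD, False when the gate rejected it."""
    try:
        reject_dtd(xml_bytes)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs (not real application traffic).
BENIGN = b"<order><id>42</id><qty>3</qty></order>"
# An external-entity declaration of the kind the OWASP entry describes; the
# SYSTEM identifier is a placeholder path, not a real file.
WITH_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    b"<order><id>&ext;</id></order>"
)

if __name__ == "__main__":
    print("benign accepted:", is_safe_xml(BENIGN))
    print("xxe document accepted:", is_safe_xml(WITH_XXE))
    print("parsed id:", parse_untrusted(BENIGN).findtext("id"))
```

The benign document is walked twice (once by the expat gate, once by ElementTree); for large payloads a size limit in front of the gate keeps that cost bounded. Parsers such as Java's `DocumentBuilderFactory` expose the same idea as a feature flag that disallows DOCTYPE declarations, which is the setting to look for when reviewing code in other languages.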
Insecure Deserialization
Insecure deserialization is ranked at number eight on the 2017 OWASP Top 10 list. Insecure deserialization flaws can enable an attacker to execute code in the application remotely, tamper with or delete serialized (written to disk) objects, conduct injection attacks, and elevate privileges.
Insecure deserialization was on the rise in the past year. CA Veracode research for our State of Software Security report found that 53.3 percent of Java applications were using a version of the Apache Commons Collections library with an insecure deserialization vulnerability, up from 49 percent the previous year.
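The mechanism behind the remote code execution described above is that a native deserializer instantiates whatever types the byte stream names. The added example below (not code from OWASP, CA Veracode or the original post) shows the Python form of the problem and the standard mitigation: `pickle.loads` resolves and calls any global the stream references, while an `Unpickler` subclass that overrides `find_class` confines it to an allow-list. The `Order` class, the `_CallsAnyGlobal` stand-in and the two sample streams are constructed for the illustration; the stand-in names the harmless builtin `len` rather than anything dangerous.

```python
"""Allow-listed unpickling for data that arrives from outside the process."""
import io
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    """The one application type we are willing to deserialize (constructed example)."""
    order_id: int
    sku: str
    qty: int


# Only these (module, name) globals may be resolved while unpickling. Order's
# module name is looked up at runtime so the allow-list works whether this file
# runs as a script or is imported.
ALLOWED_GLOBALS = {
    (Order.__module__, "Order"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def plain_loads(data: bytes):
    """The unsafe baseline: whatever the stream names gets imported and called."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Return (ok, value_or_reason); never raises on a hostile stream."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class _CallsAnyGlobal:
    """Constructed stand-in for a hostile serialized object.

    Its pickle says "import builtins.len and call it with 'abc'". A harmless
    callable is used here; an unrestricted unpickler would resolve any importable
    name the stream carried in exactly the same way, which is the risk.
    """

    def __reduce__(self):
        return (len, ("abc",))


# Constructed sample streams.
GOOD_STREAM = pickle.dumps(Order(order_id=7, sku="A-100", qty=2))
HOSTILE_STREAM = pickle.dumps(_CallsAnyGlobal())

if __name__ == "__main__":
    print("plain pickle.loads ran the named global and returned:", plain_loads(HOSTILE_STREAM))
    print("restricted loader on hostile stream:", safe_load(HOSTILE_STREAM))
    print("restricted loader on good stream:", safe_load(GOOD_STREAM))
```

The allow-list only helps when it is short and made of plain data holders; once a listed class has a `__setstate__` or `__reduce__` that does real work, the attacker regains a foothold through it. Where the data model permits it, a format with no object instantiation at all (JSON validated against a schema) removes the class of bug rather than fencing it, and the same reasoning applies to the Java and .NET serializers that the Apache Commons Collections findings concern.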
Insufficient Logging and Monitoring
The final new entry in this year's OWASP Top 10, ranked at number 10, is insufficient logging and monitoring. Insufficient logging and ineffective integration with security incident response systems allow attackers to pivot to other systems and maintain persistent threats for weeks or months before being detected.
With attackers frequently exploiting new vulnerabilities within days of disclosure, logging and monitoring are critical to responding to all of the other nine risks in the OWASP Top 10, particularly number nine, using components with known vulnerabilities.
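Logging only pays off when the events carry enough structure for a detector to act on them. The added example below (not code from OWASP or from the original post) shows both halves in Python: an application-side helper that writes one JSON security event per line with the fields a responder needs (time, event type, outcome, user, source), and a small detector that runs two rules over such a log: a burst of authentication failures from one source inside a time window, and any denied access to an administrative resource. The event format, the thresholds, the `/admin` prefix and the sample log lines (using documentation IP ranges) are constructed for the illustration and stand in for whatever a real application and SIEM use.

```python
"""Structured security events plus a small rule-based detector over them."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

FAILURE_THRESHOLD = 5   # this many login failures from one source ...
WINDOW_SECONDS = 60     # ... within this window raises an alert (constructed values)
ADMIN_PREFIX = "/admin"  # denied access here is always worth an alert (constructed)


def make_event(event: str, outcome: str, user: str, src: str, **extra) -> dict:
    """Build one security event with the fields a responder needs to act."""
    record = {
        "ts": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": event,      # e.g. auth.login, access.denied
        "outcome": outcome,  # success / failure
        "user": user,
        "src": src,
    }
    record.update(extra)
    return record


def format_event(record: dict) -> str:
    """One JSON object per line, so log shippers and SIEMs can parse it."""
    return json.dumps(record, sort_keys=True)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(log_text: str) -> list:
    """Run the two rules over a JSON-lines log and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent login failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "auth.login" and ev["outcome"] == "failure":
            recent = failures[ev["src"]]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while (ts - recent[0]).total_seconds() > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "auth-failure-burst", "src": ev["src"],
                               "count": len(recent), "ts": ev["ts"]})
                recent.clear()  # one alert per burst, not one per extra failure
        elif ev["event"] == "access.denied" and ev.get("resource", "").startswith(ADMIN_PREFIX):
            alerts.append({"rule": "admin-access-denied", "src": ev["src"],
                           "user": ev["user"], "resource": ev["resource"], "ts": ev["ts"]})
    return alerts


# Constructed audit log: five failures against different accounts from one source
# in eight seconds, then ordinary activity, then a denied admin request.
SAMPLE_LOG = """\
{"ts": "2017-11-21T10:00:01Z", "event": "auth.login", "outcome": "failure", "user": "alice", "src": "203.0.113.7"}
{"ts": "2017-11-21T10:00:03Z", "event": "auth.login", "outcome": "failure", "user": "bob", "src": "203.0.113.7"}
{"ts": "2017-11-21T10:00:05Z", "event": "auth.login", "outcome": "failure", "user": "carol", "src": "203.0.113.7"}
{"ts": "2017-11-21T10:00:07Z", "event": "auth.login", "outcome": "failure", "user": "dave", "src": "203.0.113.7"}
{"ts": "2017-11-21T10:00:09Z", "event": "auth.login", "outcome": "failure", "user": "erin", "src": "203.0.113.7"}
{"ts": "2017-11-21T10:00:20Z", "event": "auth.login", "outcome": "success", "user": "alice", "src": "198.51.100.23"}
{"ts": "2017-11-21T10:05:00Z", "event": "auth.login", "outcome": "failure", "user": "alice", "src": "198.51.100.23"}
{"ts": "2017-11-21T10:06:00Z", "event": "access.denied", "outcome": "failure", "user": "alice", "src": "198.51.100.23", "resource": "/admin/users"}
"""

if __name__ == "__main__":
    print(format_event(make_event("auth.login", "failure", "alice", "203.0.113.7")))
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to real deployments: the burst rule keys on the source rather than the account, so password spraying across many users is caught as well as brute force against one; and the admin rule fires on a single event because some log lines are high-signal on their own and should not wait for a threshold. Whatever emits the alerts must feed the incident response process the OWASP entry mentions, otherwise the log is only evidence for after the fact.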
Some Risks From the 2013 OWASP Top 10 Were Dropped or Merged in 2017
The ordering of the top 10 is based on the prevalence of risks, so some of the risks have been re-ordered between the 2013 OWASP Top 10 and the 2017 version.
Two risks from the 2013 version of the OWASP Top 10 have been dropped in 2017: cross-site request forgery (CSRF), and unvalidated redirects and forwards. These risks are "gone, but not forgotten," OWASP said.
Two risks from the 2013 version were merged in the 2017 OWASP Top 10: Insecure direct object references and missing function level access control were merged into broken access control.
| OWASP Top 10 2013 | OWASP Top 10 2017 |
|---|---|
| 1. Injection | 1. Injection |
| 2. Broken Authentication and Session Management | 2. Broken Authentication |
| 3. Cross-Site Scripting | 3. Sensitive Data Exposure |
| 4. Insecure Direct Object References (merged in 2017 with #7) | 4. XML External Entities (NEW) |
| 5. Security Misconfiguration | 5. Broken Access Control (MERGED) |
| 6. Sensitive Data Exposure | 6. Security Misconfiguration |
| 7. Missing Function Level Access Control (merged in 2017 with #4) | 7. Cross-Site Scripting |
| 8. Cross-Site Request Forgery (DROPPED in 2017) | 8. Insecure Deserialization (NEW) |
| 9. Using Components With Known Vulnerabilities | 9. Using Components With Known Vulnerabilities |
| 10. Unvalidated Redirects and Forwards (DROPPED in 2017) | 10. Insufficient Logging and Monitoring (NEW) |
OWASP Recommendations for Securing Web Applications
OWASP released a set of recommendations, describing what's next for developers, application security testing processes, and organizations looking to begin the process of securing their applications.
Developers: Establish and use repeatable security processes and standard security controls.
Security testing: Establish continuous application security testing.
- Make testing compatible with the software development lifecycle (SDLC).
- Focus on what's important before expanding your program over time.
- Communicate security findings effectively.
Organizations: If you haven't already, start your application security program now.