Here’s your chance to sound-off.
Months in the making, the OWASP Top Ten Project has released the proposed 2017 update of public and private comments from application security professionals. This is the fourth update to the list that was first published in 2003 when the order reflected the most prevalent risks. Since 2010, the list has been based on the priority order of risk.
The proposed 2017 list contains two new categories that reflect the changing nature of threats and solutions. “A7 Insufficient Attack Protection” describes the risk that exists when an application is not protected using a security solution and includes vulnerabilities such as anti-automation and attacks such as brute forcing. This category also highlights the importance of logging.
On the downside, the title and the scope of this category are very broad. Additionally, this category appears to promote security solutions such as WAFs despite the fact that WAFs have been proven insufficient and in, many cases, create a false sense of security because of large numbers of false positives and negatives.
The second new category, “A10 Unprotected APIs,” is another very broad category that includes all types of vulnerabilities that can apply to any type of API. Because of such a broad nature, it overlaps with most of the other categories.
The rest of the Top Ten list remains largely unchanged with two exceptions. After evaluating the 2013 list, the project team combined two previous, but related categories – A4 Insecure Direct Objects References and A7 Missing Function Level Access – and deleted A10 Invalidated Redirects and Forwards. The 2013 versions of A4 and A7 were originally a single category until 2007 and have been recombined because the project team believes it’s no longer necessary to draw attention to the two halves of the same problem.
The 2013 version of A10 was dropped because the underlying threat has not developed as expected since its introduction in 2010.
Public and private comments will be accepted until June 30, 2017. The final list is expected to be released in late summer along with the public comments received during the review period.
Waratek encourages you to download the proposed list here.