OWASP Top Ten Web App Risks Are Being Updated

The OWASP Top Ten is being updated. Read on to find out the two new risk categories you should be on the lookout for.

by Apostolos Giannakidis · Apr. 30, 17 · News

Here's your chance to sound off.

Months in the making, the OWASP Top Ten Project has released its proposed 2017 update for public and private comment from application security professionals. This is the fourth update to the list, which was first published in 2003, when the order reflected the most prevalent vulnerabilities. Since 2010, the list has been ordered by risk.

The proposed 2017 list contains two new categories that reflect the changing nature of threats and solutions. “A7 Insufficient Attack Protection” describes the risk that exists when an application cannot detect, prevent, and respond to attacks. It covers missing controls such as anti-automation and attacks such as brute forcing, and it also highlights the importance of logging.

On the downside, the title and scope of this category are very broad. The category also appears to promote security products such as WAFs, despite the fact that WAFs have proven insufficient on their own and, in many cases, create a false sense of security because of high rates of false positives and false negatives.
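The protection A7 asks for does not have to come from a WAF in front of the application; the application can count failed logins itself, lock out the account or the source, and emit the events A7 says should be logged. The following Python example is added here and is not part of the original article or of the OWASP project. It replays a constructed authentication log (the log format, the five-failures-in-ten-minutes threshold, and the class and function names are all assumptions chosen for illustration) through a sliding-window guard that catches both one source spraying many accounts and many sources guessing at one account, and refuses further attempts before any credential check once a lock is in place.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, client IP, account, outcome.
# Lines 1-2: alice mistypes once, then logs in (benign).
# Lines 3-7: five different sources each fail once against bob (distributed guessing).
# Lines 8-12: one source fails once each against five accounts (password spraying).
# Line 13: the same source tries a sixth account after it has been blocked.
# Line 14: alice fails once more, 30 minutes later, outside the window.
SAMPLE_LOG = """\
2017-04-28T10:00:01Z 203.0.113.7 alice FAIL
2017-04-28T10:00:02Z 203.0.113.7 alice OK
2017-04-28T10:00:10Z 203.0.113.20 bob FAIL
2017-04-28T10:00:11Z 203.0.113.21 bob FAIL
2017-04-28T10:00:12Z 203.0.113.22 bob FAIL
2017-04-28T10:00:13Z 203.0.113.23 bob FAIL
2017-04-28T10:00:14Z 203.0.113.24 bob FAIL
2017-04-28T10:00:20Z 198.51.100.9 carol FAIL
2017-04-28T10:00:21Z 198.51.100.9 dave FAIL
2017-04-28T10:00:22Z 198.51.100.9 erin FAIL
2017-04-28T10:00:23Z 198.51.100.9 frank FAIL
2017-04-28T10:00:24Z 198.51.100.9 grace FAIL
2017-04-28T10:00:25Z 198.51.100.9 heidi FAIL
2017-04-28T10:30:00Z 203.0.113.7 alice FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


class BruteForceGuard:
    """Per-account and per-IP failure counters over a sliding window, plus a security event log."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.failures_by_account = defaultdict(deque)
        self.failures_by_ip = defaultdict(deque)
        self.locked_accounts = set()
        self.blocked_ips = set()
        self.events = []      # (kind, subject, timestamp): what a SOC would want logged
        self.decisions = []   # "ALLOWED" or "REJECTED" per attempt, in log order

    def _count_recent(self, bucket, key, ts):
        q = bucket[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return len(q)

    def observe(self, ts, ip, account, outcome):
        # Refuse the attempt before any credential check if source or target is already blocked.
        if ip in self.blocked_ips or account in self.locked_accounts:
            self.events.append(("REJECTED", f"{ip}/{account}", ts))
            self.decisions.append("REJECTED")
            return "REJECTED"
        self.decisions.append("ALLOWED")
        if outcome == "OK":
            self.failures_by_account[account].clear()   # a successful login resets the counter
            return "ALLOWED"
        # Per-account rule: catches guessing against one account, from one IP or many.
        if self._count_recent(self.failures_by_account, account, ts) >= self.max_failures:
            self.locked_accounts.add(account)
            self.events.append(("ACCOUNT_LOCKED", account, ts))
        # Per-IP rule: catches one source spraying a password across many accounts.
        if self._count_recent(self.failures_by_ip, ip, ts) >= self.max_failures:
            self.blocked_ips.add(ip)
            self.events.append(("IP_BLOCKED", ip, ts))
        return "ALLOWED"


def analyze(log_text):
    """Replay a log through a fresh guard and return the guard for inspection."""
    guard = BruteForceGuard()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip blank or malformed lines rather than crash on them
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        guard.observe(ts, m.group(2), m.group(3), m.group(4))
    return guard


if __name__ == "__main__":
    g = analyze(SAMPLE_LOG)
    for kind, subject, ts in g.events:
        print(f"{ts.isoformat()} {kind} {subject}")
```

Run against the sample log, the guard locks bob (five failures from five addresses), blocks 198.51.100.9 (five accounts from one address), rejects the sixth spray attempt without evaluating the password, and leaves alice alone because her single failure at 10:30 falls outside the window. The three emitted events are exactly the ones an incident responder wants to find in the logs; a lockout that is silent is only half of what A7 asks for.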

The second new category, “A10 Unprotected APIs,” is another very broad category that includes every type of vulnerability that can apply to any type of API. Because it is so broad, it overlaps with most of the other categories.

The rest of the Top Ten list remains largely unchanged, with two exceptions. After evaluating the 2013 list, the project team combined two previous but related categories, A4 Insecure Direct Object References and A7 Missing Function Level Access Control, into a single “A4 Broken Access Control,” and deleted A10 Unvalidated Redirects and Forwards. The 2013 versions of A4 and A7 were a single category until 2007 and have been recombined because the project team believes it is no longer necessary to draw separate attention to the two halves of the same problem.
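The two halves the project team recombined are easy to see in code: a function-level check asks whether this user may call this operation at all, and an object-level check asks whether this user may act on this particular object. The following Python example is added here and is not code from the original article or from OWASP; the role table, the invoice records, and the names authorize, get_invoice and can are assumptions chosen for illustration. Dropping the first check reproduces 2013 A7 (any customer can call the refund operation); dropping the second reproduces 2013 A4 (any customer can read any invoice id).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    total: float


class Forbidden(Exception):
    """Raised for any denied access; callers map it to one uniform error response."""


# Function-level rule (2013 A7): which roles may invoke which operation at all.
ROLE_PERMISSIONS = {
    "invoice:read":   {"customer", "support", "admin"},
    "invoice:refund": {"support", "admin"},
    "invoice:delete": {"admin"},
}

# Object-level rule (2013 A4): roles allowed to act on invoices they do not own.
CROSS_OWNER_ROLES = {"support", "admin"}

# Constructed sample records (not real data).
INVOICES = {
    101: Invoice(101, "alice", 40.0),
    102: Invoice(102, "bob", 75.0),
}


def authorize(user, operation, invoice):
    """Apply both halves of the access-control decision; raise Forbidden if either fails."""
    # Half 1: is this operation exposed to any of the user's roles? Unknown operations deny.
    if not (ROLE_PERMISSIONS.get(operation, set()) & user.roles):
        raise Forbidden(f"{user.name} may not perform {operation}")
    # Half 2: may this user act on *this* object? Owners may; other roles only if cleared.
    if invoice.owner != user.name and not (CROSS_OWNER_ROLES & user.roles):
        raise Forbidden(f"{user.name} may not access invoice {invoice.invoice_id}")
    return True


def get_invoice(user, invoice_id):
    """Handler shape for GET /invoices/<id>: look up, then authorize, then return."""
    invoice = INVOICES.get(invoice_id)
    # A missing id gets the same error as an unauthorized one, so the endpoint
    # cannot be used to enumerate which invoice ids exist.
    if invoice is None:
        raise Forbidden(f"invoice {invoice_id} not available")
    authorize(user, "invoice:read", invoice)
    return invoice


def can(user, operation, invoice_id):
    """True/False form of the same decision, convenient for tests and templates."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    try:
        return authorize(user, operation, invoice)
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    support = User("sam", frozenset({"support"}))
    for who, op, iid in [(alice, "invoice:read", 101), (alice, "invoice:read", 102),
                         (alice, "invoice:refund", 101), (support, "invoice:delete", 102)]:
        print(who.name, op, iid, "->", "allowed" if can(who, op, iid) else "denied")
```

The point of routing every handler through one authorize call is that the two checks cannot drift apart: a new operation that is missing from ROLE_PERMISSIONS is denied rather than silently open, and a handler that fetches an object by id cannot return it without the ownership test running.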

The 2013 version of A10 was dropped because the underlying threat has not developed as expected since its introduction in 2010.

Public and private comments will be accepted until June 30, 2017.  The final list is expected to be released in late summer along with the public comments received during the review period.

Waratek encourages you to download the proposed list (OWASP Top 10 2017 Release Candidate 1) from the OWASP Top Ten Project and submit your comments.

Published at DZone with permission of Apostolos Giannakidis, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
