OWASP Top 10 Update: Long Overdue Or Same-Old, Same-Old?

Published: 22/11/2024   Category: security

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.



After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.
Security leaders welcome some vital changes to the list, namely the addition of application programming interfaces (APIs), that acknowledge shifts in the development and threat landscape, with hopes that these types of changes will be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that's a testament to the need for developer practices, not the list itself, to evolve more rapidly.
A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms. 
"To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we've seen explode across the industry since the last version of the Top 10 in 2013," says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. "While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software."
According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It's an important addition that addresses the way enterprises operate in this day and age of microservices-enabled DevOps and Agile shops.
"Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller, leaner services and microservices. It's common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services," he says. "APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we'll see a continuation of that in 2017."
This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center.
"This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption," he says.
Having said that, both Anand and O'Leary believe that the Top 10 list isn't evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.
"I'd like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it's possible to see big changes in just a couple of years," says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they'll need to be addressed in the near future. "I hope we can update OWASP to cover these large trends and changes more frequently."
To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.
"We have added and removed a few items over the years, but this year's list is very similar to what we released in 2003," says Williams.
In a lot of ways, the OWASP Top 10 pretty well illustrates appsec's prevailing trend of "the more things change, the more they stay the same," says Ben Tomhave, principal security scientist for New Context Services.
"There's no point in producing a new list every year, because, as demonstrated by the high degree of similarity between recent versions, things simply don't change that quickly," he says. "The strong similarities between the 2017 Top 10 list and previous iterations suggest that current approaches to developer awareness and education aren't working. We clearly have a long way to go, and likely need to change tactics to achieve better outcomes."
And, in fact, one of the other changes made this time around kind of acknowledges that, O'Leary says.
"OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one, as it's a mitigation to a vulnerability and not a vulnerability in itself," he says. "The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change, OWASP is now saying that a third-party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities."
He believes the new inclusion will be a hot button topic for a long time to come.
Related Content:
80% Of Web Applications Contain At Least One Security Bug
25 Percent of Web Apps Still Vulnerable to Eight of the OWASP Top Ten
7 Steps to Transforming Yourself into a DevSecOps Rockstar
7 Hot Security Terms (and Buzzwords) to Know
