OWASP Top Ten: Then to Now

OWASP, short for the Open Web Application Security Project, is a community of web security professionals that actively endorses best practices for web security. Its output includes in-depth papers, articles, documentation, modernized tools, and extensive research. OWASP is perhaps best known for the “OWASP Top 10” lists released every few years, which detail the ten most critical web application security risks. The purpose of the document is to promote awareness of the web security risks faced by businesses and security agencies and, by extension, to promote a culture of security within an organization. In this article, we look at the differences between the most recent report, released in September 2017, and the previous report, which came in 2013.

The 2017 report starts off by adding three major issues: two that were requested by experts in the community, and one that was supported by data gathered by OWASP itself. It also merges and removes several earlier items:

  • Insecure deserialization. Based on an industry survey (rather than empirical data), this happens when a web application deserializes hostile objects. Deserialized objects are particularly dangerous because they can be anything: not just scripts that cause an operating system to go haywire, but a path to remote access to the servers behind the web application. Through this, an attacker can gather passwords as they move through the system, and even gain admin privileges.
  • Insufficient logging and monitoring. This is like installing an alarm system without security cameras. A security system that catches anomalies is a necessary tool, but it’s much less effective without a reliable method for notifying necessary parties quickly. OWASP asserts that a lack of logging and monitoring can “prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics”.
  • XML External Entities. An XML document can instruct the parser to fetch external entities while it is being processed, so any site or application that accepts XML carries an inherent risk. OWASP warns of vulnerabilities in direct XML uploads, document type definitions (DTDs), SAML, old versions of SOAP (before 1.2), and of course, XML external entity attacks (XXE).
  • Two items, Missing Function Level Access Control and Insecure Direct Object References, were combined into Broken Access Control. OWASP and its community noticed parallels in both the vulnerabilities and the remediation of the two former list items, and concluded that both could be fixed with better access control.
  • Two more items, Cross Site Request Forgery (CSRF) and Unvalidated Redirects and Forwards, were removed from the Top 10. Both occurred in less than 10% of cases (5% and 8%, respectively), which means they were edged out by XXE attacks. However, OWASP warns that businesses should still be aware of them, even if they aren’t Top 10 threats.
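The insecure deserialization bullet above says a hostile serialized object “can be anything”; the usual defence is to allow-list what a deserializer may reconstruct. As an added example that is not part of the original article, this Python snippet (the allow-listed `RestrictedUnpickler` pattern from the Python standard library docs, using constructed sample inputs) refuses any pickle stream that references a global callable, so a stream that would run code during loading is rejected before it can do anything:

```python
"""Allow-listed unpickling: accept plain data, refuse any reference to a global."""
import builtins
import io
import pickle

# The only builtins an untrusted stream is allowed to reconstruct.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice", "bytearray"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() refuses everything outside a small allow-list."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        # Any other global (a shell helper, a process spawner, an application
        # class with side effects) would let the stream execute code on load.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced; raises on a forbidden global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_session(data: bytes):
    """Return (ok, payload_or_reason) and never raise on hostile or corrupt input."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
    except Exception as exc:  # truncated or corrupt stream
        return False, f"malformed pickle: {exc!r}"


# Constructed sample inputs (hypothetical, not taken from the article).
BENIGN = pickle.dumps({"user": "alice", "roles": ["editor"], "ids": {1, 2}})
# A stream that merely references a global callable (builtins.print here);
# a hostile stream carries the same kind of reference to something dangerous.
REFERENCES_GLOBAL = pickle.dumps(print)

if __name__ == "__main__":
    print(load_session(BENIGN))            # (True, {...})
    print(load_session(REFERENCES_GLOBAL))  # (False, "global 'builtins.print' is not allowed")
```

Even with the allow-list, a data-only format such as JSON with schema validation is the simpler choice where the application controls the wire format.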
What changed from 2013 to 2017?

In the 2017 OWASP Top 10, the organization claimed, “the fundamental technology and architecture of applications has changed significantly.” Specifically, there were tide-shifting changes, including the surge of node.js as JavaScript came to dominate current frameworks, and the security challenges inherent in the rapid evolution of web technology.

Fortunately, OWASP says its community is growing and becoming more cohesive, even as they make methodology changes to keep up with the times.