Behind the OWASP Top 10 2017 RC1

The OWASP Top 10 has become web app critical infrastructure but do people understand how it is produced?

Josh Grossman
Apr 24, 2017 · 7 min read

The power of OWASP

OWASP (The Open Web Application Security Project) was started in 2001 and describes itself as a:

  • Companies want us to provide (potentially based on own their client requirements) secure development training which covers the OWASP Top 10.
  • Companies expect that when we provide them with Application Security testing services, we follow a recognised methodology such as that set out by OWASP
  • Companies require us to provide an Application Security testing report which maps our findings to the OWASP Top 10. (We don’t like doing this, as the OWASP Top 10 clearly cannot cover all types of findings.)
  • Companies want us to provide just a “quick test” which “just covers the OWASP Top 10”. (We don’t do this!)
  • Companies want us to provide them with a “certification” that their application “complies” with the OWASP Top 10. (Good lord, no!)

The OWASP reality

The fact is that there are a large number of very high quality products and resources from OWASP (my personal favourites being OWASP ZAP, the OWASP Testing Guide and OWASP Juice Shop).

Appearance of independence

Early in my professional life, I worked at a Big 4 accountancy firm where the idea of “independence” was drummed into me. In the Big 4 context, this is relevant to “Auditor Independence”: a Financial Auditor firm and its staff must demonstrate that they are able to perform a completely unbiased review of a company’s financial reporting, without being exposed to external pressures, such as a financial interest or inducement, which would prevent them from being impartial.

http://kfknowledgebank.kaplan.co.uk/KFKB/Wiki%20Pages/Audit%20and%20compliance.aspx

The OWASP Top 10 RC1 — Appearing independent

A Release Candidate of the OWASP Top 10 2017 was released a few weeks ago. Many people with more experience than I have debated both the technical merits of the latest release candidate and also examined the underlying data on which it was based.

https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf (Page 5)
From: https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true
https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf (Page 14)
https://www.contrastsecurity.com/security-influencers/owasp-top-10-for-2017

Final Thoughts

The OWASP Top 10 project clearly provides its raw data sources but as the nVisium blog referenced above notes, the process between the raw data and the final Top 10 is not clear.

https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf (Page 3)
  1. Perhaps the OWASP Top 10 Web Application Security Risks needs to be a data/risk driven view of the key issues which are being seen in the wild, with more frequent updates but less focus on preparing a detailed and complex document. The focus should be on an ordered list of specific issues rather than trying to compress lots of issues into a top 10 list. The OWASP Top 10 Proactive Security Controls, which is a really useful and practical document for developers, should be based on this list of top issues (but not one-to-one) and provide actual hands-on ways to address the most common security issues from the original list.
  2. Finally, the industry needs to be more involved in contributing to efforts like these. Only 11 companies contributed the vast majority of the data for the OWASP Top 10. I will certainly be encouraging my employer to start collecting the data required to submit and I think it is important that others do as well.

Written by Josh Grossman. Now only posting at https://joshcgrossman.com