Changes in OWASP Top 10: 2017 vs 2021 by Heinz-Werner Haas Digital Frontiers Das Blog

The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. It was started in 2003 to give organizations and developers a starting point for secure development. Over the years it has grown into a pseudo-standard that is used as a baseline for compliance, education, and vendor tools. For the first time since 2013, the Open Web Application Security Project (OWASP) has updated its top 10 list of the most critical application security risks. According to OWASP, the 2017 OWASP Top 10 is a major update, with three new entries making the list, based on feedback from the AppSec community.

  • There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.
  • But as the number of services grows, so does the complexity of authorization and ACL handling. SSRF is new in the OWASP Top 10, and it is currently only a small cluster of a single CWE.
  • What it is, though, is a great baseline for discussion and for processing what people want and need to know.
  • For those who want all the details, please check out the official PDF from OWASP.

XXE is an attack against an application that processes XML input from a client. An XML External Entity (XXE) attack occurs when untrusted XML input containing references to external entities is parsed and processed. For example, with XXE an attacker could pull the content of the server's /etc/passwd file, or the content of your application.properties, into the parsed XML. Where people use native PHP serialization and store that data in a place where a user could control or change it, they are vulnerable. If, like me, you write a lot of PHP, you will need to keep this one in mind for a long time.
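The defensive side of the XXE paragraph above, as an added example that is not part of the original post: a parser for client-supplied XML that refuses any DOCTYPE, entity declaration or external entity reference outright instead of expanding it. It uses only the standard-library expat binding; the function names and the two constructed sample documents are this example's own.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries DTD or entity machinery."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML, refusing anything that could enable XXE.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse instead of being expanded (or silently ignored). Returns the element
    names and concatenated text of an accepted document.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements: list = []
    text: list = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity(*_):
        raise UnsafeXMLError("entity declarations are not accepted")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} refused")

    # Exceptions raised inside expat handlers abort the parse and propagate.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return {"elements": elements, "text": "".join(text)}


def is_accepted(data: bytes) -> bool:
    """True when the document parses under the hardened rules above."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed samples: a benign order document and the file-read XXE shape
# described in the text (the entity is never resolved, only rejected).
BENIGN = b"<order><id>42</id><note>ok</note></order>"
XXE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b"<r>&xxe;</r>")
```

Rejecting the DOCTYPE also shuts out parameter-entity and entity-expansion (billion laughs) tricks, since all of them need a DTD.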

OWASP Top Ten 2021 April Update

Correctly (to my mind), the authors at OWASP recognize that after-the-deploy hardening gets skipped, so I love their recommendation to just never do it. It also fits well with the increasing containerization (Docker and similar) of web stacks.

OWASP Top 10 2017 Update Lessons

I admit that I don't love that the majority of this post will be my hot takes on the OWASP Top Ten 2017. It's a well-considered list and deserves a complete course rather than a quick summary. What was interesting to me about the 2017 update was that it went through a few different drafts, and finally did some data analysis https://remotemode.net/become-a-net-mvc-developer/owasp-top-10-2017-update/ and polling. It's somewhere between possible and likely that this happened in the past, but because I was authoring WordPress Security with Confidence at the time, I paid much more careful attention to the whole process.

Changes in OWASP Top 10: 2017 vs 2021

The OWASP Top Ten list, as you might guess, is the ten most important things that OWASP thinks web application developers should be focused on to make sure that the web generally is secure. Healthcare security came under scrutiny in 2023, and supply-chain attacks became all too common. “This is a really important step towards ‘shifting left’ as design is one of the elements that sits to the left of an application’s development lifecycle,” Wright added. If we look at the top positions, in 2017 Injection and Broken Authentication were the two most common.

  • If you’d like me to go into much more detail on any of them, please don’t hesitate to drop me a comment here.
  • The preference is for contributions to be known; this immensely helps with the validation/quality/confidence of the data submitted.
  • It’s a place for a conversation about security to start, and a good thing to keep an eye on for anyone who writes or maintains any part of a web application.
  • XSS allows attackers to run scripts in a victim’s browser, which can hijack user sessions, deface websites or redirect the user to malicious websites.

Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. One of the more valuable tools has been an Immersive Labs eBook that serves as a cheat sheet and delves deep into the meaning behind each item on the revised list.

CWE Data

In CVSSv3, the theoretical max was limited to 6.0 for Exploit and 4.0 for Impact.

  • A10 – Unvalidated Redirects and Forwards: while found in approximately 8% of applications, it was edged out overall by XXE.
  • A8 – Cross-Site Request Forgery (CSRF): as many frameworks include CSRF defenses, it was found in only 5% of applications.

We would also like to explore additional insights that could be gleaned from the contributed dataset, to see what else can be learned that could be of use to the security and development communities. At a high level, we plan to perform a level of data normalization; however, we will keep a version of the raw data contributed for future analysis. We will analyze the CWE distribution of the datasets and potentially reclassify some CWEs to consolidate them into larger buckets.
