For all those interested in application security out there, here’s something you should note: the new OWASP Top 10 has arrived! After much discussing, waiting, debating, and deciding, OWASP has just released their finalized version of the latest Top 10 web application security vulnerabilities.
Didn’t that already happen? Well, sort of. This summer, OWASP issued a release candidate for updates to the Top 10 list. That list was a bit too vague for some folks’ liking, so the list was revised again. What we have now is a new new OWASP Top 10.
Why This Matters
As applications become more integrated into our daily lives, application security becomes more of a priority. The mission of the Open Web Application Security Project (OWASP) is to provide resources on securing applications and to encourage developers to be more cognizant of security as they build applications.
The OWASP Top 10 is a categorization of the top web application security flaws, based on a combination of prevalence, exploitability, detectability, and impact. This list provides visibility into trends in attacker techniques, as well as the systemic issues affecting applications. The goal of this list is to raise awareness of the most common and damaging security exposures. The OWASP Top 10 also provides an industry standard for application security testing, and, as such, it provides insight into the security posture of your application.
The 2017 Top 10 release is the first update since 2013, and there are some significant changes, including some vulnerabilities that were removed (gray), merged (yellow), and added (blue).
Here’s what we find significant about this list:
Injection is still #1
Though not as common as it once was, injection flaws are still extremely damaging when they are found, so it’s understandable why they maintain the #1 seat. Injection flaws (such as SQL injection) can provide access to sensitive databases or, in extreme cases, lead to a full compromise of the host.
CSRF is now gone
OWASP removed this from the list because many frameworks include defenses against this vulnerability. Though CSRF has decreased in prevalence, we still see it relatively often in our application assessments, so organizations need to be on guard against it, especially when not using a modern application framework.
XML External Entities (XXE) was added to the list
This vulnerability can allow attackers to extract data, execute remote commands, or perform other attacks. We find this vulnerability most frequently impacting web services served over SOAP since this protocol uses XML for exchanging messages between clients and servers. Organizations making use of SOAP should be on the lookout for this.
Insecure deserialization was added to the list
Though difficult to exploit, deserialization can be a very critical issue. With this vulnerability, an attacker creates a malicious serialized object (i.e., data about an application’s state that has been converted into a format that can be transmitted over the Internet) and passes it to the application. When the application attempts to turn that object back into a workable state, it executes any malicious code embedded by the attacker. OWASP included this issue in the Top 10 because an industry survey listed it among top concerns. It’s important to note that manual testing is usually needed to identify and validate this issue. The best protection is to avoid parsing serialized objects from clients altogether, but, failing that, digital signing and robust validation of serialized objects are the next strongest defense.
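As an added illustration of the signing-and-validation defense described above (example code written for this page, not from the original post or any OWASP project): application state is serialized to JSON, signed with HMAC-SHA256 under a server-side secret, checked in constant time before it is parsed, and then matched against a fixed schema before it is used. The secret key, field names and role values are assumptions for the example.

```python
import hashlib
import hmac
import json

# Hypothetical server-side secret; in production it comes from a secret store.
SECRET_KEY = b"example-secret-key-not-for-production"

# Allowlist of fields a state object may carry, with the exact type of each.
EXPECTED_FIELDS = {"user_id": int, "role": str, "expires": int}
ALLOWED_ROLES = {"user", "admin"}


def sign(state: dict) -> str:
    """Serialize state to canonical JSON and append an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load(token: str) -> dict:
    """Verify the signature, then validate the structure, before trusting the data."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: tampered or unsigned payloads never reach the parser.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    state = json.loads(payload)
    # Robust validation: exact field set, exact types, and a closed set of roles.
    if not isinstance(state, dict) or set(state) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected fields")
    for name, kind in EXPECTED_FIELDS.items():
        if type(state[name]) is not kind:
            raise ValueError(f"bad type for {name}")
    if state["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return state


def demo() -> tuple:
    """Constructed example: a genuine token loads; a tampered one is rejected."""
    token = sign({"user_id": 42, "role": "user", "expires": 1700000000})
    ok = load(token)
    # Rewriting the role in transit changes the payload, so the tag no longer matches.
    forged = token.replace('"role":"user"', '"role":"admin"')
    try:
        load(forged)
        rejected = False
    except ValueError:
        rejected = True
    return ok["role"], rejected
```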
Insufficient logging and monitoring was added to the list
This issue was included in the Top 10 because organizations listed it as a top concern. This is not a vulnerability, per se, in the sense that it is something an attacker directly exploits – unlike the other flaws in the Top 10. Nevertheless, insufficient logging and monitoring certainly creates a situation that benefits attackers and can cripple organizations. Without adequate logging and monitoring, an attacker’s probes or actual exploitation may go undetected, thus dramatically decreasing the organization’s ability to address the threat. A good way to test logging and monitoring capabilities is to conduct a security assessment to determine whether the appropriate alerts are configured, and to analyze your logs after the test.
What To Do Now
The OWASP Top 10 is an indispensable tool that developers can use to better understand the security posture of their applications. The Top 10 should be integrated into every organization’s training, security guidelines, and software development lifecycle. If you haven’t done much in the way of application security before, learning the Top 10 (by actually exploiting and then fixing these vulnerabilities) is a good place to start.
But it’s important not to stop there. The Top 10 is not meant to be an all-inclusive list of application security flaws; there are still numerous, relatively common vulnerabilities that were not included on the 2017 list, such as CSRF. While the Top 10 provides valuable guidance, it is no substitute for regular security testing. Testing can identify the vulnerabilities that may not be included in the Top 10 but could still affect your application. Testing also demonstrates the real-world impact of a potential attack. All developers should be familiar with the Top 10, but we also encourage organizations to prioritize security in every aspect of application development.