It’s been four years since The Open Web Application Security Project (OWASP) published their Top 10 list of most critical web application risks. The new one’s finally out and we’re here to help you make sense of what’s changed.
The OWASP Top 10 list has become an international standard for the most threatening risks web application developers face, and has long been an important resource for those in web application security. OWASP has grown from a simple advocacy and awareness group to a global community of security experts coming together to produce the OWASP Top 10.
Let’s dive in to see what’s new on the list.
2017’s OWASP Top 10
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
What’s New in 2017?
- XML External Entities (XXE)
Technology has changed and many frameworks are now built on XML, making them vulnerable to XXE. Older or poorly configured XML processors can be abused by including malicious content in an XML document or by exploiting vulnerable code that handles it.
- Insecure Deserialization
Insecure deserialization can lead to attacks, most often remote code execution, as well as different types of injection attacks.
- Insufficient Logging & Monitoring
Insufficient logging & monitoring is not a vulnerability like the other issues on the list but rather a countermeasure needed to detect a breach fast enough to stop attackers from further attacking systems, pivoting to other systems, destroying data, or, in general, executing their plan. FACT: In 2016, identifying an attack took an average of 191 days, allowing an attacker plenty of time to execute their attack plan.
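As an added example (not code from the original post or from OWASP), the following Python shows the hardening that closes off the XXE item above: refuse any document that carries a DOCTYPE before handing it to the parser, since entity declarations, internal or external, can only appear inside one. The expat and ElementTree calls are standard library; the order documents, the `UnsafeXMLError` class and the placeholder `file:///placeholder/not-read` URI are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD (and so could declare entities)."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused. Entity declarations (internal, external and
    # parameter entities) can only live inside a DTD, so refusing the DTD
    # closes off XXE and entity-expansion ("billion laughs") in one step.
    raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed")


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML after refusing any DTD. Returns the root element."""
    gate = xml.parsers.expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _reject_doctype
    # Never let expat fetch external parameter entities (this is already the
    # default, but the hardening should not depend on a default).
    gate.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    gate.Parse(data, True)        # raises UnsafeXMLError on <!DOCTYPE ...>
    return ET.fromstring(data)    # only reached for DTD-free input


# Constructed sample inputs (not real traffic).
CLEAN_ORDER = b'<order id="42"><item sku="A1">2</item></order>'

# A document that declares entities: one internal, one external pointing at a
# placeholder URI. A parser that expands entities would read the referenced
# resource into the document; the gate above rejects the whole document instead.
DTD_ORDER = (
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY note "internal entity">\n'
    b'  <!ENTITY ext SYSTEM "file:///placeholder/not-read">\n'
    b']>\n'
    b'<order id="43"><item sku="A1">&note;&ext;</item></order>'
)


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' so callers can log the decision."""
    try:
        parse_xml_safely(data)
        return "accepted"
    except UnsafeXMLError:
        return "rejected"


if __name__ == "__main__":
    print("clean document:", classify(CLEAN_ORDER))
    print("document with DTD:", classify(DTD_ORDER))
```

Rejecting the DTD outright is the simplest of the options OWASP describes; it is the right choice whenever your schema does not legitimately need entities, which is almost always the case for API payloads.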
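For the Insecure Deserialization item above, here is an added Python example (not from the original post or from OWASP) that puts the insecure pattern beside a safe one. The insecure loader rebuilds arbitrary objects from untrusted bytes; the safe version serializes only data (JSON), protects it with an HMAC so the server can tell whether the bytes it issued came back unmodified, and enforces an allowlist of fields and types after parsing. The session fields, the `SECRET_KEY` value and the helper names are constructed for this example.

```python
import hashlib
import hmac
import json
import pickle

# Assumed (constructed) server-side secret; in a real deployment it comes from
# a secrets store, never from source code.
SECRET_KEY = b"constructed-example-key-not-for-production"


def load_session_unsafe(blob: bytes) -> dict:
    # The anti-pattern: pickle reconstructs whatever object graph the bytes
    # describe, so whoever produced the bytes decides what runs during loading.
    # Kept here only to contrast with the safe loader below.
    return pickle.loads(blob)


# Allowlist: every field a session may carry and the exact type it must have.
SESSION_SCHEMA = {"user_id": int, "role": str, "issued_at": int}


def _validate(session) -> None:
    if not isinstance(session, dict) or set(session) != set(SESSION_SCHEMA):
        raise ValueError("unexpected session fields")
    for key, typ in SESSION_SCHEMA.items():
        # `type(...) is` rather than isinstance: bool must not pass as int.
        if type(session[key]) is not typ:
            raise ValueError(f"field {key!r} has wrong type")


def dump_session(session: dict) -> bytes:
    """Serialize to canonical JSON (data only) and append an HMAC-SHA256 tag."""
    _validate(session)
    body = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def load_session_safe(blob: bytes) -> dict:
    """Verify integrity first, then parse, then enforce the schema."""
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        raise ValueError("missing integrity tag")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    session = json.loads(body)                   # JSONDecodeError is a ValueError
    _validate(session)
    return session


def is_accepted(blob: bytes) -> bool:
    """True if the safe loader accepts the blob, False if it rejects it."""
    try:
        load_session_safe(blob)
        return True
    except ValueError:
        return False


# Constructed sample session.
SAMPLE_SESSION = {"user_id": 7, "role": "viewer", "issued_at": 1511258400}

if __name__ == "__main__":
    blob = dump_session(SAMPLE_SESSION)
    print("round trip:", load_session_safe(blob))
    print("tampered role accepted:", is_accepted(blob.replace(b'"viewer"', b'"admin"')))
```

The order of checks matters: the integrity tag is verified before the body is parsed, so a forged blob is rejected without the JSON parser or the schema checks ever seeing attacker-controlled data.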
Two issues from the 2013 list, Insecure Direct Object Reference and Missing Function Level Access Control, were merged into a new item: Broken Access Control.
Broken Access Control covers vulnerabilities that allow attackers to gain access to unauthorized functionality and data such as other users' accounts, files, access rights, and other sensitive information.
Two items from 2013’s list were removed. Cross-Site Request Forgery (CSRF) and Unvalidated Redirects and Forwards (places 8 and 10 on the 2013 list) were scratched. CSRF is found in only 5% of applications, as many frameworks have added CSRF mitigation and detection techniques. Unvalidated Redirects and Forwards is found in only 8% of applications and was edged out overall by XXE.
How to keep your applications and data safe
- Set goals and security requirements
Start with defining how your application should be secured. Ask yourself what needs to be taken into consideration, and what are the security tests that need to be performed.
- Design your security from the start
Instead of retrofitting security into your applications and APIs, it’s recommended you design your security and build your application on top of it. OWASP recommends the OWASP Prevention Cheat Sheets as a starting point.
- Frameworks & open-source components
Many modern frameworks come with a good set of security controls for authorization, validation and other security defenses. Based on your security needs, choose the frameworks and open-source components that meet your requirements.
- Security education
Developers should receive ongoing training on web application security standards and stay up to date with the new vulnerabilities that are found daily.
- Logging and monitoring
Be sure to always:
- Audit events such as failed logins and server-side input validation errors;
- Configure and log suspicious activities;
- Collect all logs in one centralized log management solution to provide clear visibility into the different systems;
- Configure monitoring and alerting to provide fast response;
- Establish an incident response and a recovery plan.
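As an added example for the logging and monitoring steps above (not code from the original post or from OWASP), the following Python runs two of the listed checks over application log lines: it audits failed logins and server-side validation errors, and it raises an alert when one source address produces a burst of failed logins inside a sliding window. The log format, the sample lines (which use documentation IP ranges) and the threshold of five failures in 60 seconds are constructed for this example; a real deployment would ship the alerts to the centralized log management and alerting system the post describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application log lines (not from a real system).
SAMPLE_LOG = """\
2017-11-21T10:00:01Z level=INFO event=login.failed user=alice src=203.0.113.9
2017-11-21T10:00:03Z level=INFO event=login.failed user=bob src=203.0.113.9
2017-11-21T10:00:04Z level=INFO event=login.ok user=carol src=198.51.100.7
2017-11-21T10:00:05Z level=INFO event=login.failed user=dave src=203.0.113.9
2017-11-21T10:00:06Z level=INFO event=login.failed user=erin src=203.0.113.9
2017-11-21T10:00:07Z level=INFO event=login.failed user=frank src=203.0.113.9
2017-11-21T10:00:09Z level=WARN event=validation.failed field=email src=198.51.100.7
2017-11-21T10:20:00Z level=INFO event=login.failed user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) level=(?P<level>\w+) event=(?P<event>[\w.]+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Parse one 'key=value' log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "level": m["level"],
        "event": m["event"],
    }
    record.update(KV_RE.findall(m["rest"]))   # remaining key=value pairs
    return record


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return (alert_type, src) tuples in the order the alerts would fire.

    - 'login.bruteforce': `threshold` failed logins from one src within `window`
      (fires once when the threshold is reached, not on every later failure).
    - 'validation.failed': every server-side input validation error is surfaced,
      since a client that sends malformed input is worth a look.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src", "unknown")
        if rec["event"] == "login.failed":
            q = recent[src]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) == threshold:
                alerts.append(("login.bruteforce", src))
        elif rec["event"] == "validation.failed":
            alerts.append(("validation.failed", src))
    return alerts


if __name__ == "__main__":
    for alert_type, src in detect(SAMPLE_LOG):
        print(f"ALERT {alert_type} src={src}")
```

In the sample, 203.0.113.9 reaches five failed logins within six seconds and triggers one alert, the lone failure from 192.0.2.44 twenty minutes later does not, and the validation error from 198.51.100.7 is surfaced on its own. Logging the source address and the event name as structured fields is what makes this kind of detection cheap to write.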
StackPath WAF helps you Build Safe for the web
StackPath WAF provides protection against most of the OWASP Top 10 vulnerabilities. Our sophisticated, next-generation website security platform relies on behavioral and reputation analysis and detects malicious activity attempts. The real-time dashboard and event management screen give you instant access to live information about your website traffic so you can view and analyze security events.
To learn more about OWASP Top 10 and what you need to do to keep your applications and user data safe, read the complete OWASP Top 10 – 2017 security risks document.