OWASP Top 10 2017 is Here!

By Yaniv Parasol

It’s been four years since the Open Web Application Security Project (OWASP) published its previous Top 10 list of the most critical web application security risks. The 2017 edition is finally out, and we’re here to help you make sense of what’s changed.

The OWASP Top 10 has become a de facto international standard for the most serious risks web application developers face, and has long been an essential resource for anyone working in web application security. OWASP itself has grown from a small advocacy and awareness group into a global community of security practitioners, and the Top 10 is produced by that community.

Let’s dive in to see what’s new on the list.

2017's OWASP Top 10

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

What's New in 2017?

  1. XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references declared inside an XML document. An attacker who can submit XML to such a parser can declare an entity that points at a local file or an internal URL and have its contents pulled into the document. Depending on the parser and platform, this enables disclosure of internal files, requests to internal services, and denial of service through entity expansion.
  2. Insecure Deserialization: Deserializing data that an attacker controls often leads to remote code execution. Even where it does not, deserialization flaws can be used for replay, injection, and privilege-escalation attacks.
  3. Insufficient Logging & Monitoring: Unlike the other items on the list, this is not a vulnerability in itself but a missing countermeasure. Without adequate logging and monitoring a breach is not detected fast enough to stop attackers from pivoting to other systems, destroying data, or otherwise executing their plan. FACT: breach studies of 2016 incidents put the average time to identify an attack at 191 days, which gives an attacker plenty of time to carry out that plan.
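To make the XXE item concrete, here is an added example that is not part of the StackPath post or of OWASP's own material. It builds a small XML consumer on Python's standard-library expat bindings twice: once in an XXE-prone configuration that resolves SYSTEM entities by reading whatever path the DTD names (the pattern behind classic XXE in XML-to-object parsers), and once hardened to refuse any DOCTYPE and any external entity. The order document, the entity name `xxe`, and the "secret" file the entity points at (a temporary file standing in for something like /etc/passwd) are all constructed for the demo.

```python
"""Added example (not from the StackPath post): an XXE-prone XML consumer beside a hardened one."""
import os
import tempfile
import xml.parsers.expat as expat


class XmlRejected(ValueError):
    """Raised by the hardened parser when a document uses a refused construct."""


def _build_parser(handle_doctype, handle_external_entity):
    """Return (expat parser, root node). Nodes are plain dicts filled in by callbacks."""
    parser = expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "children": [], "text": ""}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": [], "text": ""}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(data):
        stack[-1]["text"] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = handle_doctype
    parser.ExternalEntityRefHandler = handle_external_entity
    return parser, root


def parse_naive(data: bytes) -> dict:
    """XXE-prone: resolves SYSTEM entities by reading the path the attacker put in the DTD."""
    def resolve(context, base, system_id, public_id):
        with open(system_id, "rb") as fh:  # system_id is attacker-controlled
            body = fh.read()
        # Parse the fetched bytes as the entity's replacement text, in place.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1  # 1 tells expat the reference was handled

    parser, root = _build_parser(lambda *args: None, resolve)
    parser.Parse(data, True)
    return root["children"][0]


def parse_hardened(data: bytes) -> dict:
    """Safe: no DOCTYPE means no entity declarations at all; external refs are refused."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(context, base, system_id, public_id):
        raise XmlRejected(f"external entity {system_id!r} is not allowed")

    parser, root = _build_parser(reject_doctype, reject_entity)
    parser.Parse(data, True)
    return root["children"][0]


def make_xxe_document(path: str) -> bytes:
    """Constructed attacker input: an <order> whose <item> expands to a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        "<order><item>&xxe;</item></order>"
    ).encode()


def demo() -> tuple:
    """Return (text the naive parser leaked, whether the hardened parser refused the document)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-DB-PASSWORD")  # constructed stand-in for a sensitive local file
    try:
        doc = make_xxe_document(fh.name)
        leaked = parse_naive(doc)["children"][0]["text"]
        try:
            parse_hardened(doc)
            refused = False
        except XmlRejected:
            refused = True
    finally:
        os.unlink(fh.name)
    return leaked, refused


if __name__ == "__main__":
    print(demo())  # ('SECRET-DB-PASSWORD', True)
```

The hardened variant does not try to be clever about which entities are acceptable; it rejects the DOCTYPE outright, which is the usual recommendation because it also removes internal-entity expansion attacks ("billion laughs"). In production Python code the defusedxml package applies the same policy to the standard parsers, and other platforms have equivalents such as the `disallow-doctype-decl` feature on a Java DocumentBuilderFactory.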

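The deserialization item is easiest to see with a native serialization format. The following is an added example, not code from the StackPath post or from OWASP: a service that loads Python pickle objects from an untrusted byte stream, beside a restricted unpickler that only admits an allowlist of classes. The `Order` class, the `Exploit` payload and the environment-variable marker are constructed for the demo; a real payload would call something like `os.system` instead of a harmless `exec` string, but the mechanism is identical.

```python
"""Added example (not from the StackPath post): naive pickle loading beside an allowlisted unpickler."""
import io
import os
import pickle


class Order:
    """The only type the service legitimately expects to receive."""
    def __init__(self, sku, qty):
        self.sku = sku
        self.qty = qty


class Exploit:
    """Attacker side: pickling this yields a stream that calls exec() when loaded.
    The exec string sets an environment variable so the effect is observable; any
    importable callable could be substituted."""
    def __reduce__(self):
        return (exec, ("import os; os.environ['PWNED'] = '1'",))


def deserialize_naive(blob: bytes):
    """Vulnerable: pickle.loads invokes whatever callable the stream names."""
    return pickle.loads(blob)


# Allowlist of (module, class) pairs the service is willing to instantiate.
ALLOWED_CLASSES = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup that is not on the allowlist, before REDUCE can run it."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def deserialize_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> tuple:
    """Return (sku, qty of the safely loaded order, whether the exploit was blocked,
    value of PWNED after the naive loader processed the exploit)."""
    os.environ.pop("PWNED", None)
    legit = pickle.dumps(Order("A-100", 2))   # what an honest client sends
    evil = pickle.dumps(Exploit())            # what an attacker sends instead

    order = deserialize_safe(legit)
    try:
        deserialize_safe(evil)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    deserialize_naive(evil)                   # exec() runs during loading
    return order.sku, order.qty, blocked, os.environ.get("PWNED")


if __name__ == "__main__":
    print(demo())  # ('A-100', 2, True, '1')
```

Note that the naive loader runs the attacker's code before any application logic gets to look at the object; validation after deserialization is too late. An allowlisting unpickler is the minimum; a data-only format such as JSON with explicit schema validation avoids the problem entirely.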
Two issues from the 2013 list, Insecure Direct Object Reference and Missing Function Level Access Control, were merged into a single new item: Broken Access Control.

Broken Access Control covers flaws that let attackers reach functionality and data they are not authorized for, such as other users' accounts, files, access rights, and other sensitive information.

Two items from the 2013 list, Cross-Site Request Forgery (CSRF) and Unvalidated Redirects and Forwards (places 8 and 10 in 2013), were dropped. CSRF was found in only 5% of applications, since many frameworks now ship with CSRF defenses built in. Unvalidated Redirects and Forwards was found in only about 8% of applications and was edged out overall by XXE.

How to keep your applications and data safe

  1. Set goals and security requirements: Start by defining how your application needs to be secured. Decide what has to be taken into consideration and which security tests must be performed.
  2. Design your security from the start: Instead of retrofitting security into your applications and APIs, design the security controls first and build the application on top of them. OWASP recommends its Prevention Cheat Sheets as a starting point.
  3. Frameworks and open source components: Many modern frameworks ship with a good set of controls for authentication, authorization, input validation and other defenses. Choose the frameworks and open source components that meet your security requirements, and keep them up to date.
  4. Security education: Developers should be trained continuously in secure web development standards and kept up to date with newly disclosed vulnerabilities, which appear daily.
  5. Logging and monitoring: Be sure to always:
  • Log security-relevant events such as failed logins, access control failures and server-side input validation errors, with enough context (user, source address, timestamp) to identify suspicious accounts;
  • Record suspicious activity and high-value transactions in a format that a log management solution can consume;
  • Send all logs to one centralized log management solution to provide clear visibility across different systems;
  • Configure monitoring and alerting so that suspicious activity triggers a fast response;
  • Establish an incident response and recovery plan.

StackPath WAF helps you Build Safe for the web

StackPath WAF provides protection against most of the OWASP Top 10 risks. The platform relies on behavioral and reputation analysis to detect malicious activity, and its real-time dashboard and event management screen give you instant access to live information about your website traffic so you can view and analyze security events.

To learn more about OWASP Top 10 and what you need to do to keep your applications and user data safe, read the complete OWASP Top 10 – 2017 security risks document.
