OWASP Top 10 2017: What changed from 2013 to 2017?
OWASP Top 10 2017 has finally been released, four years after the 2013 edition. OWASP stands for Open Web Application Security Project; it is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. This article looks at what changed in the Top 10 list of web application security risks between the 2013 and 2017 releases.
A lot has changed in web application development in the last four years, and developers have adopted many new methodologies. As OWASP puts it in the release: "Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Single-page applications, written in JavaScript frameworks such as Angular and React, allow creating highly modular feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges. JavaScript is now the primary language of the web with node.js running server-side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client."
Three New Vulnerabilities Added
These new methodologies also introduce new risks and vulnerabilities. OWASP Top 10 2017 adds one new category supported by data and two selected through the industry community survey. As OWASP puts it, "A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools (SAST) data sets." The other two new issues are A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms, and A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay the detection of malicious activity and breaches, incident response, and digital forensics.
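To make the new A4:2017 category concrete, here is an added example (it is not from the OWASP release or from this article's original text) using only Python's standard library xml.sax. It shows that the same parser is XXE-vulnerable or hardened depending on a single feature flag: with external general entities enabled, a SYSTEM entity in an attacker-supplied DOCTYPE pulls a local file into the parsed text; with the flag off, the reference is silently skipped. The "secret" file and the payload are constructed for the demo; the hardened setting is the default in current Python releases, so the vulnerable branch has to be turned on explicitly.

```python
"""XXE demo: the same XML parser, with external entity resolution on and off."""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects all character data the parser reports, including inlined entity content."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse XML and return the document's text content.

    resolve_external_entities=True reproduces the vulnerable configuration:
    SYSTEM entities are fetched (file://, http://, ...) and inlined as text.
    resolve_external_entities=False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    # This one feature is the difference between an XXE-vulnerable parser and a safe one.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def xxe_payload(target_uri):
    """Classic XXE payload: declare an external entity, then reference it in content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<order><note>&xxe;</note></order>"
    ).encode()


def demo():
    """Return (vulnerable_result, hardened_result) for the same hostile document."""
    # Constructed stand-in for a sensitive local file such as /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as secret:
        secret.write("db_password=top-secret-value\n")
    payload = xxe_payload(Path(secret.name).as_uri())
    try:
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        hardened = parse_untrusted_xml(payload, resolve_external_entities=False)
    finally:
        Path(secret.name).unlink()
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The same pattern applies to other parsers: disable entity resolution (and ideally DTD processing altogether) rather than trying to filter payloads, and when the parser library offers a hardened wrapper, such as defusedxml for Python, prefer it over hand-configured flags.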
Two Vulnerabilities Merged into One
Some categories from OWASP Top 10 2013 have been merged in OWASP Top 10 2017, and some have been retired. A4:2013-Insecure Direct Object References and A7:2013-Missing Function Level Access Control have been merged into A5:2017-Broken Access Control.
Two Vulnerabilities Removed
A8:2013-Cross-Site Request Forgery (CSRF) has been removed from OWASP Top 10 2017: as OWASP notes in the official release, many frameworks now include CSRF defenses, and it was found in only 5% of applications. A10:2013-Unvalidated Redirects and Forwards has also been removed; while found in approximately 8% of applications, it was edged out overall by XXE.
To summarize the changes in OWASP Top 10 2017:
- A1 Injection and A9 Using Components with Known Vulnerabilities keep both their names and their positions.
- A2 Broken Authentication and Session Management has been shortened to A2:2017-Broken Authentication and stays in 2nd position. Several other categories have changed position.
- A3:2013-Cross-Site Scripting (XSS) drops to 7th position (A7:2017), and A5:2013-Security Misconfiguration moves to 6th (A6:2017).
- A6:2013-Sensitive Data Exposure rises to 3rd position (A3:2017). As discussed earlier, A8:2013-Cross-Site Request Forgery and A10:2013-Unvalidated Redirects and Forwards have been removed.
- A4:2013-Insecure Direct Object References and A7:2013-Missing Function Level Access Control have been merged into A5:2017-Broken Access Control.
- The three new categories added in 2017 are A4:2017-XML External Entities (XXE), A8:2017-Insecure Deserialization, and A10:2017-Insufficient Logging and Monitoring.
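A8:2017-Insecure Deserialization, named in the list above, is the other new code-level category, and the following added example (not OWASP's code and not part of the original article) shows the mechanism in Python's pickle: the attacker serializes a "gadget" whose `__reduce__` names a callable, and a naive `pickle.loads` on the untrusted bytes invokes it during deserialization. The gadget here calls a constructed recording function instead of `os.system`, so the demo is harmless; the hardened loader restricts which globals pickle is allowed to resolve, so the same bytes are rejected while plain data still round-trips. The allow-list and sample data are assumptions made for the example.

```python
"""Insecure deserialization demo: a pickle gadget and a restricting unpickler."""
import io
import pickle

# Sink used in place of os.system so the demonstration is harmless.
EXECUTED_COMMANDS = []


def record_command(cmd):
    """Stand-in for os.system: records the command instead of running it."""
    EXECUTED_COMMANDS.append(cmd)
    return 0


class Gadget:
    """Attacker-controlled class: pickle calls record_command("id") when it is loaded.

    In a real attack __reduce__ returns (os.system, ("...",)) and the
    deserializer runs whatever command the attacker chose.
    """

    def __reduce__(self):
        return (record_command, ("id",))


def build_malicious_payload():
    """Serialize the gadget: these are the bytes an attacker would send."""
    return pickle.dumps(Gadget())


def insecure_load(data):
    """Vulnerable: pickle.loads on untrusted bytes executes the gadget."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals pickle may import; every other global is refused."""

    # Constructed allow-list: extend only with types known to be safe to construct.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data):
    """Hardened: the same bytes, but the gadget's callable is never resolved."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (gadget_fired, hardened_blocked, benign_roundtrip)."""
    payload = build_malicious_payload()
    insecure_load(payload)
    gadget_fired = "id" in EXECUTED_COMMANDS

    try:
        restricted_load(payload)
        hardened_blocked = False
    except pickle.UnpicklingError:
        hardened_blocked = True

    # Plain data (no globals involved) still round-trips through the restricted loader.
    benign = {"user": "alice", "roles": ["reader"], "quota": 10}
    benign_roundtrip = restricted_load(pickle.dumps(benign)) == benign
    return gadget_fired, hardened_blocked, benign_roundtrip


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is a mitigation for code that cannot stop using pickle; the stronger fix, and the one OWASP recommends, is not to deserialize untrusted input with a format that can instantiate arbitrary objects at all, and to use a data-only format such as JSON with explicit validation instead.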
References:
https://www.owasp.org