OWASP Top 10 2017: What changed from 2013 to 2017?
Finally, the OWASP Top 10 2017 has been released after 4 years. As we know, OWASP stands for Open Web Application Security Project; it is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. This article looks at what has changed in the Top 10 vulnerabilities released by OWASP.
Three New Vulnerabilities Added
New development methodologies also introduce new risks and vulnerabilities. This time, OWASP 2017 added a new issue supported by data. As mentioned by OWASP, "A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools (SAST) data sets." The other two new issues added in OWASP 2017 are A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms, and A10:2017-Insufficient Logging and Monitoring.
Two Vulnerabilities Merged into One
Some vulnerabilities from OWASP Top 10 2013 have been merged in OWASP Top 10 2017, and some have been retired. A4-Insecure Direct Object References and A7-Missing Function Level Access Control were merged into A5:2017-Broken Access Control.
Two Vulnerabilities Removed
A8-Cross-Site Request Forgery (CSRF) was removed from OWASP Top 10 2017: since many frameworks now include CSRF defenses, it was found in only 5% of applications, as OWASP mentions in the official release. A10-Unvalidated Redirects and Forwards was also removed from OWASP Top 10 2017.
Now we summarize the changes in OWASP Top 10 2017.
- A1 Injection and A9 Using Components with Known Vulnerabilities remain intact in OWASP Top 10 2017.
- The name of A2 Broken Authentication and Session Management has been slightly trimmed; it is now just Broken Authentication. Some vulnerabilities changed position in OWASP Top 10 2017.
- A3 Cross-Site Scripting is now at the 7th position in OWASP Top 10 2017. A5 Security Misconfiguration is now at the 6th position.
- A6 Sensitive Data Exposure is now at the 3rd position in OWASP Top 10 2017. As discussed earlier, A8 Cross-Site Request Forgery and A10 Unvalidated Redirects and Forwards have been removed from OWASP Top 10 2017.
- Some vulnerabilities from OWASP Top 10 2013 have been merged in OWASP Top 10 2017: A4-Insecure Direct Object References and A7-Missing Function Level Access Control were merged into A5:2017-Broken Access Control.
- As discussed, the three new issues added in OWASP 2017 are A4:2017-XML External Entities (XXE), A8:2017-Insecure Deserialization, and A10:2017-Insufficient Logging & Monitoring.
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.