The Open Web Application Security Project (OWASP) has revised its list of the ten most dangerous application security risks. This is the first time OWASP, one of the leading authorities on cybersecurity, has changed the list since 2013.
Countless companies use the OWASP Top 10 to develop their application security (AppSec) procedures, so these changes are significant.
“Change has accelerated over the last four years, and the OWASP Top 10 needed to change,” the report says.
“We’ve completely refactored the OWASP Top 10,” it continues. “[We’ve] revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used.”
OWASP developed the new report using feedback gathered from a broad spectrum of the AppSec community.
The updated list includes three new entries representing a major re-think of what constitutes a critical security risk today.
Incidentally, it took two attempts for OWASP to finalize the updated list. When the organization released version one in April 2017, it was not received well.
So, OWASP was forced to go back to the drawing board. After putting forward a new draft in August and requesting feedback, OWASP confirmed version two in November 2017.
What’s New For 2017?
The biggest threats in the OWASP Top 10 sit at the top of the list. But the most significant difference in the 2017 list is the addition of three new risks.
XML External Entities (XXE)
XML External Entities is ranked at number four on the 2017 list, replacing Insecure Direct Object References. The latter has been merged with Missing Function Level Access Control to create a new category, Broken Access Control.
XXE flaws arise when poorly configured XML processors evaluate external entity references inside XML documents.
Several attacks, such as remote code execution and the disclosure of internal files, rely on external entities.
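The poorly configured processor in the passage above is one that resolves a DTD's external entities at all. The following added example (not code from the original post or from OWASP) shows the hardened form: it refuses any untrusted document that carries a DOCTYPE or entity declaration before the real parser ever sees it. The two sample documents and the `file:///srv/app/config.ini` path are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample documents: one ordinary order, one that declares an
# external entity pointing at a local file and references it in the body.
BENIGN = b'<?xml version="1.0"?><order id="42"><item>widget</item></order>'
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY cfg SYSTEM "file:///srv/app/config.ini">]>'
           b'<order id="42"><item>&cfg;</item></order>')


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Fail fast on any DTD before the application parser sees the document.

    Expat reports the DOCTYPE as soon as it is read, so the entity reference
    in the body is never resolved and no file or URL is ever fetched.
    """
    p = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted from untrusted sources")

    def on_entity(*_declaration):
        raise DtdNotAllowed("entity declarations are not accepted from untrusted sources")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(data, True)  # raises expat.ExpatError if the XML is malformed


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing refused."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened policy, False if rejected."""
    try:
        parse_untrusted(data)
        return True
    except DtdNotAllowed:
        return False
```

Malformed XML still surfaces as an `expat.ExpatError` from `reject_dtd`, so a caller can distinguish a policy rejection from a broken document.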
At number eight on the list is Insecure Deserialization, which occurs when attackers take advantage of flaws in how an application deserializes data. These vulnerabilities allow cybercriminals to carry out denial-of-service (DoS) attacks, elevate privileges and tamper with serialized objects.
Insecure Deserialization replaced Cross-Site Request Forgery, which has now been dropped from the list.
Insufficient Logging and Monitoring
Insufficient Logging and Monitoring came in at number 10 on this year’s list. It took the place of Unvalidated Redirects and Forwards, which is no longer in the Top 10.
When logging is inadequate and integration with security incident response systems isn’t working correctly, attackers move in unnoticed. Consequently, they can move between networks and threaten applications for weeks or even months on end.
And The Rest?
According to OWASP, Injection flaws remain the number one threat to application security.
SQL, NoSQL, OS, LDAP and other injection flaws occur when hackers send hostile data to a site as part of a command or a query.
This tricks the interpreter into executing unintended commands or revealing sensitive data to an unauthorized party.
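To make the "hostile data as part of a command or query" point concrete, here is an added example (not from the original post) that puts a vulnerable lookup beside its parameterized form against a constructed in-memory SQLite table. The table, the two user rows and the hostile input string are all constructed for the demonstration.

```python
import sqlite3

# Constructed hostile input: the quote closes the string literal and the
# rest is read by the SQL interpreter as part of the command.
HOSTILE_NAME = "nobody' OR '1'='1"


def seed_users() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Splices the untrusted value into the query text (the injection flaw)."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Binds the untrusted value as a parameter, so it is only ever data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare() -> dict:
    """Run both lookups with the same hostile input and a legitimate one."""
    conn = seed_users()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, HOSTILE_NAME)),
        "safe": lookup_safe(conn, HOSTILE_NAME),
        "legitimate": lookup_safe(conn, "alice"),
    }
```

The concatenated query returns every address in the table for a name that matches nobody, while the bound query returns nothing for the same input and still answers a real lookup.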
At number two on the list is Broken Authentication. This category replaces Broken Authentication and Session Management and covers an app’s failure to authenticate users and manage sessions correctly.
Broken authentication allows attackers to take over the identity of another user, using a range of means including compromised passwords, keys and session tokens.
Sensitive Data Exposure
Taking the place of Cross-Site Scripting at number three, Sensitive Data Exposure refers to the danger posed when web apps and APIs fail to sufficiently protect sensitive data, particularly during transit.
Hackers take advantage of this lax security to steal information and conduct criminal acts like identity theft and card fraud.
Broken Access Control
Broken Access Control, the merged category, takes the number five spot, replacing Security Misconfiguration.
The threat of Broken Access Control centers on a scenario where restrictions and permissions aren’t enforced correctly. Cybercriminals take advantage of this weakness to alter, steal and manipulate data in vulnerable users’ accounts.
At number six is Security Misconfiguration, which replaces Sensitive Data Exposure from the 2013 list.
According to OWASP, “Security misconfiguration is the most commonly seen issue.” The problem is related to poor management of security configurations on operating systems, existing frameworks, libraries, and apps.
Cross-Site Scripting (XSS)
Moving down from number three, Cross-Site Scripting replaces Missing Function Level Access Control as the seventh biggest threat to app security.
An XSS flaw occurs when an app includes untrusted data in a new web page without properly validating it first.
Attackers can exploit this vulnerability to hijack user sessions, deface websites or redirect users to malicious sites.
Using Components With Known Vulnerabilities
Using Components with Known Vulnerabilities remains at number nine. Essentially, any app or API that uses a component with a known vulnerability opens the floodgates to hackers.
How Can We Help?
Gold Security has all the tools you need to guard against the threats outlined in OWASP’s Top 10.
We provide exceptional online security services to our clients using state-of-the-art security systems to detect vulnerabilities. We uncover and fix any issues before hackers have an opportunity to attack your site.
Don’t fall victim to any of the threats in OWASP’s Top 10 list. Get in touch today for a no-obligation quote.