Since its founding in 2001, the Open Web Application Security Project (OWASP) has become a leading resource for online security best practices. In particular, its list of the top 10 “Most Critical Web Application Security Risks” is a de facto application security standard.
The recently released 2017 edition of the OWASP Top 10 marks its first update since 2013 and reflects the changes in the fundamental architecture of applications seen in recent years. These include:
- Source code being run on untrusted browsers.
- The creation of modular front-end user experiences using single page and mobile apps.
- Microservices being written in node.js and Spring Boot.
- The shielding of old code behind API and RESTful web services.
At Imperva, we deal with the attack types detailed in the Top 10 on a daily basis. Here, we want to offer our thoughts on the list, including what we agreed with (the good), what we thought was lacking (the bad) and what we disagreed with (the ugly).
But first, let’s see what’s changed since the 2013 list was released.
What’s New About the 2017 Report?
OWASP’s 2017 report includes an updated threat/risk rating system comprised of such categories as exploitability, prevalence, detectability, as well as technical and business impacts.
The attacks outlined below represent the newest web application threats, as seen in the 2017 OWASP Top 10.
A4 — XML External Entity (XXE)
A new category primarily supported by SAST data sets, an XML External Entity (XXE) takes advantage of older or poorly-configured XML processors to upload hostile content in an XML document.
By exploiting processors’ vulnerable code, dependencies or integrations, perpetrators can initiate a remote request from the server, scan internal systems and launch denial-of-service (DoS) attacks. This can render any application accepting XML, or inserts into XML documents, vulnerable.
A8 — Insecure Deserialization
Deserialization, i.e., the extraction of data from a series of bytes, is a constantly occurring process between applications communicating with each other. Improperly secured deserialization can lead to remote code execution, replay attacks, injection attacks, privilege escalation attacks and more.
A10 — Insufficient Logging and Monitoring
Insufficient logging and monitoring, when combined with ineffective incident response, allows attackers to strengthen and prolong attack strategies, maintain their persistence, “pivot to more systems, and tamper, extract, or destroy data”.
To make room for these new editions, OWASP adjusted the following threats:
- Insecure direct object references and missing function level access control were merged into a new category called broken access control.
- CSRF was downgraded to number 13 on OWASP’s list of security threats.
- Invalidated redirects and forwards was downgraded to number 25.
Our Take on the 2017 Top 10
The 2017 OWASP Top 10 report contains a number of changes that we feel better reflect the current application threat landscape. That said, there are several points that could have been better explained as well as several missed opportunities to address additional application threats.
The 2017 Top 10 looks sharper than the 2013 version, in that it focuses more on trending topics and technologies.
A number of attacks listed in the 2013 report have since become less of an issue and were removed from the list with good reason. For example, less than five percent of data sets support CSRF today, while less than one percent support invalid redirects and forwards.
Meanwhile, new categories, such as XML external entity (XXE), insecure deserialization, as well as insufficient logging and monitoring allow for a better security posture against new kinds of attacks and threats, such as REST requests, API interactions and XML data transmissions.
There were several categories in the new Top 10 that weren’t described very well. In particular, injection is still too broad a topic and doesn’t add enough background to the types of injections to which vulnerable applications might be exposed.
Regarding “Unvalidated Redirects and Forwards”, which is also an input validation control and a highly probable XSS, we agree with its removal from the Top 10. That said, it’s still a prominent threat that should have been more explicitly mentioned or included as part of another control, and not just downgraded.
While we appreciate the addition of new controls into the Top 10, “insufficient logging and monitoring” doesn’t seem like it fits the bill.
In our opinion, the Top 10 should be focused on tangible controls that can prevent or minimize the risk of being exposed to a bug. A logging and monitoring solution is an important tool for web application security. That said, it’s a reactive control and doesn’t exactly fit with the other controls on the list, which are preventative.
Download a copy of our e-book “Protect Your Applications Against All OWASP Top 10 Risks” to find out how to you can protect your assets against these threats.
Do you agree with our analysis of the 2017 OWASP Top 10? Please let us know in the comments below.