I saw that a new OWASP Top 10 list was released, the first update since 2010. What has changed or been added in this update, and how should enterprises respond?
The 2013 OWASP Top 10 is based on risk data from eight firms that specialize in application security, with the list selected and prioritized based on prevalence and estimates of exploitability, detectability and impact. The list first appeared in 2003, and, unfortunately, this latest version is more or less the same as the 2010 version, bar a few changes to groupings and category names. Below are the two versions placed side by side for easy comparison.
| Rank | Change | 2013 Top Ten | 2010 Top Ten |
|---|---|---|---|
| 1 | | Injection flaws | Injection flaws |
| 2 | ▲ | Broken Authentication and Session Management | Cross-Site Scripting flaws |
| 3 | ▼ | Cross-Site Scripting flaws | Broken Authentication and Session Management |
| 4 | | Insecure Direct Object References | Insecure Direct Object References |
| 5 | ▲ | Security Misconfiguration | Cross-Site Request Forgery |
| 6 | ▲ | Sensitive Data Exposure | Security Misconfiguration |
| 7 | | Missing Function Level Access Control | Insecure Cryptographic Storage |
| 8 | ▼ | Cross-Site Request Forgery | Failure to Restrict URL Access |
| 9 | | Using Components with Known Vulnerabilities | Insufficient Transport Layer Protection |
| 10 | | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards |
The OWASP Top 10 2013 category "Sensitive Data Exposure" is new and covers both 2010's "Insecure Cryptographic Storage" and "Insufficient Transport Layer Protection" categories. It is intended to focus attention on the need to identify sensitive data and ensure that it is encrypted both in motion and at rest. The new "Missing Function Level Access Control" category has a broader definition than the "Failure to Restrict URL Access" category that it replaces, and it highlights the fact that developers need to include access control checks before a function can be used. Many developers think that disabling a button or link will prevent its use, but an attacker can simply forge the HTTP requests needed to invoke the function behind it.
"Using Components with Known Vulnerabilities" is a new entry, having previously been included in "Security Misconfiguration." It warrants its own entry, as many applications nowadays consist of hundreds of utilities and other components, many with known vulnerabilities. It may be quicker to reuse or buy code, but it should be verified as up to date and secure first.
Ask the expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
When looking at the vulnerabilities listed on the 2013 OWASP Top 10, it's disturbing to realize that they are cropping up more often, not less. SQL injection, for example, is an extremely well-documented threat, yet still remains prevalent, accounting for breaches that have compromised hundreds of millions of records. It seems that application security is just not considered to be as important as network security, even though vulnerabilities in applications are consistently being exploited by hackers of all types in order to access network resources and data. So where are things going wrong when it comes to application development?
My experience is that the key stakeholders in an application are still focused on look and feel first, usability second and then security if we're very lucky. Little security training is given to those overseeing or writing enterprise applications, while the unrealistic expectations of development times continue to limit the amount of security analysis and testing that can be achieved.
Enterprises need to make each new version of the OWASP Top 10 list compulsory reading for developers. It is a great awareness document that enterprises can use in cultivating a "security matters" culture. The list gives developers helpful guidance on how to eliminate or handle each vulnerability. There are numerous resources on the Internet that can be used to set a benchmark for coding practices, with perhaps the best known being Microsoft's Security Development Lifecycle. Microsoft also provides free tools to help teams create a more secure development process. Until such approaches to application development become commonplace, the vulnerabilities listed on the OWASP Top 10 in 2013 are likely to remain little changed when the next version is released.
This was first published in September 2013
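To illustrate the "Missing Function Level Access Control" point above, here is an added example (not part of the original article) showing a handler that relies on the UI hiding a button beside the same handler with a server-side check, plus an audit helper that lists unguarded routes. All names in it (`require_role`, `dispatch`, `ROUTES`, the paths and roles) are hypothetical.

```python
# Added illustration; every name here (ROUTES, require_role, dispatch, the paths) is hypothetical.
from functools import wraps

class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested function."""

def require_role(*allowed):
    """Server-side function-level check: runs on every call, whatever the UI showed."""
    def decorator(handler):
        @wraps(handler)
        def guarded(session, **params):
            if session.get("role") not in allowed:
                raise Forbidden(handler.__name__)
            return handler(session, **params)
        guarded.access_checked = True  # marker used by the audit helper below
        return guarded
    return decorator

# 'Before': the page template hides the Delete button from non-admins,
# but the handler itself never checks who is calling.
def delete_user_ui_only(session, user_id):
    return f"deleted {user_id}"

# 'After': the same function with the check enforced on the server.
@require_role("admin")
def delete_user(session, user_id):
    return f"deleted {user_id}"

@require_role("admin", "staff", "customer")
def view_profile(session, user_id):
    return f"profile {user_id}"

ROUTES = {
    "/admin/delete-legacy": delete_user_ui_only,
    "/admin/delete": delete_user,
    "/profile": view_profile,
}

def dispatch(path, session, **params):
    """Return (status, body) for a request, as a web framework would."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(session, **params)
    except Forbidden:
        return 403, "forbidden"

def unguarded_routes(routes=ROUTES):
    """Audit helper: list routes whose handler carries no access check."""
    return sorted(p for p, h in routes.items() if not getattr(h, "access_checked", False))
```

Running `unguarded_routes()` in a build or test step flags any handler that was registered without a server-side check, which is the gap a hidden button leaves open.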