If you think the latest iteration of the Open Web Application Security Project’s Top Ten list of the “top” web application security risks has important news for your organization, well, you may be disappointed. And that’s fine because that’s not what the OWASP Top Ten is intended to do.
The 2017 edition of the OWASP Top Ten is quite like the 2013 version, which in turn was quite like the 2010 version, and so on, all the way back to the first version published in 2003 (see table). The new version is different, but the differences are evolutionary rather than revolutionary — and that’s fine, too.
The OWASP list isn’t meant to be a source of new and flashy security vulnerabilities; it’s a top ten list. That means it’s the top ten most basic risks that everyone should be aware of. It’s a list of the most important things to worry about in defending web applications — not the list of everything that information security professionals should worry about, just the bare minimum.
Use the OWASP Top Ten to stay safe
The OWASP Top Ten list should guide infosec pros in the same way hikers and backpackers are guided by their favorite version of the “ten essentials” lists for outdoor activities. There are minor differences between the lists — the Boy Scouts of America put a pocket knife at the top of their list, while the Appalachian Mountain Club starts its list with map and compass at number one — but the goal of all of them is the same: to define the minimum you need to stay safe if you get lost or injured in the woods.
If you want to avoid dying of hypothermia, you should carry extra clothes and, maybe, a tarp for emergency shelter. If you want to avoid dehydration, you should carry water. Do you want to avoid getting lost? Carry a map and compass. The advice is mostly the same in 2017 as it was in 1917.
Want to prevent hackers from pwning your web application? The advice in 2017 is, mostly, the same as it’s been for 15 years since the first edition of the OWASP Top Ten was published.
You can avoid injection attacks by validating input and parameters. Injection has been at the top of the list since 2010; it went from #6 in 2003 to #2 in 2007.
Same for cross-site scripting, which debuted in the #4 spot in 2003 and went up to #1 in 2007 — but dropped to seventh place in 2017. That doesn’t mean it’s time to stop worrying about defending against XSS attacks: as long as XSS is on the OWASP Top Ten list, defending against it remains essential to web app security.
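The two defenses named above (treating request data as data rather than as SQL, and encoding it before it lands in HTML) are the kind of fundamentals the list is about. The following is an added example, not code from the article or from OWASP, showing the vulnerable form of each next to the hardened form; it uses only the Python standard library, an in-memory SQLite table and a constructed probe string, so it runs offline.

```python
import html
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("mallory", 0)])
    return conn

# Input validation: an allowlist for what a username may look like.
# The pattern is an assumption for this example, not a general rule.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def lookup_unsafe(conn, name):
    # Vulnerable: the request value is spliced into the SQL text, so the
    # database parses it as part of the query rather than as a value.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND active = 1"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened: a bound parameter is always data; the query shape is fixed
    # before any request value is seen, whatever that value contains.
    sql = "SELECT name FROM users WHERE name = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (name,))]

def render_greeting_unsafe(name):
    # Vulnerable: request-controlled text is placed in HTML unencoded.
    return f"<p>Hello, {name}</p>"

def render_greeting_safe(name):
    # Hardened: output encoding for the HTML body context, so markup
    # characters in the value are displayed, not interpreted.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test string for the comparison
    print(validate_username(probe))            # False: rejected at the edge
    print(lookup_unsafe(conn, probe))          # ['alice', 'bob']: query rewritten
    print(lookup_safe(conn, probe))            # []: no user has that literal name
    print(render_greeting_safe("<b>bob</b>"))  # tags shown as text, not rendered
```

The unsafe lookup returns every active user because the probe string changes the query's logic; the parameterized lookup returns nothing because the same string is compared as a literal name. Validation at the edge and encoding at the output are both shown because each covers a context the other does not: the allowlist rejects malformed names before they reach any sink, and the encoder protects the HTML sink even for values that passed validation elsewhere.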
No need to rank “essentials”
The order of the ten essentials lists for hikers doesn’t matter because they are ALL essential. The Boy Scouts list water at number five, but you won’t see a scout leaving water at home because it’s not as important as a first aid kit (#2).
The same should go for infosec pros looking to tighten up their web application security: the OWASP Top Ten lists the fundamentals. If you’re not addressing these things, the odds are that your web application won’t survive very long against even the least sophisticated attack.
“Yes, but there are lots of risks that were once listed on the OWASP Top Ten, and now they’re not,” you say? “What happened to buffer overflows and error handling, which were ranked at #5 and #7, respectively, in 2004?”
Even if an older risk has dropped off the OWASP list, it is still probably worth keeping in mind. If I were an infosec professional, I’d keep the historical risks in mind, if only because most risks don’t disappear; instead, they evolve over time. Humans have been venturing into the wilderness for tens of thousands of years, so we have a pretty good idea of the risks there. Web app security is still in its infancy, so we probably don’t yet know what the biggest risks are.
Meanwhile, defenders shouldn’t consider protecting against the OWASP Top Ten to be their goal — it should instead be the barrier to entry, in the same way that many trip leaders impose the requirement that all participants in their hikes must show up equipped with the ten essentials of hiking.