Open Web Application Security Project: OWASP Top 10 2017 Project Update

The analysis of the data will be conducted with a careful distinction when the unverified data is part of the dataset that was analyzed. Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. As someone who knows a lot about WordPress security, this one has a fond place in my heart.

  • They’ve published the list since 2003, changing it through many iterations.
  • The reason for this is that because it’s so often cited as a security vulnerability, the likelihood of people making mistakes that render their application vulnerable has declined a good deal.

According to OWASP, the 2017 Top 10 represents the project’s biggest-ever community collaboration, resulting from more than 500 survey responses and ongoing feedback from those at the front line of the appsec industry. Irresponsibly, I also will cop to the fact that my understanding of the exploitability of this sort of vulnerability also never computed for me, especially relative to the amount it was talked about. I think its prior prominence had a lot to do with CSRF being a conveniently simple acronym.

OWASP Top Ten – 2021 Learning Path

What this means is one where even if a user submits known bad data, nothing bad can possibly happen via that method. We plan to accept contributions to the new Top 10 from May to Nov 30, 2020 for data dating from 2017 to current. We plan to leverage the OWASP Azure Cloud Infrastructure to collect, analyze, and store the data contributed. There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.

Because the process of reaching consensus is long and time consuming, the organization has averaged an update about every three years. This keeps it up-to-date, but stops it from being driven too strongly by the latest trends and obsessions of the industry. We would also like to explore additional insights that could be gleaned from the contributed dataset to see what else can be learned that could be of use to the security and development communities. If at all possible, please provide core CWEs in the data, not CWE categories. This will help with the analysis; any normalization/aggregation done as a part of this analysis will be well documented.

The OWASP Top Ten list, as you might guess, is the ten most important things that OWASP thinks web application developers should be focused on to make sure that the web generally is secure. Globally recognized by developers as the first step towards more secure coding. “This is a really important step towards ‘shifting left’ as design is one of the elements that sits to the left of an application’s development lifecycle,” Wright added. One of the more valuable tools has been an Immersive Labs eBook that serves as a cheat sheet and delves deep into the meaning behind each item on the revised list. It’s been nearly 20 years since the Open Web Application Security Project (OWASP) was launched.

It seems to me that part of the reason for this to emerge relatively new and so high is that the GDPR went into effect in May 2018, and that made some people take this whole question pretty seriously. The recommendation of “Don’t store sensitive data unnecessarily” is great advice, but it’s also one of the most common lessons people have taken from the GDPR. The further advice here, to use good encryption algorithms and to encrypt more data at rest, is also quite good. Like #1, the OWASP #2 for 2017 is largely similar to the same item from 2013. Authentication is the way that an application knows who a user is.

About OWASP Top Ten – 2021

I’ve also only been doing web development for a little over five years, and largely in greenfield (new) projects. All of this comes together to mean that I’ve mostly never had to deal with XML much. Officially, A3 “Sensitive Data Exposure” is shown in the OWASP Top Ten documentation as having moved down from a higher position it previously held on the 2013 list. But the title’s text is nowhere to be found on the previous list, and the only missing item is “Session Management”, which doesn’t really apply here. What was interesting about the 2017 update, to me, was that it went through a few different drafts, and finally did some data analysis and polling. It’s somewhere between possible and likely that this happened in the past, but because I was authoring WordPress Security with Confidence at the time, I paid much more careful attention to the whole process.

Data will be normalized to allow for level comparison between Human-assisted Tooling and Tooling-assisted Humans. Following a lengthy gestation, the Open Web Application Security Project (OWASP) Top 10 is finally here. And while the de facto application security standard now includes three new categories, injection has maintained its position at the top of the risk chart in 2017.


With the exception of the Injection category, which is quite broad, the other four are business logic or misuse flaws. If we compare the first list from 2003 with this year’s list, we can see that seven of the 10 items are still an issue in some shape or form. In a related blog post on the subject, Immersive Labs Principal Application Security Engineer Sean Wright noted that every single item from 2017 is still on the current list, either directly or combined in a new category. The basic idea that I feel the authors are going for here is that an application should have more auditible clarity for both users and its administrators about potential security issues it can make them aware of.

Some items from 2013 were consolidated, specifically around access control. And other things were added, specifically #4 XML External Entities, #8 Insecure Deserialization, and #10 Insufficient Logging. We will then examine Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF). After we complete our look at the current OWASP Top Ten, we will examine three very relevant security risks that were merged into larger topics in the OWASP Top Ten 2021 list. It’s still important to know the details of how these risks work. We will explore XML External Entities (XXE), Cross-Site Scripting (XSS) and Insecure Deserialization.
