Monday, November 27, 2017

New OWASP Top 10 (2017) - What is new, and what is the final state?

Here is the view of the Top 10 from OWASP:



Resource on OWASP - Get it from HERE
  • Injections are still at the top. It makes sense, since a lot of attack vectors leverage poor validation controls. These lead to injections like SQLi, command injection etc., which are still very common across applications.
  • Broken Authentication is still a very common issue; it is very easy to discover by human intelligence and sometimes difficult from an automated scanner standpoint. This control still holds the second position on the list.
  • XSS used to be higher in the list but has now moved to seventh position. There are several frameworks in place which give protection against it, and browsers also have controls to defend against XSS. But XSS is still very common and easy to discover across applications.
  • NEW (XXE) – The XXE attack is added to the list. It is not very common, but XML streams can still be injected and can cause potential danger for the application, as it allows lower-level access on the box. Hence it is added, and it is important to detect and protect against.
  • MERGED - Insecure Object and Missing Access Control are merged into “Broken Access Control”. Again, it is very common at the true application layer. It is relatively easy to detect by humans and is largely missed by crawlers/scanners.
  • Security Misconfiguration and Using Known Vulnerable Components are major issues from a deployment/framework standpoint. They allow possible exploitation by default, before developers build code on top of them. Hence both of them have a place in the top stack.
  • NEW (Insecure Deserialization) – HTTP now supports object-level streaming, and it is imperative to serialize/deserialize objects. This opens up a set of vulnerabilities, and very effective attacks can be created using streams like JSON.
  • NEW (Insufficient Monitoring/Logging) – The application layer doesn't have logging, which allows attacks to go unnoticed. Hence, even though this is not an attack category, it is still added so that developers start providing a mechanism for logging across applications.
  • DROPPED - CSRF and Unvalidated Redirects are dropped from the list. We still see them very commonly around applications, but some protections are coming at the framework layer, and it seems that is why they were moved out.
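The Insecure Deserialization item above is the one most easily shown in code. The example below is added here and is not from OWASP or the original post; it uses Python's pickle as the stand-in for any native object stream. It shows the two mitigations a developer can apply: refuse to resolve any class the stream names unless it is on an allow-list, and, preferably, move to a data-only format (JSON) with explicit shape validation. The sample streams and the record layout are constructed for the demonstration.

```python
import builtins
import collections
import io
import json
import pickle

# Constructed sample payloads (not from any real application).
TRUSTED_RECORD = {"user": "alice", "roles": ["viewer"]}
PLAIN_DATA_STREAM = pickle.dumps(TRUSTED_RECORD)
# OrderedDict itself is harmless, but the stream now carries a class
# reference; that is the mechanism by which a hostile stream reaches
# arbitrary callables, so the loader must refuse it.
CLASS_REF_STREAM = pickle.dumps(collections.OrderedDict(TRUSTED_RECORD))

# Classes an untrusted stream may reconstruct; everything else is refused.
SAFE_BUILTINS = {"set", "frozenset", "bytearray", "complex", "range", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed classes (mitigation 1)."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) rather than raising."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def load_user_record(text: str):
    """Mitigation 2: data-only format plus explicit validation of the
    expected shape, so the stream can never name code to run."""
    try:
        obj = json.loads(text)
    except ValueError as exc:
        return "rejected", f"malformed JSON: {exc}"
    if not isinstance(obj, dict) or set(obj) != {"user", "roles"}:
        return "rejected", "unexpected record shape"
    if not isinstance(obj["user"], str) or not isinstance(obj["roles"], list):
        return "rejected", "unexpected field types"
    if not all(isinstance(role, str) for role in obj["roles"]):
        return "rejected", "roles must be strings"
    return "ok", obj
```

The plain-data stream round-trips, the stream carrying a class reference is rejected before any class is imported, and the JSON loader rejects records with extra or mistyped fields.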