OWASP Top 10 2017 The Ten Most Critical Web Application Security Risks

SecuArk – Hyderabad, Telangana

Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used.

Over the last decade, and in particular these last few years, the fundamental architecture of applications has changed significantly:

  • JavaScript is now the primary language of the web. node.js and modern web frameworks such as Bootstrap, Electron, Angular and React, amongst many others, mean that source code that was once on the server is now running on untrusted browsers.
  • Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular front-end user experiences, not to mention the rapid rise of mobile apps using the same APIs as single page apps.
  • Microservices written in node.js and Spring Boot are replacing older enterprise service bus applications built on EJBs and similar technologies. Old code that never expected to be called directly from the Internet now sits behind an API or RESTful web service. The assumptions that underlie this code, such as trusted callers, are simply no longer valid.
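The "trusted callers" assumption from the last bullet, as an added example that is not part of the OWASP Top 10 text or SecuArk's material: a constructed handler that honours a caller-supplied role header (the way code behind an internal service bus often did) is shown beside a hardened version that only honours claims carried in a token it can verify. The HMAC-signed token, the `X-User-Role` header name and the shared key are assumptions standing in for whatever authentication mechanism a real deployment uses.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a key provisioned out of band; a constructed placeholder, not a real secret.
SHARED_KEY = b"example-key-not-a-real-secret"


def handle_legacy(headers: dict) -> str:
    """'Before': the endpoint trusts a role header, as it could when only the
    internal service bus could reach it. Once exposed behind a public API,
    any caller can set that header, so the check protects nothing."""
    role = headers.get("X-User-Role", "guest")
    return "records" if role == "admin" else "denied"


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issue a token: base64url(JSON claims) + '.' + HMAC-SHA256 over that body.
    In practice this is done by the identity provider, not the service itself."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the claims only if the signature checks out; None otherwise.
    compare_digest avoids leaking timing information about the signature."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def handle_hardened(headers: dict) -> str:
    """'After': the role is read from verified claims, never from a bare header.
    A missing, malformed or tampered token is treated as unauthenticated."""
    claims = verify_token(headers.get("Authorization", ""))
    if claims is None:
        return "denied"
    return "records" if claims.get("role") == "admin" else "denied"


if __name__ == "__main__":
    # Constructed requests: the same header that fooled the legacy handler does
    # nothing against the hardened one, while a properly issued token still works.
    print(handle_legacy({"X-User-Role": "admin"}))      # records
    print(handle_hardened({"X-User-Role": "admin"}))    # denied
    print(handle_hardened({"Authorization": mint_token({"role": "admin"})}))  # records
```

The point of the pairing is that the vulnerability is not in the legacy code's logic but in an environmental assumption that stopped being true when the deployment changed; the fix moves the trust decision to something the service can check for itself.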

New issues, supported by data

A4:2017 XML External Entity (XXE) is a new category primarily supported by SAST data sets.

New issues, supported by the community

We asked the community to provide insight into two forward-looking weakness categories. After 516 peer submissions, and after removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:

  • A8:2017-Insecure Deserialization, responsible for one of the worst breaches of all time, and
  • A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response and digital forensics.

At SecuArk we work together to find the right route to develop your skills and experience, nurturing your curious spirit to find new solutions for our customers and extend your own knowledge. We help you push the boundaries in a culture that gives you the freedom to innovate.

Each organization is unique, and so are the threat actors for that organization, their goals, and the impact of any breach. If a public interest organization uses a CMS for public information and a health system uses that same CMS for sensitive health records, the threat actors and business impacts are very different for exactly the same software. It is critical that you apply your own threat agents and business impacts based upon the criticality of the data asset.

Full Report Below