
OWASP Top 10 2017

What is OWASP Top 10?

The Open Web Application Security Project (OWASP) is an open-source application security community whose goal is to spread awareness surrounding the security of applications, best known for releasing the industry standard OWASP Top 10.

The OWASP community is powered by security knowledgeable volunteers from corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure.

Every few years, OWASP releases the OWASP Top 10, a list of the ten most critical application security risks faced by developers and organizations, with the goal of helping developers and security teams better secure the applications they design and deploy. Because the risks to applications are always evolving, the OWASP Top 10 list is revised with each release to reflect these changes, along with the techniques and best practices for avoiding and remediating the vulnerabilities.

What are the updates in OWASP Top 10 2017?

Added to the list:

  • A4: XML External Entity (XXE) – provides guidance on how to identify and mitigate XXE flaws. Many older XML processors allow an external entity to be declared: a URI that is dereferenced and evaluated during XML processing. XXE flaws can be used to extract data, make requests from the server, scan internal systems, perform denial of service attacks, and more.

  • A8: Insecure Deserialization – provides clear, actionable guidance for safely deserializing untrusted application data. Deserialization flaws can lead to remote code execution, one of the most serious attacks possible.

  • A10: Insufficient Logging and Monitoring – provides guidance on how to log and monitor applications to minimize risk. Attackers frequently rely on the lack of logging and monitoring to achieve their goals without being detected.
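
The standard mitigation for the A4 XXE item above is to disable DTD processing entirely, so no declared entity URI is ever dereferenced. The following loader is an added example, not code from OWASP or from CxSAST; it builds on Python's expat parser and uses constructed sample documents (the `file:///placeholder` URI is a dummy and is never fetched):

```python
"""Hardened XML loader: refuses any DTD, the OWASP-recommended XXE fix."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing disabled.

    Rather than resolving or silently ignoring entities, the parser aborts
    as soon as a <!DOCTYPE ...> or <!ENTITY ...> appears, so no URI is ever
    dereferenced. Malformed XML still raises expat.ExpatError as usual.
    """
    builder = ET.TreeBuilder()
    p = expat.ParserCreate()
    p.buffer_text = True  # deliver each text run in one callback

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (root {name!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def reject_external(context, base, sysid, pubid):
        return 0  # false aborts the parse instead of fetching sysid

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity          # defence in depth
    p.ExternalEntityRefHandler = reject_external  # defence in depth
    p.StartElementHandler = builder.start
    p.EndElementHandler = builder.end
    p.CharacterDataHandler = builder.data
    p.Parse(data, True)
    return builder.close()


def xml_is_accepted(data: bytes) -> bool:
    """True if the hardened loader accepts the document, False if blocked."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs (not taken from any real application).
SAFE_DOC = b"<order><item sku='A-1'>2</item></order>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder'>]>"
           b"<order><item>&ext;</item></order>")
```

Calling `xml_is_accepted(XXE_DOC)` returns False because the DOCTYPE handler fires before any entity could be resolved, while `SAFE_DOC` parses into an ordinary Element tree.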

Removed from the list:

  • A8: Cross-Site Request Forgery (CSRF) – was removed since it represents less than 5% of vulnerabilities reported (dropped to #13).

  • A10: Unvalidated Redirects and Forwards – was removed since it represents less than 5% of vulnerabilities reported (dropped to #25).

Merged:

  • A4: Insecure Direct Object References and A7: Missing Function Level Access were merged into A5: Broken Access Control. This category addresses weaknesses in access control that let anonymous attackers act as users or administrators, use privileged functions, or create, access, update or delete records.

How to update CxSAST to reflect these changes?

CxSAST version 8.4 and above

CxSAST version 8.5