The final version of the 2017 OWASP Top 10 has been released on Monday and some kinds of vulnerabilities that are not serious have been substituted with vulnerabilities that are more expected to pose a significant threat.
Many years ago, injection remained the top web application security vulnerability, but there has been some changing in the ranking, with the arrival of three new issues— Insecure Deserialization, XML External Entities (XXE) and Insufficient Logging&Monitoring.
The 2017 OWASP Top 10 vulnerabilities include the following:
-Injection
-Broken authentication
-Sensitive data exposure
-XML external entity (XXE)
-Broken access control
-Security misconfiguration
-Cross-site scripting (XSS)
-Insecure deserialization
-Using components with known vulnerabilities
-Insufficient logging and monitoring
According to OWASP:
Two key differentiators from previous OWASP Top 10 releases are the substantial community feedback and extensive data assembled from dozens of organizations, possibly the largest amount of data ever assembled in the preparation of an application security standard. This provides us with confidence that the new OWASP Top 10 addresses the most impactful application security risks currently facing organizations.
Cross-site request forgery issue has been removed from the list because most of the development frameworks guarantee that such vulnerabilities are avoided, which make CSRF issue seen in less than 5% of applications. Unvalidated redirects and forwards have also been removed as they affect only around 8% of apps.
The Open Web Application Security Project (OWASP) will begin working on the next Top 10, which has been scheduled for 2020.
