Injection remains appsec’s biggest threat in 2017

Following a lengthy gestation, the Open Web Application Security Project (OWASP) Top 10 is finally here. And while the de facto application security standard now includes three new categories, injection has maintained its position at the top of the risk chart in 2017.

The latest OWASP Top 10 represents the first update to the vulnerability ranking since 2013. According to the report’s authors, the amendments – which include the addition of XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring – replace previous entries now deemed to be “relatively simple” security problems.

“Change has accelerated over the last four years, and the Top 10 needed to change,” OWASP said. “Over the last few years, the fundamental technology and architecture of applications has changed significantly.”

As in previous years, injection remained the top application security risk, followed by broken authentication. But there has been a shuffling in the ranking thereafter, due to the arrival of the three new vulnerabilities:

The project explained the incoming and outgoing risk elements in the 2017 Top 10:

New issues

A4:2017 – XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools
(SAST) data sets.

A8:2017 – Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.

A10:2017 – Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach
detection, incident response, and digital forensics.

Merged or retired (but not forgotten)

A4 – Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access Control.

A8 – Cross-Site Request Forgery (CSRF), as many frameworks include CSRF defenses, it was found in only 5% of applications.

A10 – Unvalidated Redirects and Forwards, while found in approximately 8% of applications, it was edged out overall by XXE.

According to OWASP, the 2017 Top 10 represents the project’s biggest-ever community collaboration, resulting from more than 500 survey responses and ongoing feedback from those at the front line of the appsec industry.

Of course, many will remember the controversy generated by the draft Top 10 earlier this year, which called for the inclusion of a new entry at A7 titled ‘Insufficient Attack Protection’ – an addition that was roundly criticized by the netsec community and subsequently dropped from the list.

Hiccups aside, the OWASP Top 10 is now here. After taking clear steps to address this year’s controversy, the authors have hailed the 2017 vulnerability ranking as the “best sourced, most reviewed application security standard out there” – and it will be interesting to plot the report’s impact as it circulates around the industry.