At a bare minimum, we need the time period, the total number of applications tested in the dataset, and the list of CWEs with counts of how many applications contained each CWE. If at all possible, please provide the additional metadata, because that will greatly help us gain more insights into the current state of testing and vulnerabilities. The goal is to collect the most comprehensive dataset related to identified application vulnerabilities to date, to enable analysis for the Top 10 and other future research as well. This data should come from a variety of sources: security vendors and consultancies, bug bounties, along with company/organizational contributions.
Although I feel that a few of the changes are a little confusing to me, it’s not the case that I considered the 2013 list perfect either. Some items from 2013 were consolidated, specifically around access control. And other things were added, specifically #4 XML External Entities, #8 Insecure Deserialization, and #10 Insufficient Logging.
According to OWASP, the 2017 Top 10 represents the project’s biggest-ever community collaboration, resulting from more than 500 survey responses and ongoing feedback from those at the front line of the appsec industry. Now, my eyes (which think this list item isn’t great) are biased. As I’ve mentioned before (though not in this article) I mostly work on the web, and specifically in PHP. I’ve also only been doing web development for a little over five years, and largely in greenfield (new) projects. All of this comes together to mean that I’ve mostly never had to deal with XML much. What was interesting about the 2017 update, to me, was that it went through a few different drafts, and finally did some data analysis and polling.
“Injection” as a class of security flaw often gets shortened in my head to simply “SQL injection.” For the uninitiated, SQL is the language that relational databases like MySQL, Postgres, Microsoft SQL, etc. speak. SQL injection vulnerabilities come about when an unvalidated user-accessible field can have extra SQL statements like `DROP TABLE users;` put into the middle of a query and executed by the database. The OWASP community is powered by security-knowledgeable volunteers from corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. Similarly to the Top Ten 2017, we plan to conduct a survey to identify up to two categories of the Top Ten that the community believes are important, but may not be reflected in the data yet.
As someone who knows a lot about WordPress security, this one has a fond place in my heart. It’s almost certainly the most common cause of compromise in WordPress, because so many end users don’t understand the importance of updating all their components. The OWASP document specifies that it’s possible with at least Java as well. Basic integrity checks and/or keeping the serialized format totally secure is smart. Officially, A3 “Sensitive Data Exposure” is shown in the OWASP Top Ten documentation as having moved down from a higher position it previously held on the 2013 list. But the title’s text is nowhere to be found on the previous list, and the only missing item is “Session Management,” which doesn’t really apply here.
It is not the purpose of this training to discuss advanced and practical topics. Conviso has customized training and practical training platforms. Where people use native PHP serialization, and store that data in a place where a user could control or change it, they’re vulnerable. If, like me, you write a lot of PHP, you’ll need to keep this one in mind for a long time. The easy solution is to skip PHP native serialization and instead use a common format like JSON, which PHP doesn’t perform object magic with.
You must build security into an entire application and its infrastructure to truly be safe from this concern, but then that feels rather appropriate to me. But writing hot takes is kind of unavoidable on the web, if I want to offer any value to people with shorter attention spans. For those who want all the details, please check out the official PDF from OWASP. If you’d like me to go into much more detail on any of them, please don’t hesitate to drop me a comment here. I admit that I don’t love that the majority of this post will be my hot takes on the OWASP Top Ten 2017. It’s a well-considered list and deserves a complete course rather than a quick summary.
By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. … These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. If you have powerful administration accounts, and it’s relatively easy for an attacker to get access to those accounts, you’ve got a serious authentication issue. The rapid expansion of the attack surface also means that an attacker can always find a new attack surface. Within this context, after four years we once again usher in an OWASP Top 10 update.
And so I don’t see this changing drastically in position until either tooling gets a lot better, or humans become much more concerned about this as a general security practice. Extensible Markup Language is a nice little HTML-like language which is both (two sides of the same coin) quite verbose and descriptive. It’s been an industry standard, especially for “enterprise applications,” for over ten years, going through waves of popularity and hatred. It seems to me that part of the reason for this to emerge relatively new and so high is that the GDPR went into effect in May 2018, and that made some people take this whole question pretty seriously. The recommendation of “Don’t store sensitive data unnecessarily” is great advice, but it’s also one of the most common lessons people have taken from the GDPR. The advice contained here beyond that, of using good encryption algorithms and encrypting more data at rest, is also quite good.
For the first time since 2013, the Open Web Application Security Project (OWASP) has updated its top 10 list of the most critical application security risks. According to OWASP, the 2017 OWASP Top 10 is a major update, with three new entries making the list, based on feedback from the AppSec community. Because the risks to applications are always evolving, the OWASP Top 10 list is revised each time to reflect these changes, along with the techniques and best practices for avoiding and remediating the vulnerabilities.