In case you missed it, the OWASP Foundation announced on April 27 that the planned 2020 release of the OWASP Top 10 Most Critical Web Application Security Risks was to be delayed. There were several reasons given for the delay, with the impact of the COVID-19 pandemic cited as the primary cause.
The OWASP Top 10 is the globally recognized standard awareness document that informs developers and web application security professionals about the most critical security risks to web applications. While there is disappointment with not getting a new Top 10 this fall, many of the risks identified in 2017 still apply today, and development teams can still take action.
According to OWASP, the pandemic has made it difficult to complete the steps required to produce the new Top 10: scheduling the necessary collaborations to obtain data from organizations, performing the data science and analysis to determine the new Top 10, and obtaining the industry and media buy-in to drive awareness. The new release is targeted for the OWASP Global AppSec Days, to be held in Dublin, Ireland, February 15-19, 2021.
Looking ahead to the upcoming release, OWASP has provided some information about the methodology of the new Top 10. The OWASP team will continue to collect data from as many sources as possible, use evidence-based, data-science-driven standards, remain community-driven and community-reviewed, and align with other key standards and CWEs (Common Weakness Enumerations). In addition, OWASP is improving its approach in several ways: enhancing its data science and community-driven qualitative process, allowing anonymous data submissions, and improving the look and feel of the presentation while providing more ways to consume it.
Until the release of the new Top 10 in 2021, the current 2017 version remains highly effective and relevant. One of the frustrations for those who work in Application Security is the stubbornness with which the same risks persist. For example:
- Between the 2013 and 2017 versions of the list, we saw only three new risks added: A4: XML External Entities, A8: Insecure Deserialization, and A10: Insufficient Logging and Monitoring.
- Injection, #1 on the 2017 list, has appeared on every version since the inception of the Top 10, and was also #1 in 2010 and 2013.
- Broken Authentication, #2 in 2017, has also been on every version of the list and was #2 in 2013.
- 2017’s A7: Cross-site Scripting has been included on every Top 10 list since 2003.
Based on the data breaches and incidents we have seen since the current list was published in 2017, we will most likely see many of these same risks appear on the 2021 version.
GLS’s Marina Kelly, author of this article, is a speaker at the Global AppSec 2020 Virtual conference, where she presents “Using the OWASP Top 10 As The Foundation for Security and Privacy Programs Across Your Organization.”