New OWASP Top 10: My Thoughts

The OWASP (Open Web Application Security Project) foundation aims to improve software security through its community-led open-source software projects, hundreds of chapters worldwide, tens of thousands of members, and the local and global conferences it hosts. Of the many projects and events it runs, the OWASP Top 10 is arguably the most famous.

The OWASP Top 10 is a document that ranks and describes the ten most critical web application security risks. In this year’s version, both the methodology and the overall outlook have changed. The list has moved away from naming specific vulnerabilities and towards general categories. For example, Cross-Site Scripting (XSS) and XML External Entities (XXE) are no longer entries in the Top 10; instead, they have been folded into the broader categories of Injection and Security Misconfiguration, respectively.

[Figure: Mapping of the 2021 list compared to the 2017 list]

Initial Thoughts

My initial thoughts are similar to what Daniel Miessler highlighted in his blog post. His entire website is highly recommended, and you should consider signing up for his newsletter.

In summary, I believe that the OWASP Top 10 is going through an identity crisis. Initially, the project highlighted 10 “specific” vulnerabilities that developers and other security professionals needed to fix. However, the new OWASP Top 10 contains general and generic security risks, except for the last one, Server-Side Request Forgery (SSRF). They should have gone all-in with one approach or the other rather than mixing categories with specific vulnerabilities.

I am OK with the future of the project being one of ALL categories. However, I do have a BIG issue with the addition of #4 Insecure Design. Many vulnerabilities belong to several of the new categories of the OWASP Top 10, but you can argue that all vulnerabilities belong to Insecure Design.

In its description, the creators do admit that this is a broad category. They specifically say, “Insecure design is not the source for all other Top 10 risk categories. There is a difference between insecure design and insecure implementation.”

They argue that a secure design can still have implementation defects, which can be fixed, but an insecure design cannot be fixed by a perfect implementation. If that is the case, then Insecure Design should be #1 in the rankings or, what I think is a better solution, should be made a separate project/ranking.

The OWASP Top 10 is an important project that many use as an initial step when developing an AppSec program. The move towards broad categories is a way of showing people the areas they should focus on, while leaving the bulk of the research and discovery for each vulnerability to the individual.

One big plus I do see is that companies can no longer slap “We cover all OWASP Top 10” onto the marketing for the tools they offer. That claim always bothered me, because there has never been a tool that can accurately find all OWASP Top 10 issues, even for the old versions of the list.

I recommend visiting the new OWASP Top 10 website at https://owasp.org/Top10/. It goes into more depth on the methodology, the changes, and the future of the project.