Latest OWASP Top 10 looks at APIs, web apps

2017-06-09

The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs.

To make room for the new items, a couple of older ones were either removed or merged into new items.

The fact that the list hasn't changed much since its first release in 2003 is both good and bad, said Jeff Williams, CTO and co-founder at Contrast Security.

Williams worked on the first OWASP Top 10, and was the chair of OWASP from 2003 to 2011.

"It's good that the threats aren't changing that much," he said. "If they were changing dramatically, it would be a lot harder to keep up. This is like the devil we know."

On the other hand, the list also shows that companies are still struggling with the most basic problems.

"It's still amazing to me that we're still struggling with SQL injections and cross-site scripting," he said. "We should be able to stamp them out, but we're not. We're not making any progress at all."

This edition of the list is based on new research, with data from more than 40 industry partners, covering more than 50,000 applications and a total of 2.3 million vulnerabilities.

"On average, across all the 50,000 applications that were part of this study, we saw 20.5 vulnerabilities per app," he said. "That's a stupendous number. Everyone should be outraged by that number. We need to do better, we can do better. These are well-known, well understood problems and they're not complicated to fix if you set your mind to it."

The research looked at which vulnerabilities were still common and still critical to security, and added items that reflect the move towards high-speed software development.

To make room for the new items that focus on protecting APIs and web applications, two items about access controls were combined, and undocumented redirects and forwards were dropped from the list because that item wasn't all that dangerous.

"It's never been one of the most serious risks," he said. "At worst, it would redirect someone to a URL they didn't want to go to. But it's not hard to do that anyway. You don't need a special vulnerability to trick someone into clicking a link."

The two new items were a bit controversial, because they aren't actually the same kind of vulnerabilities as the other items on the list.

Take insufficient attack protections for web applications.

"We're in 2017, and most applications will still let you attack them forever," he said. "They'll just say, 'We didn't understand your request, please try again.' It's not the hardest thing in the world to detect obvious attacks and block them. We need applications to defend themselves a little bit."
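As an added illustration (not from the article, Contrast Security or OWASP), the constructed Python sketch below shows the difference Williams describes: instead of answering "try again" to every malformed request, the application counts obvious attack probes per client and blocks that client after a threshold. The indicator patterns, threshold, window and sample traffic are all assumptions made up for this example.

```python
import re
from collections import defaultdict, deque

# Constructed indicators of obvious probes (the SQL injection and XSS classes the
# article names). A real deployment would use a maintained WAF/RASP rule set.
ATTACK_PATTERNS = [
    re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I),  # SQLi tautology probe
    re.compile(r"<\s*script\b", re.I),                        # reflected XSS probe
]

class AttackProtection:
    """Per-client tracker: after `threshold` flagged requests inside `window`
    seconds, every further request from that client is blocked."""

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # client -> timestamps of flagged requests
        self.blocked = {}                 # client -> time the block was applied

    @staticmethod
    def looks_like_attack(value):
        return any(p.search(value) for p in ATTACK_PATTERNS)

    def handle(self, client, param_value, now):
        if client in self.blocked:
            return "blocked"
        if not self.looks_like_attack(param_value):
            return "ok"                   # normal request, serve it
        q = self.events[client]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                   # forget probes outside the window
        if len(q) >= self.threshold:
            self.blocked[client] = now    # the "defend itself" step
            return "blocked"
        return "rejected"                 # flagged and logged, not yet blocked

# Constructed sample traffic: a legitimate user (10.0.0.5, including an apostrophe
# in a real name) and a client (10.0.0.9) sending repeated obvious probes.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5", "alice"),
    (1.0, "10.0.0.9", "' or 1=1"),
    (2.0, "10.0.0.9", "<script>alert(1)</script>"),
    (3.0, "10.0.0.5", "bob o'neil"),
    (4.0, "10.0.0.9", "1' OR 2=2"),
    (5.0, "10.0.0.9", "harmless"),
]

def run_sample():
    guard = AttackProtection(threshold=3, window=60.0)
    return [guard.handle(client, value, t) for t, client, value in SAMPLE_REQUESTS]
```

The legitimate user is never affected, while the probing client is rejected twice and then blocked, so even its later benign-looking request no longer reaches the application.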

