This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10-2017 Release Notes"

From OWASP
Jump to: navigation, search
m (T.Gigler moved page Top 10 2017-Release Notes to Top 10-2017 Release Notes: Prepare OWASP Top 10-2017 Release)
m (deleted space to BottomAdvancedTemplate)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
    |usenext=2013NextLink
+
     |useprev=2017PrevLink
    |next={{Top_10:LanguageFile|text=risk|year=2017|language=en}}
 
     |useprev=2013PrevLink
 
 
     |prev={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
 
     |prev={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
 +
    |usenext=2017NextLink
 +
    |next={{Top_10:LanguageFile|text=applicationSecurityRisks|year=2017|language=en}}
 
     |year=2017
 
     |year=2017
 
     |language=en
 
     |language=en
 
}}
 
}}
 +
<!--- RN Release Notes --->
 +
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title=What changed from 2013 to 2017?|year=2017|language=en}}
 +
Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used.
 +
Over the last few years, the fundamental technology and architecture of applications has changed significantly:
 +
* Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.
 +
* Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
 +
* JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
  
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title={{Top_10:LanguageFile|text=whatChangedFrom2010to2013|year=2017|language=en}}|width=100%|year=2017|language=en}}
+
===New issues, supported by data===
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new
+
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4:2017-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u></b> is a new category primarily supported by (<u>[[Source_Code_Analysis_Tools|source code analysis security testing tools]]</u> (SAST) data sets.
technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like
 
Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors
 
frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace,
 
we periodically update the OWASP Top 10. In this 2017 release, we made the following changes:
 
<ol>
 
<li>We merged <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|2013-A4: {{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u> and <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|2013-A7: {{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u> back into <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|2017-A4: {{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u>.
 
<p style="padding-left: 2em; text-indent: -2em;">
 
o&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access
 
control problem (data and functionality). We no longer feel that is necessary so we merged them back together.</p>
 
</li></li>
 
<li>We added <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|2017-A7: {{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]]</u>:
 
<p style="padding-left: 2em; text-indent: -2em;">
 
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that
 
the majority of applications and APIs lack basic capabilities to detect, prevent, and respond to both manual and
 
automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.</p>
 
</li></li>
 
<li>We added <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|2017-A10: {{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u>:
 
<p style="padding-left: 2em; text-indent: -2em;">
 
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps,
 
that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and
 
contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.</p>
 
</li></li>
 
<li>We dropped: <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|2013-A10: {{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u>:
 
<p style="padding-left: 2em; text-indent: -2em;">
 
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as
 
prevalent as expected. So after being in the last two releases of the Top 10, this time it didn’t make the cut.
 
</p>
 
</li></li>
 
</ol>
 
NOTE: The T10 is organized around major risk areas, and they are not intended to be airtight, non-overlapping, or a strict
 
taxonomy. Some of them are organized around the attacker, some the vulnerability, some the defense, and some the
 
asset. Organizations should consider establishing initiatives to stamp out these issues.
 
  
 +
===New issues, supported by the community===
 +
We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are: 
 +
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8:2017-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}]]</u></b>, which permits remote code execution or sensitive object manipulation on affected platforms.
 +
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10:2107-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u></b>, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.
 +
 +
===Merged or retired, but not forgotten===
 +
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u></b> and <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u></b> merged into <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5:2017-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}]]</u></b>.
 +
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]</u></b>, as many frameworks include <u>[[Cross-Site_Request_Forgery_(CSRF)|CSRF defenses]]</u>, it was found in only 5% of applications.
 +
* <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u></b>, while found in approximately in 8% of applications, it was edged out overall by XXE.
 
{{Top_10:SubsectionTableEndTemplate}}
 
{{Top_10:SubsectionTableEndTemplate}}
  
 
<center>
 
<center>
{| style="width: 99%; align:center; text-align:center; border: 2px solid #4a1647; background-color:#F2F2F2; padding=2;"  
+
{| style="width: 99%; align:center; text-align:left; border: 2px solid #4a1647; background-color:#F2F2F2; padding=2;"  
|- style="background-color: #4a1647; color: #FFFFFF;"
+
|- style="background-color: #4a1647; color: #FFFFFF; text-align:center;"
! OWASP Top 10 - 2013 (Previous Version) !! OWASP Top 10 - 2017 (Current Version)
+
! OWASP Top 10 - 2013 (Previous Version) !! <b>&rArr;</b> !! OWASP Top 10 - 2017 (Current Version)
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&rArr;</b>
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1:2017-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]]</u>
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&rArr;</b>
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2:2017-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}]]</u>
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&#8664;</b> <!--- decreased risk --->
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3:2017-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}]]</u>
 
|- style="background-color: #F2F1FF;"  
 
|- style="background-color: #F2F1FF;"  
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u> - Merged with A7
+
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u> - [Merged + A7]
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u> (Original category in 2003/2004)
+
| style="font-size:120%; text-align:center; background-color: #FFFFFF;" | <b>&cup;</b> <!--- merged --->
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4:2017-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u> [NEW]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&#8664;</b> <!--- decreased risk --->
 +
| style="background-color: #F2F1FF;" | <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5:2017-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}]]</u> [Merged]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&#8663;</b> <!--- increased risk --->
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6:2017-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}]]</u>
 +
|- style="background-color: #FFFFFF;"
 +
| style="background-color: #F2F1FF;" | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u> - [Merged + A4]
 +
| style="font-size:120%; text-align:center;" | <b>&cup;</b><!--- merged --->
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7:2017-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]]</u>  
 
|- style="background-color: #F2F1FF;"  
 
|- style="background-color: #F2F1FF;"  
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u> - Merged with A4
+
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]</u> [Dropped]
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]]</u> (NEW)
+
| style="font-size:120%; text-align:center; background-color: #FFFFFF;" | <b>&#9746;</b> <!--- dropped risk --->
|- style="background-color: #FFFFFF;"  
+
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8:2017-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}]]</u> [NEW, Community]
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}]]</u>
 
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]]</u>
 
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]]</u>
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}]]</u>
+
| style="font-size:120%; text-align:center;" | <b>&rArr;</b>
 +
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9:2017-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}]]</u>
 
|- style="background-color: #F2F1FF;"  
 
|- style="background-color: #F2F1FF;"  
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u> (Dropped)
+
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u> [Dropped]
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u> (NEW)
+
| style="font-size:120%; text-align:center; background-color: #FFFFFF;" | <b>&#9746;</b> <!--- dropped risk --->
|}
+
| <u>[[{{Top_10:LanguageFile|text=documentRootTop10New|year=2017|language=en}}_A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10:2017-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u> [NEW, Community]
</center>
+
|}
{{Top_10_2013:BottomTemplate
+
</center> {{Top_10_2013:BottomAdvancedTemplate
  |usenext=2013NextLink
+
    |type=text
  |next={{Top_10:LanguageFile|text=risk|year=2017|language=en}}
+
    |useprev=2017PrevLink
  |useprev=2013PrevLink
+
    |prev={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
  |prev={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
+
    |usenext=2017NextLink
  |year=2017
+
    |next={{Top_10:LanguageFile|text=applicationSecurityRisks|year=2017|language=en}}
  |language=en
+
    |year=2017
 +
    |language=en
 
}}
 
}}
 +
 +
<!-- [[Category:OWASP Top Ten Project]] -->

Latest revision as of 12:21, 4 February 2018

← Introduction
2017 Table of Contents

PDF version

Application Security Risks →
What changed from 2013 to 2017?

Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used. Over the last few years, the fundamental technology and architecture of applications has changed significantly:

  • Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.
  • Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
  • JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.

New issues, supported by data

New issues, supported by the community

We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are: 

Merged or retired, but not forgotten

OWASP Top 10 - 2013 (Previous Version) OWASP Top 10 - 2017 (Current Version)
A1-Injection A1:2017-Injection
A2-Broken Authentication and Session Management A2:2017-Broken Authentication
A3-Cross-Site Scripting (XSS) A3:2017-Sensitive Data Exposure
A4-Insecure Direct Object References - [Merged + A7] A4:2017-XML External Entities (XXE) [NEW]
A5-Security Misconfiguration A5:2017-Broken Access Control [Merged]
A6-Sensitive Data Exposure A6:2017-Security Misconfiguration
A7-Missing Function Level Access Control - [Merged + A4] A7:2017-Cross-Site Scripting (XSS)
A8-Cross-Site Request Forgery (CSRF) [Dropped] A8:2017-Insecure Deserialization [NEW, Community]
A9-Using Components with Known Vulnerabilities A9:2017-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards [Dropped] A10:2017-Insufficient Logging&Monitoring [NEW, Community]
← Introduction
2017 Table of Contents

PDF version

Application Security Risks →

© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png