Difference between revisions of "Top 10-2017 Release Notes"
(Created page with "{{Top_10_2013:TopTemplate |usenext=2013NextLink |next={{Top_10:LanguageFile|text=risk|year=2017|language=en}} |useprev=2013PrevLink |prev={{Top_10:LanguageFile...")
m (underlined all links, created a link at references to Top 10 in the paragraph 'What Changed From 2013 to 2017?')
Line 15: | Line 15: | ||
we periodically update the OWASP Top 10. In this 2017 release, we made the following changes: | we periodically update the OWASP Top 10. In this 2017 release, we made the following changes: | ||
<ol> | <ol> | ||
− | <li>We merged 2013-A4: | + | <li>We merged <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|2013-A4: {{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u> and <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|2013-A7: {{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u> back into <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|2017-A4: {{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u>. |
<p style="padding-left: 2em; text-indent: -2em;"> | <p style="padding-left: 2em; text-indent: -2em;"> | ||
o In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access | o In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access | ||
control problem (data and functionality). We no longer feel that is necessary so we merged them back together.</p> | control problem (data and functionality). We no longer feel that is necessary so we merged them back together.</p> | ||
</li></li> | </li></li> | ||
− | <li>We added 2017-A7: | + | <li>We added <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|2017-A7: {{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]]</u>: |
<p style="padding-left: 2em; text-indent: -2em;"> | <p style="padding-left: 2em; text-indent: -2em;"> | ||
+ For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that | + For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that | ||
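Review bot: the unchanged context line `</li></li>` that follows the merged-paragraph `</p>` closes the list item twice, and the same doubled close sits under each of the items this edit touches; since the edit already rewrites every `<li>` opener in this `<ol>`, it should also drop the stray second `</li>` so the list stays well-formed. The new link target `[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|2013-A4: ...]]` is assembled entirely from template output, so both the target and the visible text change silently whenever either template's value for that year and number changes; a link by fixed page name, with only the display text templated, would be more robust.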
Line 26: | Line 26: | ||
automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.</p> | automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.</p> | ||
</li></li> | </li></li> | ||
− | <li>We added 2017-A10: | + | <li>We added <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|2017-A10: {{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u>: |
<p style="padding-left: 2em; text-indent: -2em;"> | <p style="padding-left: 2em; text-indent: -2em;"> | ||
+ Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, | + Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, | ||
Line 32: | Line 32: | ||
contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.</p> | contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.</p> | ||
</li></li> | </li></li> | ||
− | <li>We dropped: 2013-A10: | + | <li>We dropped: <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|2013-A10: {{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u>: |
<p style="padding-left: 2em; text-indent: -2em;"> | <p style="padding-left: 2em; text-indent: -2em;"> | ||
- In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as | - In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as | ||
Line 50: | Line 50: | ||
! OWASP Top 10 - 2013 (Previous Version) !! OWASP Top 10 - 2017 (Current Version) | ! OWASP Top 10 - 2013 (Previous Version) !! OWASP Top 10 - 2017 (Current Version) | ||
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]]</u> |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}]]</u> |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}]]</u> |
|- style="background-color: #F2F1FF;" | |- style="background-color: #F2F1FF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]] - Merged with A7 | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]</u> - Merged with A7 |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]] (Original category in 2003/2004) | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}]]</u> (Original category in 2003/2004) |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}]]</u> |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}]]</u> |
|- style="background-color: #F2F1FF;" | |- style="background-color: #F2F1FF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]] - Merged with A4 | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]</u> - Merged with A4 |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]] (NEW) | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}]]</u> (NEW) |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}]]</u> |
|- style="background-color: #FFFFFF;" | |- style="background-color: #FFFFFF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]]</u> |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}]] | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}]]</u> |
|- style="background-color: #F2F1FF;" | |- style="background-color: #F2F1FF;" | ||
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]] (Dropped) | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]</u> (Dropped) |
− | | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]] (NEW) | + | | <u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}]]</u> (NEW) |
|} | |} | ||
</center> | </center> |
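Review bot: in this table every cell now repeats a literal `<u>...</u>` around its `[[...]]` link, twenty times, while the annotations `- Merged with A7`, `(Original category in 2003/2004)`, `(NEW)` and `(Dropped)` remain plain text next to names generated by `{{Top_10_2010:ByTheNumbers|n|language=en|year=...}}`; because the annotation is tied to the row number and the name to the template, the two drift apart as soon as the template's numbering is reordered, which the rendered revision below already shows (`A7-Cross-Site Scripting (XSS) (NEW)`, `A4-XML External Entities (XXE) (Original category in 2003/2004)`). Suggest passing the annotation through the same template (or linking by fixed page name) so name and note move together, and putting the underline in page styling instead of per-cell `<u>` tags.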
Revision as of 17:02, 23 April 2017
What Changed From 2010 to 2013?
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, we periodically update the OWASP Top 10. In this 2017 release, we made the following changes:
NOTE: The T10 is organized around major risk areas, and they are not intended to be airtight, non-overlapping, or a strict taxonomy. Some of them are organized around the attacker, some the vulnerability, some the defense, and some the asset. Organizations should consider establishing initiatives to stamp out these issues.
| OWASP Top 10 - 2013 (Previous Version) | OWASP Top 10 - 2017 (Current Version) |
|---|---|
| A1-Injection | A1-Injection |
| A2-Broken Authentication and Session Management | A2-Broken Authentication |
| A3-Cross-Site Scripting (XSS) | A3-Sensitive Data Exposure |
| A4-Insecure Direct Object References - Merged with A7 | A4-XML External Entities (XXE) (Original category in 2003/2004) |
| A5-Security Misconfiguration | A5-Broken Access Control |
| A6-Sensitive Data Exposure | A6-Security Misconfiguration |
| A7-Missing Function Level Access Control - Merged with A4 | A7-Cross-Site Scripting (XSS) (NEW) |
| A8-Cross-Site Request Forgery (CSRF) | A8-Insecure Deserialization |
| A9-Using Components with Known Vulnerabilities | A9-Using Components with Known Vulnerabilities |
| A10-Unvalidated Redirects and Forwards (Dropped) | A10-Insufficient Logging & Monitoring (NEW) |