This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Top 10-2017 Release Notes
What changed from 2013 to 2017?
Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used. Over the last few years, the fundamental technology and architecture of applications has changed significantly:
New issues, supported by data
New issues, supported by the communityWe asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:
Merged or retired, but not forgotten
|
OWASP Top 10 - 2013 (Previous Version) | ⇒ | OWASP Top 10 - 2017 (Current Version) |
---|---|---|
A1-Injection | ⇒ | A1:2017-Injection |
A2-Broken Authentication and Session Management | ⇒ | A2:2017-Broken Authentication |
A3-Cross-Site Scripting (XSS) | ⇘ | A3:2017-Sensitive Data Exposure |
A4-Insecure Direct Object References - [Merged + A7] | ∪ | A4:2017-XML External Entities (XXE) [NEW] |
A5-Security Misconfiguration | ⇘ | A5:2017-Broken Access Control [Merged] |
A6-Sensitive Data Exposure | ⇗ | A6:2017-Security Misconfiguration |
A7-Missing Function Level Access Control - [Merged + A4] | ∪ | A7:2017-Cross-Site Scripting (XSS) |
A8-Cross-Site Request Forgery (CSRF) [Dropped] | ☒ | A8:2017-Insecure Deserialization [NEW, Community] |
A9-Using Components with Known Vulnerabilities | ⇒ | A9:2017-Using Components with Known Vulnerabilities |
A10-Unvalidated Redirects and Forwards [Dropped] | ☒ | A10:2017-Insufficient Logging&Monitoring [NEW, Community] |