This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Top 10-2017 Release Notes

From OWASP
Revision as of 17:02, 23 April 2017 by T.Gigler (talk | contribs) (underlined all links, created a link at references to Top 10 in the paragraph 'What Changed From 2013 to 2017?')

Jump to: navigation, search
← Introduction
2017 Table of Contents

PDF version

Risk →
What Changed From 2010 to 2013?

The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, we periodically update the OWASP Top 10. In this 2017 release, we made the following changes:

  1. We merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017-A4: XML External Entities (XXE).

    o     In 2007, we split Broken Access Control into these two categories to bring more attention to each half of the access control problem (data and functionality). We no longer feel that is necessary so we merged them back together.

  2. We added 2017-A7: Cross-Site Scripting (XSS):

    +     For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that the majority of applications and APIs lack basic capabilities to detect, prevent, and respond to both manual and automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.

  3. We added 2017-A10: Insufficient Logging&Monitoring:

    +     Modern applications and APIs often involve rich client applications, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. We include it here to help organizations focus on this major emerging exposure.

  4. We dropped: 2013-A10: Unvalidated Redirects and Forwards:

    -     In 2010, we added this category to raise awareness of this problem. However, the data shows that this issue isn’t as prevalent as expected. So after being in the last two releases of the Top 10, this time it didn’t make the cut.

NOTE: The T10 is organized around major risk areas, and they are not intended to be airtight, non-overlapping, or a strict taxonomy. Some of them are organized around the attacker, some the vulnerability, some the defense, and some the asset. Organizations should consider establishing initiatives to stamp out these issues.

OWASP Top 10 - 2013 (Previous Version) OWASP Top 10 - 2017 (Current Version)
A1-Injection A1-Injection
A2-Broken Authentication and Session Management A2-Broken Authentication
A3-Cross-Site Scripting (XSS) A3-Sensitive Data Exposure
A4-Insecure Direct Object References - Merged with A7 A4-XML External Entities (XXE) (Original category in 2003/2004)
A5-Security Misconfiguration A5-Broken Access Control
A6-Sensitive Data Exposure A6-Security Misconfiguration
A7-Missing Function Level Access Control - Merged with A4 A7-Cross-Site Scripting (XSS) (NEW)
A8-Cross-Site Request Forgery (CSRF) A8-Insecure Deserialization
A9-Using Components with Known Vulnerabilities A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards (Dropped) A10-Insufficient Logging&Monitoring (NEW)
← Introduction
2017 Table of Contents

PDF version

Risk →

© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png