The Open Web Application Security Project (OWASP) is a popular non-profit community that provides guidance and tools to help organizations build and maintain secure web applications. Every three to four years, OWASP releases a document titled the OWASP Top 10, in which they detail the ten most critical risks associated with web application security. This week, OWASP released their first release candidate for the 2017 OWASP Top 10, which will replace the 2013 edition of the same report. While the final document, due sometime this summer, will likely contain a few minor revisions, the primary recommendations should remain the same.
Of the ten risks from the 2013 OWASP Top 10, two are being merged and one is being removed entirely to make room for two new additions. Back in 2007, OWASP split the Broken Access Control risk category into two new categories, Insecure Direct Object References and Missing Functional Level Access Control. As part of the changes to the 2017 document, these two categories are merged back into the original Broken Access Control. Additionally, OWASP is removing the #10 risk from the 2013 report, Unvalidated Redirects and Forwards.
The merge and removal in the 2017 report have freed up space for the addition of two entirely new risk categories. The first new risk, Insufficient Attack Protection, suggests that many attacks are quite noisy in terms of the abnormal network traffic and inputs generated during their execution. Popular vulnerability scanners in particular generate a high volume of unusual requests. In response to this risk, OWASP recommends implementing a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) to detect and respond to unexpected traffic.
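To make the "noisy attacks" point concrete, here is an added example (written for this post, not code from OWASP or from the report) that applies two of the signals a WAF or IPS would look for, request burst rate and error ratio per client, to a handful of constructed Common Log Format access-log lines. The log lines, IP addresses, paths and thresholds are all invented for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Common Log Format); not real traffic.
# 198.51.100.9 behaves like an automated scanner: a burst of requests for
# paths that do not exist, almost all of which draw error responses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2017:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Apr/2017:13:55:09 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.9 - - [10/Apr/2017:13:55:10 +0000] "GET /admin HTTP/1.1" 404 512
198.51.100.9 - - [10/Apr/2017:13:55:10 +0000] "GET /backup HTTP/1.1" 404 512
198.51.100.9 - - [10/Apr/2017:13:55:11 +0000] "GET /old HTTP/1.1" 404 512
198.51.100.9 - - [10/Apr/2017:13:55:11 +0000] "GET /test HTTP/1.1" 404 512
198.51.100.9 - - [10/Apr/2017:13:55:12 +0000] "GET /console HTTP/1.1" 404 512
198.51.100.9 - - [10/Apr/2017:13:55:12 +0000] "GET /login?user=%27 HTTP/1.1" 500 128
198.51.100.9 - - [10/Apr/2017:13:55:13 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Apr/2017:13:55:40 +0000] "GET /contact HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def flag_noisy_clients(log_text, window_seconds=10, max_requests=5, max_error_ratio=0.5):
    """Return {ip: reason} for clients whose traffic looks like an automated scan.

    Two signals are combined: the peak number of requests inside any sliding
    window of `window_seconds`, and the share of responses that were 4xx/5xx.
    Thresholds are illustrative; a real deployment tunes them per application.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: for each request, shrink the window from the left
        # until it spans at most window_seconds, then record its size.
        peak, start = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)

        errors = sum(1 for r in recs if r["status"] >= 400)
        ratio = errors / len(recs)

        reasons = []
        if peak > max_requests:
            reasons.append(f"{peak} requests within {window_seconds}s")
        if ratio > max_error_ratio and len(recs) >= 3:
            reasons.append(f"{ratio:.0%} of responses were errors")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_noisy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

Run stand-alone, it reports only the scanning client; the normal browsing client stays under both thresholds. The error-ratio rule deliberately ignores clients with fewer than three requests so that a single mistyped URL does not trip it, which is the kind of false-positive tuning that separates a useful WAF rule from a noisy one.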
The second new addition to the Top 10 comes in at number 10, and highlights the risk associated with unprotected Application Program Interfaces (APIs). In the description, OWASP points out that APIs are often difficult to test for vulnerabilities because they lack a User Interface (UI) and use complex protocols and data structures for communications. In one of their example attack scenarios, OWASP describes an attack where a banking app doesn’t validate the account number sent in a request, allowing an attacker to modify a different user’s account using different credentials. Interestingly, this is the same type of vulnerability found and responsibly disclosed during WatchGuard Threat Lab’s ongoing IoT research project earlier this year. OWASP recommends several responses to this risk, including authenticating and securing communications to your API and hardening the API against attack.
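The banking scenario above is easier to see in code. The following is an added example, not from OWASP or from any real banking API: a toy account-update endpoint written twice, once the way the scenario describes (the handler authenticates the caller and then trusts whatever account number the request carries) and once with the ownership check that closes the hole. The session store, account table, account-number format and user names are all constructed for the illustration.

```python
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """The caller is authenticated but may not act on this account."""


@dataclass
class Account:
    number: str
    owner: str   # user id of the customer the account belongs to
    email: str   # contact address the API lets customers update


# Constructed in-memory stand-ins for the bank's session store and account table.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    "1001": Account("1001", owner="alice", email="alice@example.com"),
    "2002": Account("2002", owner="bob", email="bob@example.com"),
}
ACCOUNT_NUMBER = re.compile(r"^\d{4}$")   # assumed format for this toy bank


def authenticate(token):
    """Resolve a bearer token to a user id. Authentication answers 'who?', not 'allowed?'."""
    if token not in SESSIONS:
        raise PermissionError("invalid or missing token")
    return SESSIONS[token]


def update_email_vulnerable(token, request):
    """Authenticates, then acts on whatever account number the client supplied."""
    authenticate(token)
    # No ownership check: any valid session can modify any account it names.
    account = ACCOUNTS[request["account"]]
    account.email = request["email"]
    return {"account": account.number, "email": account.email}


def load_owned_account(user, number):
    """Validate the account number and confirm it belongs to the authenticated user."""
    if not isinstance(number, str) or not ACCOUNT_NUMBER.match(number):
        raise ValueError("malformed account number")
    account = ACCOUNTS.get(number)
    # Unknown and not-owned accounts get the same answer, so the API does not
    # confirm which account numbers exist.
    if account is None or account.owner != user:
        raise Forbidden(f"user {user} may not access account {number}")
    return account


def update_email_hardened(token, request):
    """Same operation with the object-level authorization check the vulnerable version lacks."""
    user = authenticate(token)
    account = load_owned_account(user, request.get("account"))
    account.email = request["email"]
    return {"account": account.number, "email": account.email}


def outcome(handler, token, request):
    """Run a handler and reduce the result to a label, to compare the two versions side by side."""
    try:
        handler(token, request)
        return "updated"
    except Forbidden:
        return "forbidden"
    except (ValueError, KeyError):
        return "rejected"
    except PermissionError:
        return "unauthenticated"


if __name__ == "__main__":
    # Alice's own valid session, but Bob's account number in the request body.
    cross = {"account": "2002", "email": "changed@example.com"}
    print("vulnerable:", outcome(update_email_vulnerable, "tok-alice", cross))
    print("hardened:  ", outcome(update_email_hardened, "tok-alice", cross))
```

The point of the split into `authenticate` and `load_owned_account` is that the two questions are separate: a valid token only proves who is calling, and every handler that takes a resource identifier from the client still has to ask whether that caller may touch that resource. Keeping the check in one helper means every endpoint uses the same rule, which is also the easiest place to add a test case when an API has no UI to exercise by hand.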
The OWASP Top 10 remains one of the best resources to consult when implementing and testing web application security. Those responsible for securing their organization’s web applications should be familiar with the recommendations in the document. –Marc Laliberte