In case you missed it, the OWASP Foundation announced on April 27 that the planned 2020 release of the OWASP Top 10 Most Critical Web Application Security Risks was to be delayed. There were several reasons given for the delay, with the impact of the COVID-19 pandemic cited as the primary cause.
The OWASP Top 10 is the globally recognized standard awareness document that informs developers and web application security professionals about the most critical security risks to web applications. While there is disappointment with not getting a new Top 10 this fall, many of the risks identified in 2017 still apply today, and development teams can still take action.
According to OWASP, the pandemic has made it difficult to complete the steps required to produce the new Top 10. These include scheduling the necessary collaborations to obtain data from organizations, performing the data science and analysis to determine the new Top 10, and obtaining the industry and media buy-in to drive awareness. The new release is targeted for the OWASP Global AppSec Days, to be held in Dublin, Ireland, February 15-19, 2021.
Looking ahead to the upcoming release, OWASP has provided some information about the methodology of the new Top 10. The OWASP team will continue to collect data from as many sources as possible, use evidence-based, data-science-driven standards, remain community-driven and community-reviewed, and align with other key standards and CWEs (Common Weakness Enumeration). In addition, OWASP is improving its approach in several ways: enhancing its data science and community-driven qualitative process, allowing anonymous data submissions, and improving the look and feel of the presentation while providing more ways to consume it.
Until the release of the new Top 10 in 2021, the current 2017 version remains highly effective and relevant. One of the frustrations for those who work in Application Security is the stubbornness with which the same risks persist. For example:
- Between the 2013 and 2017 versions of the list, we saw only three new risks added: A4: XML External Entities, A8: Insecure Deserialization, and A10: Insufficient Logging and Monitoring.
- Injection, #1 on the 2017 list, has been on every version since the inception of the Top 10, and was also #1 in 2010 and 2013.
- Broken Authentication, #2 in 2017, has also been on every version of the list and was #2 in 2013.
- 2017’s A7: Cross-site Scripting has been included on every Top 10 list since 2003.
Based on the data breaches and incidents we have seen since the current list was published in 2017, we will most likely see many of these same risks appear on the 2021 version.
Ways to safeguard your organization while waiting for the 2021 OWASP Top 10
- It is important that you continue to educate staff on the current OWASP Top 10 – 2017. Above all, the Top 10 is an awareness piece, the bare minimum your development teams should address to improve application security. The risks identified in 2017 remain an issue today. With the earliest release date for the new list being mid-February 2021 (which is not set in stone and may still slip), failure to continue to educate and raise awareness of the current 2017 version of the list puts your applications, your data, and your clients at risk.
- Secure coding does not happen by chance. Provide your development teams with ongoing technical training in the OWASP Top 10 – 2017 using real-life scenarios.
- Stay up-to-date on the latest data breaches and security incidents and share these with your development teams so they are alerted to risks they may need to investigate and remediate in their code.
- Follow the OWASP Top 10 team on Twitter for the latest updates on the new Top 10.
GLS’s Marina Kelly, author of this article, is a speaker at the Global AppSec 2020 Virtual conference, presenting “Using the OWASP Top 10 As The Foundation for Security and Privacy Programs Across Your Organization.”