We are almost halfway through 2017 and it has already proven a very interesting year for security. Not only because we have experienced some remarkable cyber attacks, including the infamous WannaCry outbreak and the return of the Mirai malware, but mostly because the industry has demonstrated its ability and resolve to fight back.
It is well known by now that the WannaCry outbreak was in large part contained thanks to a security researcher and blogger who goes by the name MalwareTech: he noticed that the malware checked whether an unregistered domain resolved before spreading further, registered that domain, and so triggered the kill switch. And in one of the clearest demonstrations of what the web security community can do when it works collectively, the OWASP Top Ten project is set to release an updated version of its famous list of web application security risks in a couple of months. That is another reason 2017 is a noteworthy year, since this is the first update since 2013.
What is OWASP and why it matters
OWASP is frequently referenced by web security resources, but what the organisation actually is gets explained less often. The Open Web Application Security Project, or OWASP for short, was established in 2001 and is in essence a global community of security practitioners pooling their knowledge of threats and countermeasures.
OWASP has evolved into a non-profit organisation which operates on the principle of openness (anyone around the world may join as a member) and provides free resources for web security professionals. Arguably the most notable of these is the OWASP Top 10 Most Critical Web Application Security Risks, a list of what are widely regarded as the most crucial threats, each with a description, examples, and guidance on how to address it. Some of these risks, in particular the injection-style attacks such as SQL injection, cross-site scripting (XSS), remote file inclusion and similar illegal resource access attempts, can be partly mitigated in front of the application by a well-tuned web application firewall (WAF). A WAF is a compensating control rather than a fix, though: it filters request patterns, so it does little against risks whose exploitation looks like legitimate traffic, such as broken access control, sensitive data exposure, security misconfiguration, or using components with known vulnerabilities. Those have to be addressed in the application code and its deployment.
The OWASP Top 10 – 2017 Release Candidate
In April 2017, OWASP released its release candidate for the OWASP Top Ten – 2017. The list is refreshed roughly every three years; it was first published in 2003, with updates in 2004, 2007, 2010 and 2013. In the proposed list, 2013’s “A10 – Unvalidated Redirects and Forwards” was dropped, and “A4 – Insecure Direct Object References” and “A7 – Missing Function Level Access Control” were merged to produce 2017’s candidate “A4 – Broken Access Control”. The merge makes sense: both are failures to enforce, on the server, who may act on what, one at the level of individual records (the object) and the other at the level of whole functions or URLs. Furthermore, two new risks were added: “A7 – Insufficient Attack Protection” and “A10 – Underprotected APIs”.
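To make the merge concrete, here is an added example (not code from the original page or from OWASP) showing the two 2013 flaws side by side in a toy application, followed by hardened handlers that enforce both the object-level and the function-level check. The users, invoices and handler names are constructed for illustration; a real application would back them with a database and a web framework, but the enforcement points are the same.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the original page): users with roles and
# invoices that each belong to one user.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
INVOICES = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.50},
}


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Request:
    """Stand-in for an HTTP request after authentication has already succeeded."""
    user: str                                    # authenticated principal
    params: dict = field(default_factory=dict)   # query/body parameters


# --- Vulnerable handlers: the two 2013 categories that were merged -----------

def get_invoice_vulnerable(req: Request) -> dict:
    """2013 A4, Insecure Direct Object Reference: the handler trusts the id the
    client supplies and never asks whether that invoice belongs to req.user."""
    return INVOICES[int(req.params["id"])]


def delete_user_vulnerable(req: Request) -> str:
    """2013 A7, Missing Function Level Access Control: the admin function is only
    hidden from the navigation menu; nothing on the server checks the role."""
    return "deleted " + req.params["user"]


# --- Hardened handlers: one enforcement point per level ----------------------

def get_invoice_secure(req: Request) -> dict:
    """Object-level check: the row must exist AND be owned by the caller.
    Both failure modes raise the same error so an attacker cannot enumerate
    which ids exist by comparing 'not found' with 'forbidden' responses."""
    invoice = INVOICES.get(int(req.params["id"]))
    if invoice is None or invoice["owner"] != req.user:
        raise Forbidden(f"{req.user} may not read invoice {req.params['id']}")
    return invoice


def require_role(role: str):
    """Function-level check applied as a decorator, so the policy is enforced
    on the server regardless of what the UI exposes."""
    def decorator(handler):
        def wrapper(req: Request):
            if USERS.get(req.user, {}).get("role") != role:
                raise Forbidden(f"{req.user} lacks role {role!r}")
            return handler(req)
        return wrapper
    return decorator


@require_role("admin")
def delete_user_secure(req: Request) -> str:
    return "deleted " + req.params["user"]


def attempt(handler, req: Request) -> str:
    """Run a handler and report 'allowed' or 'denied', which is what a tester
    observes when probing an endpoint with another user's parameters."""
    try:
        handler(req)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    # bob probes alice's invoice and the admin-only delete function.
    bob_reads_alice = Request("bob", {"id": "101"})
    bob_deletes = Request("bob", {"user": "alice"})
    print("IDOR, vulnerable: ", attempt(get_invoice_vulnerable, bob_reads_alice))
    print("IDOR, hardened:   ", attempt(get_invoice_secure, bob_reads_alice))
    print("admin, vulnerable:", attempt(delete_user_vulnerable, bob_deletes))
    print("admin, hardened:  ", attempt(delete_user_secure, bob_deletes))
```

Run it as a script and the two vulnerable handlers report "allowed" for bob while the hardened ones report "denied"; the same probe, substituting another user's id or calling a URL that is merely unlinked, is exactly how a pentester confirms either flaw. Note that a WAF sees nothing wrong with any of these requests: they are well-formed, authenticated and carry no attack payload, which is why this category has to be fixed in the application.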
With the end of the public comment period approaching (currently set for June 30th), there is still time to weigh in and contribute your feedback to the project. And if you need more information to make up your mind, remember what the OWASP resources are primarily meant to be: a starting point for educating yourself and ensuring that you stay properly protected, not a complete security programme in themselves.