The Open Web Application Security Project (OWASP) is now considered the industry standard methodology for web application security and penetration testing, with the OWASP Top 10 2017 being the minimum standard that web applications should be tested against. The OWASP project is run by volunteers: AppSec and security professionals, such as penetration testers, who assess web application security on a daily basis. Anyone connected with the OWASP project understands its importance, the difference it has made to web application security, and the significant role it has to play in making the Internet a safer place to use.

OWASP Top 10 2017 - RC Release Date

On Monday the 23rd of April OWASP released RC1 of the 2017 OWASP Top 10. The release candidate proposes two new web vulnerability categories: “unprotected APIs” and “insufficient attack detection and prevention”.

OWASP makes room for the “unprotected APIs” category by dropping “unvalidated redirects and forwards”. This was the 10th item on the OWASP Top 10 for 2013, and “unvalidated redirects and forwards” originally made the OWASP Top 10 back in 2010.

The other new category, “insufficient attack protection”, has been added in 7th position of the OWASP Top 10 for 2017. OWASP has essentially made room for the new vulnerability category by merging the current 4th and 7th categories. The categories that OWASP has provisionally proposed merging in the 2017 RC1 are “insecure direct object references” and “missing function level access control”.

In addition to the categories merged above, the OWASP organization has also proposed merging two older categories into “broken access control”. OWASP would like to revert to the way those categories were structured all the way back in 2004.

For insufficient attack protection, OWASP provides the following description of the vulnerability category:

“The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.”
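As an added illustration of the detect, log, respond and block loop that the description above calls for (example code written for this article, not OWASP's or any product's), the following scans constructed access-log lines, counts rejected (4xx) responses per client inside a sliding time window, and flags clients that exceed a threshold so a blocking rule can be applied. The log format, the window of 60 seconds and the threshold of 5 are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): <ip> [<ISO timestamp>] "<request>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')
TS_FMT = "%Y-%m-%dT%H:%M:%S"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}

def detect_attackers(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: timestamp_first_flagged} for every client that produced at
    least `threshold` rejected (4xx) responses inside any `window`-long span."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 4xx responses
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 400 <= rec["status"] < 500:
            continue  # detect: only rejected requests count as evidence of probing
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]  # respond: record the block decision
            # log: emit an alert an operator or a firewall hook can act on
            print(f"[alert] {rec['ip']}: {len(q)} rejected requests within "
                  f"{window.seconds}s, last {rec['req']!r}; blocking client")
    return flagged

# Constructed sample: 203.0.113.7 hammers non-existent and forbidden paths,
# while 198.51.100.2 browses normally and trips a single 404.
SAMPLE_LOG = [
    '198.51.100.2 [2017-04-24T10:00:00] "GET / HTTP/1.1" 200',
    '203.0.113.7 [2017-04-24T10:00:01] "GET /admin HTTP/1.1" 404',
    '203.0.113.7 [2017-04-24T10:00:02] "GET /backup HTTP/1.1" 404',
    '198.51.100.2 [2017-04-24T10:00:03] "GET /missing.png HTTP/1.1" 404',
    '203.0.113.7 [2017-04-24T10:00:03] "GET /config HTTP/1.1" 404',
    '203.0.113.7 [2017-04-24T10:00:04] "GET /login HTTP/1.1" 404',
    '203.0.113.7 [2017-04-24T10:00:05] "GET /api/v1/users HTTP/1.1" 403',
]

if __name__ == "__main__":
    print(detect_attackers(SAMPLE_LOG))  # {'203.0.113.7': datetime(2017, 4, 24, 10, 0, 5)}
```

In a real deployment the print would feed a SIEM or a WAF rule, and the threshold would be tuned against the application's normal 4xx rate so that ordinary users are not blocked.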

When the matter was discussed on Reddit, several users said that “insufficient attack protection” should not be classified as a flaw. However, it remains to be seen whether enough users agree for OWASP to change its mind about creating the new category.

As for the unprotected APIs category, OWASP had a couple of things to say. In its opinion, the majority of modern applications involve rich client applications and APIs: for example, JavaScript in mobile apps and in the browser connecting to an API of some kind. Because these APIs tend to be unprotected, they often contain numerous vulnerabilities.

Hence, it has become more important than ever that application designers build their products carefully and thoughtfully, because the less protected these applications are, the greater the threat to security. If an application is breached or compromised by malicious users, not only do customers suffer the loss or exposure of personal information, but the company’s brand is damaged as well.

How To Test your Web Applications Against the OWASP Top 10

You might be wondering how to test your applications against the OWASP Top 10. The solution is penetration testing, and it is recommended to hire a dedicated third-party penetration testing company. A penetration tester then performs what is called a “web application penetration test”, sometimes called a web application security assessment. This type of penetration testing focuses primarily on the web application itself: an in-depth assessment that follows the OWASP web application security testing methodology and analyses your web application thoroughly, helping to ensure that it is not exposed to any of the web application vulnerabilities in the Top 10.
