OWASP Top 10 Vulnerabilities List is Changing
OWASP is changing their Top 10! At first this did not look as serious as I thought, but take a closer look: it is. Common application vulnerabilities turn up everywhere, whether the traffic rides over IPv4 or IPv6, and OWASP is finally updating its Top 10 to reflect that. So let's look at some of the finer points.
2017 – Year of the change
The chart below maps the 2013 OWASP Top 10 categories to their 2017 counterparts:
According to Jeff Williams from Contrast Security, writing about the 2017 release candidate:
“A7: Insufficient Attack Protection. This new requirement means that applications need to detect, prevent, and respond to both manual and automated attacks. No longer will attackers be prompted with “Invalid input, please try again.” Instead, anyone attempting attacks will have their attempts blocked and their account flagged.”
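To make the A7 idea concrete, here is an added example (not code from the original post, from Contrast Security, or from OWASP) of an input handler that does more than say "invalid input, please try again": it distinguishes an honest typo from attack-looking input, counts attack-like submissions per account inside a sliding window, and refuses further service once a threshold is crossed. The class and function names (AttackMonitor, handle_request, run), the regular expressions, the five-minute window and the threshold of three are all this example's own assumptions, and the REQUESTS list is constructed sample traffic.

```python
"""
Added example: detect, prevent and respond to attack-like input
(the A7 "Insufficient Attack Protection" behaviour). Names, patterns
and thresholds are assumptions for illustration, not OWASP values.
"""
import re
from collections import defaultdict, deque

# Inputs that are not merely malformed but look like deliberate probing.
# A real application tunes these per field; they are illustrative only.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"('\s*or\s*'|--|;\s*drop\s|union\s+select)", re.I),
    "xss": re.compile(r"<\s*script|javascript:", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Positive validation for the field we are protecting (a username).
USERNAME_OK = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

WINDOW_SECONDS = 300   # assumption: look back five minutes
ATTACK_THRESHOLD = 3   # assumption: the third probe locks the account


class AttackMonitor:
    """Counts attack-like events per account in a sliding window and
    blocks the account once the threshold is reached."""

    def __init__(self, window=WINDOW_SECONDS, threshold=ATTACK_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # account -> timestamps of probes
        self.blocked = {}                  # account -> (timestamp, reason)

    def classify(self, value):
        """Return the attack category for a value, or None if it is just bad input."""
        for name, pattern in ATTACK_PATTERNS.items():
            if pattern.search(value):
                return name
        return None

    def record(self, account, ts, category):
        """Add a probe, expire old ones, and block if the window is full."""
        q = self.events[account]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and account not in self.blocked:
            self.blocked[account] = (ts, f"{len(q)} {category}-style probes in {self.window}s")

    def is_blocked(self, account):
        return account in self.blocked


def handle_request(monitor, account, ts, username_field):
    """Validate the field, but also decide whether a failure is an attack,
    record it, and refuse service to accounts that have been blocked."""
    if monitor.is_blocked(account):
        return "blocked"
    if USERNAME_OK.fullmatch(username_field):
        return "ok"
    category = monitor.classify(username_field)
    if category is None:
        # Honest mistake (e.g. a space in the name): the old message is fine here.
        return "invalid"
    monitor.record(account, ts, category)
    return "blocked" if monitor.is_blocked(account) else "attack-noted"


# Constructed sample traffic: (account, unix timestamp, submitted value).
REQUESTS = [
    ("alice", 1000, "alice"),                        # normal
    ("alice", 1010, "alice smith"),                  # typo, not an attack
    ("mallory", 1020, "' or '1'='1"),                # SQLi probe 1
    ("mallory", 1030, "<script>alert(1)</script>"),  # XSS probe 2
    ("mallory", 1040, "../../etc/passwd"),           # traversal probe 3 -> lock
    ("mallory", 1050, "mallory"),                    # valid input, but account is blocked
    ("bob", 1060, "bob;drop table users"),           # single probe, below threshold
]


def run(requests=REQUESTS):
    """Process the sample traffic; return per-request outcomes and the block list."""
    monitor = AttackMonitor()
    results = [(acct, handle_request(monitor, acct, ts, val)) for acct, ts, val in requests]
    return results, dict(monitor.blocked)


if __name__ == "__main__":
    outcomes, blocked = run()
    for acct, outcome in outcomes:
        print(f"{acct:8s} {outcome}")
    print(blocked)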
What is this thing called risk?
“Only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference to your business. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise.
We list Threat Agents as Application Specific, and Business Impacts as Application / Business Specific to indicate these are clearly dependent on the details about your application in your enterprise. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose names that accurately reflect the risks and, where possible, align with common terminology most likely to raise awareness.”
How does this affect me? Am I Vulnerable?
Yes and no. For most people it will not affect the way information security is done. However, if you are bound by PCI there are troubled waters ahead. With the recent release of PCI DSS version 3.2, many PCI-compliant companies are wrestling with the fact that service providers now have to test their segmentation controls by penetration test at least every six months, rather than annually. The new Top 10 adds another layer of complexity to the mix, and companies will have to take the changes on board and adapt.
What can I do about it?
As always, we at Red Lion preach: “DO THE BASICS”. That will ensure you provide the appropriate amount of protection for what your business actually needs.