OWASP Top 10 Vulnerabilities List is Changing

OWASP!!! RUN!!!!

OWASP is changing their TOP 10! Ok, so this really isn’t as serious as I thought, but, wait, what is that? IT IS! Whether IPv4 or IPv6, common vulnerabilities can be found all over the place. OWASP is finally updating their Top 10. So let’s look at some of the finer points.

2017 – Year of the change

This is a chart showing how the 2013 OWASP Top 10 maps onto the 2017 Top 10:

[Chart: OWASP Top 10, 2013 vs. 2017]

SO….What changed?

According to Jeff Williams from Contrast Security:

“A7: Insufficient Attack Protection. This new requirement means that applications need to detect, prevent, and respond to both manual and automated attacks. No longer will attackers be prompted with “Invalid input, please try again.” Instead, anyone attempting attacks will have their attempts blocked and their account flagged.

A10: Underprotected APIs. The use of APIs has exploded in modern software, to the point that even browser web applications are often written in JavaScript and use APIs to get data. There is a huge variety of protocols and data formats used by these APIs, including SOAP/XML, REST/JSON, RPC, GWT, and many more. The complexity of these APIs makes them difficult for other tools to analyze and protect. This leads to a false sense of API security in many companies as their tools simply can’t see either vulnerabilities or attacks.”
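The A7 item above asks an application to notice when input failures stop looking like typos and start looking like an attack, and then to block the attempts and flag the account instead of politely re-prompting. As an added illustration of that idea, not code from this post, from OWASP or from Contrast Security, here is a small Python monitor that counts input-validation failures per account inside a sliding time window, flags the account once an assumed threshold is crossed and blocks it at a higher one. The window length, the two thresholds, the event format and the account names are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed tuning values (not from the OWASP text): an account that trips the
# input validator this often within the window is treated as attacking.
WINDOW_SECONDS = 60
FLAG_THRESHOLD = 5    # flag for review after this many failures in the window
BLOCK_THRESHOLD = 10  # refuse further requests after this many


@dataclass
class AttackMonitor:
    """Sliding-window counter of validation failures per account."""
    window: int = WINDOW_SECONDS
    flag_at: int = FLAG_THRESHOLD
    block_at: int = BLOCK_THRESHOLD
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    flagged: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def record_failure(self, account: str, ts: float) -> str:
        """Record one validation failure for `account` at time `ts` (seconds).

        Returns the action the application should take for this request:
        'allow' (re-prompt as usual), 'flag' (allow but mark the account for
        review) or 'block' (refuse the request; the account stays blocked).
        """
        if account in self.blocked:
            return "block"
        q = self._events[account]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        n = len(q)
        if n >= self.block_at:
            self.blocked.add(account)
            self.flagged.add(account)
            return "block"
        if n >= self.flag_at:
            self.flagged.add(account)
            return "flag"
        return "allow"

    def is_request_allowed(self, account: str) -> bool:
        """Gate every request, not just failing ones, on the block list."""
        return account not in self.blocked


# Constructed sample data: (account, timestamp in seconds since some epoch).
SAMPLE_EVENTS = [
    ("alice", 10.0), ("alice", 200.0),            # two typos, minutes apart
] + [("mallory", 30.0 + i) for i in range(12)]    # twelve failures in twelve seconds


def replay(events, monitor=None):
    """Feed failure events to a monitor in time order.

    Returns (actions, monitor) where actions maps each account to the list of
    decisions taken for its successive failures.
    """
    if monitor is None:
        monitor = AttackMonitor()
    actions = defaultdict(list)
    for account, ts in sorted(events, key=lambda e: e[1]):
        actions[account].append(monitor.record_failure(account, ts))
    return dict(actions), monitor


if __name__ == "__main__":
    decisions, mon = replay(SAMPLE_EVENTS)
    for account, acts in decisions.items():
        print(f"{account}: {acts}")
    print("flagged:", sorted(mon.flagged), "blocked:", sorted(mon.blocked))
```

In a real deployment the failure events would come from the framework's input-validation layer, the flag decision would raise a ticket or a SIEM alert rather than just a set entry, and the thresholds would need tuning against real traffic so that a legitimate user having a bad day is not locked out.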

What is this thing called risk?

From the OWASP released PDF:

“Only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference to your business. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise.

We list Threat Agents as Application Specific, and Business Impacts as Application / Business Specific to indicate these are clearly dependent on the details about your application in your enterprise. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose names that accurately reflect the risks and, where possible, align with common terminology most likely to raise awareness.”

How does this affect me? Am I Vulnerable?

Yes and No. For most people it will not affect the way that information security is done. However, if you are bound by PCI then there are troubled waters ahead. With the recent release of DSS version 3.2, most PCI compliant companies are wrestling with the fact that they now have to complete bi-annual penetration tests. This just adds another layer of complexity to the mix. Now companies will have to take the new changes and adapt.

What can I do about it?

As always, we at Red Lion preach: “DO THE BASICS”. That will ensure that you provide the appropriate amount of protection for what your business needs are.
