OWASP Top Ten 2013

The OWASP Top Ten is released every 3 years; this is the fourth release since its 2004 launch. For researchers like myself who are responsible for building security analysis solutions, every release triggers an update to our vulnerability mappings to address the revisions. It is, however, a small price to pay to keep things relevant and actionable in this evolving security landscape.
There are a few changes in this release candidate (you can read the details here), but the only new category in this release is “2013-A9: Using Known Vulnerable Components.” Because of this, I think a new kind of solution, “Application Patch Management,” will become available in the future. Consider what we have been doing, and doing pretty well, for the past 10 years or so: we now have a well-defined and automated way of patching servers and desktops. This is not just about end users; contributions from major software vendors are also part of the solution.
Back at the application layer, the problems we face right now are very similar to those we endured 10 years ago: there is no quick and easy way to know whether any of the 100+ libraries used in an application are vulnerable, and even if you do know, developers may be unwilling to upgrade the libraries because they worry the upgrade will break their applications. This is understandable, because most framework vendors don’t provide a “fix-only” update; you may need to “upgrade” when all you want is the vulnerability fixed.
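As an added example that is not part of the original post, here is a small dependency check of the kind this category calls for: it compares a constructed library manifest against a constructed advisory list (placeholder identifiers, not real CVEs) and, for each affected library, reports the smallest version that clears every listed advisory, which is the closest thing to the “fix-only” target a developer would want.

```python
"""Added example: flag dependencies affected by known advisories (OWASP 2013-A9).
All libraries, versions and advisory ids below are constructed for illustration."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    library: str
    min_affected: str  # first affected version (inclusive)
    fixed_in: str      # first version carrying the fix (exclusive upper bound)
    issue: str


# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("example-web-fw", "2.0.0", "2.3.15", "EXAMPLE-ADV-0001 remote code execution"),
    Advisory("example-web-fw", "2.3.15", "2.3.17", "EXAMPLE-ADV-0002 parameter injection"),
    Advisory("example-xml", "1.0.0", "1.4.2", "EXAMPLE-ADV-0003 XML external entity"),
]


def affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    return parse_version(adv.min_affected) <= v < parse_version(adv.fixed_in)


def check_manifest(manifest: dict) -> dict:
    """Map each vulnerable library to its open advisories and the smallest version
    that is outside every affected range (the fix release, not a major upgrade)."""
    report = {}
    for lib, version in manifest.items():
        relevant = [a for a in ADVISORIES if a.library == lib]
        hits = [a for a in relevant if affected(a, version)]
        if not hits:
            continue
        # A fix release may itself fall inside a later advisory's range (ADV-0002
        # starts at the version that fixed ADV-0001), so keep walking upward.
        candidates = sorted({a.fixed_in for a in relevant}, key=parse_version)
        safe = next(c for c in candidates if not any(affected(a, c) for a in relevant))
        report[lib] = {"version": version,
                       "issues": [a.issue for a in hits],
                       "upgrade_to": safe}
    return report
```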
All in all, I believe this is a good start, as almost all real-world applications use 3rd-party frameworks, and if those frameworks are vulnerable, your application is vulnerable too. This threat is not fictitious: a recent study found that 26% of libraries have known vulnerabilities, so this should really be an item on your TODO list.
And finally, for those who want to see all the changes to the OWASP Top Ten list from 2004 to 2013 in one picture, here it is:
[Figure: owasp_top10_2004_to_2013.png, changes to the OWASP Top Ten list from 2004 to 2013]
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.