The new release of the OWASP Top 10 list is out for public comment from the Open Web Application Security Project, and while most of it remains the same there are a couple of new additions, focusing on protections for web applications and APIs.
To make room for the new items, a couple of older ones were either removed or merged into new items.
The fact that the list hasn't changed much since its first release in 2003 is both good and bad, said Jeff Williams, CTO and co-founder at Contrast Security.
Williams worked on the first OWASP Top 10, and was the chair of OWASP from 2003 to 2011.
"It's good that the threats aren't changing that much," he said. "If they were changing dramatically, it would be a lot harder to keep up. This is like the devil we know."
On the other hand, the list also shows that companies are having problems dealing with the most basic of problems.
"It's still amazing to me that we're still struggling with SQL injections and cross-site scripting," he said. "We should be able to stamp them out, but we're not. We're not making any progress at all."
This edition of the list is based on new research, with data from more than 40 industry partners, covering more than 50,000 applications and a total of 2.3 million vulnerabilities.
"On average, across all the 50,000 applications that were part of this study, we saw 20.5 vulnerabilities per app," he said. "That's a stupendous number. Everyone should be outraged by that number. We need to do better, we can do better. These are well-known, well understood problems and they're not complicated to fix if you set your mind to it."
The research looked at what vulnerabilities were still common, and still critical to security, and adds items that reflect the move towards high-speed software development.
To make room for the new items that focus on protecting APIs and web applications, two items about access controls were combined, and undocumented redirects and forwards were dropped off the list because it wasn't all that dangerous.
"It's never been one of the most serious risks," he said. "At worst, it would redirect someone to a URL they didn't want to go to. But it's not hard to do that anyway. You don't need a special vulnerability to trick someone into clicking a link."
The two new items that were added were a bit controversial, because they aren't actually the same kind of vulnerabilities as the other items on the list.
Take insufficient attack protections for web applications.
"We're in 2017, and most applications will still let you attack them forever," he said. "They'll just say, 'We didn't understand your request, please try again.' It's not the hardest thing in the world to detect obvious attacks and block them. We need applications to defend themselves a little bit."
Similarly, APIs -- which allow applications to communicate directly with one another -- have become very common.
"But what we're seeing is that these APIs are a blind spot for many organizations," he said. "They're not getting the same amount of testing as traditional web applications get."
He admitted that many of the problems that APIs can have are actually mentioned elsewhere on the OWASP Top 10 list.
Slavik Markovich, CEO and co-founder at Demisto
"You could have SQL injections, for example, in an API," he said. "So now some items overlap each other."
That's OK, he said, because the OWASP Top 10 isn't designed to be a standard, but a tool to raise awareness.
"The list helps raise awareness but there are no actionable items here for CISOs," said Slavik Markovich, CEO and co-founder at Demisto. "This list, as well as the many great resources OWASP has, is mainly useful for developers to understand the common pitfalls and pay attention."
The list is a good starting point for cybersecurity, and is relied on by many in the industry, said Jeremiah Grossman, chief of security strategy at SentinelOne.
"If you lack any general plan, start with the OWASP Top 10, then, as you develop a plan, replace it with what's specific for your organization," he said.
But the new list wasn't free of controversy.
For example, some security professionals saw the addition of the item about protecting web applications to be a marketing give-away for vendors who provide web application firewalls or run-time application security protection.
"A lot of people don't like it when people leverage the OWASP Top 10 for commercial gain," he said, "Where you must buy something to be compliant."
Grossman also pointed out that the addition of API protections to the list was redundant, as did Chris Eng, vice president of research at Veracode.
"There’s really no need to create a new category for APIs," he said. "If there were a new and prevalent class of vulnerabilities unique to APIs then it would make sense to highlight. Otherwise, the repetition is only going to be confusing. The root cause of the vulnerabilities and the remediation steps are the same regardless of whether or not they are accessible through an API."
The same goes for protecting web applications, he said.
"Why does insufficient protection belong on the list, but not insufficient testing, insufficient code coverage, insufficient threat modeling, or insufficient developer education?" he said. "All of these activities occur during the application life-cycle and improve application security."
But overall, SentinelOne's Grossman said, it's a good list.
"Infosec people are trained to spot flaws in everything, no matter how minor, and argue about it," he said.