OWASP – The Open Web Application Security Project – released its official OWASP Top 10 list for 2013 on Wednesday, the first major update to the oft-cited list of common web application vulnerabilities in three years. But with the new list come questions. Chief among them: has OWASP made a dent in the application security problem with its Top 10 list? And, if not, should we start thinking of new ways to wipe out the most common and troublesome web application vulnerabilities?

First, the list. The OWASP Top 10 is a widely referenced guide to the most common categories of application security problems. It's not a list of specific vulnerabilities but, rather, classes of problems like cross-site scripting or SQL injection. Prominent organizations around the world rely on it. Notably: Microsoft, which uses OWASP as an integral component of that company's secure development lifecycle (SDLC), as well as the Payment Card Industry (PCI) Council, which wove the OWASP Top 10 into its PCI Data Security Standard (PCI DSS) for organizations that accept credit card payments online.

The latest Top 10 list is the first revision since OWASP published its 2010 Top 10. The changes are mostly modest: some classes of vulnerabilities, like Broken Authentication and Session Management, moved up the list; others (Cross-Site Request Forgery) moved down. The biggest change is the addition of a new #9, "Using Components with Known Vulnerabilities." That had formerly been considered an element of "Security Misconfiguration" (now #5 on the list). As we have noted on this blog many times, third-party and re-used code is a major stumbling block on the road to more secure applications. Calling third-party components out on the OWASP Top 10 certainly succeeds in elevating the issue at organizations that look to the Top 10 to shape their application development and application security programs.

A Most Wanted List Where Nobody Gets Caught

But that raises the question of whether it really matters what's on the list, or whether the OWASP Top 10 is even doing the job it was intended to do. Suffice it to say, if the list was intended to be an appsec "most wanted," all of the bad guys are still at large, but a couple have had their photos updated since 2010. And that's not much to hang your hat on.

"We need to put one in the 'Win' column," says Josh Corman, the Director of Security Intelligence at Akamai Inc. Corman has argued publicly that the security community doesn't have much to show for all the ink spilled about the OWASP Top 10. The number one issue, injection, was a crushing problem in 2010 and it's a crushing problem in 2013, responsible for a large number of critical web site breaches and data theft incidents every year.

The OWASP Top 1?

Maybe, Corman argues, we should focus our energies on just solving that problem – the OWASP Top 1, if you will – and forget about the other nine. His thinking is that part of the point of having a most wanted list like the Top 10 is to inspire concentrated action on discrete problems, and also to give your soldiers a clear sense of victory: stamping a big "captured" or "killed" over each bad guy's picture. A Top 10 that never changes is a cause for dismay, not a rallying point. Going hard after one critical application security problem and really working to eradicate it could give the whole application development community a sense of purpose and accomplishment, Corman said. It would also teach the development community what steps and processes are necessary to truly eradicate common application security problems.

It's akin to the way epidemiologists might focus intensely on one disease, like polio or smallpox. Having a vaccine is just part of the solution. Doctors and public health activists also need to develop the systems to distribute that vaccine globally, under challenging environmental and cultural conditions, if they really want to achieve success.

"As it stands, our attention is spread across ten application security issues, some of them nebulous," Corman says. "We need to be ambassadors," Corman said in an interview. "Going narrow will allow us to focus less on the technical aspects of these problems and more on the cultural issues."

Despite his critique, Corman is careful not to attack the Top 10 itself, which is a matter of religion for some within the application security community. "This isn't about criticizing the Top 10," he said. "It's about saying 'Hey, we've been doing this for a while now. Let's try something different!'"
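To make the "Top 1" concrete, here is what the number one issue and its well-known cure look like side by side. This is an added example written for this page, not code from the original post, from OWASP, or from Corman. It uses Python's built-in sqlite3 module with a constructed in-memory user table; the two attacker inputs are assumed payloads chosen to show a tautology (dump every row) and a UNION (read the schema out of sqlite_master), and the function names are illustrative.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Two classic injection payloads, assumed attacker input for this example.
# The first turns the WHERE clause into a tautology; the second appends a
# UNION that reads table definitions out of SQLite's sqlite_master catalog.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


def build_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable lookup: untrusted input is spliced into the SQL text,
    so the input can rewrite the grammar of the statement."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened lookup: the value is bound as a parameter, so whatever the
    caller passes is compared as data and can never become SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def run_comparison():
    """Run both lookups against each input and return (unsafe_rows, safe_rows)
    per input, so the effect of splicing versus binding is visible at a glance."""
    conn = build_db()
    results = {}
    for label, value in (
        ("legitimate", "alice"),
        ("tautology", TAUTOLOGY_PAYLOAD),
        ("union", UNION_PAYLOAD),
    ):
        results[label] = (
            len(find_user_unsafe(conn, value)),
            len(find_user_safe(conn, value)),
        )
    return results


if __name__ == "__main__":
    for label, (unsafe_rows, safe_rows) in run_comparison().items():
        print(f"{label:>10}: unsafe={unsafe_rows} rows, safe={safe_rows} rows")
```

The legitimate lookup returns one row either way. The tautology payload makes the spliced query return all three users and the UNION payload makes it return the CREATE TABLE statement for the users table, while the parameterized query returns nothing for both, because the payload is compared as a literal username. The difference between the two functions is one line, which is exactly the point of the vaccine analogy: the cure for injection is not in doubt, getting it into every codebase is.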

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR's Marketplace Tech Report, The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. He was, yes, a guest on The Oprah Show — but that's a long story. You can follow Paul on Twitter or visit his website, The Security Ledger.

Comments (8)

Mark Miller | June 14, 2013 10:26 am

Paul - The situation described here is not an indictment against the Top 10 as much as it is against the software security industry in general. Until we start finding ways to remediate problems instead of just pointing them out ("Scan and Scold"), there will be a constant struggle between what should be done and what is being done. -- Mark

Ryan Berg | June 14, 2013 12:16 pm

I have been saying for a while that we don't have a problem finding problems. We have gotten really good at finding problems, and in some ways the top ten is a reflection of our increased ability to find the same problems. We haven't done a good job at fixing the problems. To do this, the dynamics between security and development are going to need to change to swing the pendulum from finding to fixing.

Zen DDoS Protection and Mitigation | June 17, 2013 11:45 am

The list has 10 breaches that cannot be fixed easily. They are all problems and that list reminds everyone to keep trying to figure out how to fix them. While I agree, the brainstorm has been going on for too long, I don't think removing 9 of them will help at all.

owasper | June 18, 2013 9:32 am

Mankind eradicated smallpox. Are you suggesting the tech community can't eradicate injection flaws? Do you think the variables at play are exponentially convoluted?

Paul | June 18, 2013 9:56 am

There are many practical problems with just focusing on a single problem and trying to eradicate it. You can imagine a lot of short term pain. I think the idea is that we need to take more of a high stakes, epidemiological approach that has as its goal "victory" over one class of common and serious problem, rather than the current, low-urgency "remember to eat your peas" type approach that hasn't (yet) yielded much.

Joe | June 19, 2013 1:36 pm

Isn't the point of OWASP and its Top 10 to educate the development community on secure coding principles? A developer who only focuses on removing Injection Attacks will likely leave holes open in his/her code for XSS, CSRF, or others in the Top 10. If anything, I'd like to see it open up further into the Top 20! The fix to insecure development practice is to make the developers better, more educated, and aware of what they can do to protect themselves and the code they write.

Mark Miller | June 19, 2013 2:10 pm

The dilemma in this conversation is that OWASP is mainly a security community, not a developer community. It is the CISO who is going to create and enforce governance based upon the Top 10, not the development team.

The fix for some of these issues has been known for years. It comes down to a business decision: manage the risk vs get the product out the door. Most businesses are choosing to live with the risk.

Derek M. | June 24, 2013 6:57 am

The OWASP Top 10 has never been ten; it is more like 4. I remember having the conversation once with a founder of OWASP on how even they thought 10 was too many, but top 4 really isn't media sexy, so they padded it out to 10.
