OWASP, the Open Web Application Security Project, released its official OWASP Top 10 list for 2013 on Wednesday, the first major update to the oft-cited list of common web application vulnerabilities in three years. But with the new list come questions. Chief among them: has OWASP made a dent in the application security problem with its Top 10 list? And, if not, should we start thinking of new ways to wipe out the most common and troublesome web application vulnerabilities?

First, the list. As you know, the OWASP Top 10 is a widely referenced guide to the most common categories of application security problems. It’s not a list of specific vulnerabilities but, rather, classes of problems like cross-site scripting or SQL injection. Prominent organizations around the world rely on it. Notably: Microsoft, which uses OWASP as an integral component of its secure development lifecycle (SDLC), and the Payment Card Industry (PCI) Council, which wove the OWASP Top 10 into its PCI Data Security Standard (PCI DSS) for organizations that accept credit card payments online.

The latest Top 10 list is the first revision since OWASP published its 2010 Top 10. The changes to the list are mostly modest, with some classes of vulnerabilities, like Broken Authentication and Session Management, moving up the list and others (Cross-Site Request Forgery) moving down. The biggest change was the addition of the new #9, “using known vulnerable components,” to the list. That had formerly been considered an element of “Security Misconfiguration” (now #5 on the list). As we have noted on this blog many times, third-party and reused code is a major stumbling block on the road to more secure applications. Calling third-party components out on the OWASP Top 10 certainly succeeds in elevating the issue at organizations that look to the OWASP Top 10 to shape their application development and application security programs.
But that raises the question of whether it really matters what’s on the list at all, and whether the OWASP Top 10 is even doing the job it was intended to do. Suffice it to say, if the list was intended to be an appsec “most wanted,” all of the bad guys are still at large, but a couple have had their photos updated since 2010. And that’s not much to hang your hat on. “We need to put one in the ‘Win’ column,” says Josh Corman, Director of Security Intelligence at Akamai Inc. Corman has argued publicly that the security community doesn’t have much to show for all the ink spilled about the OWASP Top 10. The number one issue, injection attacks, was a crushing problem in 2010 and is still a crushing problem in 2013, responsible for a large number of critical website breaches and data theft incidents every year.
Maybe, Corman argues, we should focus our energies on just solving that problem – the OWASP Top 1, if you will – and forget about the other nine. His thinking is that part of the point of having a most-wanted list like the Top 10 is to inspire concentrated action on discrete problems, and also to give your soldiers a clear sense of victory – stamping a big “captured” or “killed” over each bad guy’s picture. A Top 10 that never changes is a cause for dismay, not a rallying point. Going hard after one critical application security problem and really working to eradicate it could give the whole application development community a sense of purpose and accomplishment, Corman said. It would also teach the development community what steps and processes are necessary to truly eradicate common application security problems. It’s akin to the way in which epidemiologists might focus intensely on one disease, like polio or smallpox. Having a vaccine is just part of the solution. Doctors and public health activists also need to develop the systems to distribute that vaccine globally, and under challenging environmental and cultural conditions, if they really want to achieve success.

“As it stands, our attention is spread across ten application security issues, some of them nebulous,” Corman says. “We need to be ambassadors,” Corman said in an interview. “Going narrow will allow us to focus less on the technical aspects of these problems and more on the cultural issues.”

Despite his critique, Corman is careful to avoid being critical of the Top 10 itself, which is a matter of religion for some within the application security community. “This isn’t about criticizing the Top 10,” he said. “It’s about saying ‘Hey, we’ve been doing this for a while now. Let’s try something different!’”