The OWASP Top 10 list of the most critical web application security risks has finally been updated for the first time since 2013. This list, created by the Open Web Application Security Project (an open community dedicated to enabling organizations to create secure applications) often forms the basis of application security programs and frequently informs AppSec priorities.
The release candidate was published on April 10, 2017, and OWASP plans to release the final version in July or August after a public comment period ending June 30th.
The only major updates to the list are the addition of API security, and a recommendation to focus on runtime protection. Most agree that it’s significant that the top 10 list has not changed substantially since its inception. We clearly have a long way to go in terms of secure coding best practices.
However, although the update is relatively minor, controversy is swirling around it. In fact, many are raising questions about whether this list remains true to its stated intent. In episode 6 of Veracode’s AppSec in Review podcast series, Evan Schuman talks to Veracode’s VP of Research Chris Eng about this update and the controversy surrounding it.