The top 10 list is one of the major milestones of how application security has evolved over the past couple of decades
Last week was the 20th anniversary of the Open Web Application Security Project (OWASP), and in honor of that date the organization issued its long-awaited update to its Top 10 list of web application security risks. The 2021 edition had been circulating in draft form for months; the list has been revised several times since it first appeared in 2003, most recently in 2017.
In the past two decades, OWASP has become a sprawling series of projects, tutorials, knowledge bases, and other tools that are incredibly useful for application developers, corporate security managers, and penetration testers. If you haven’t spent much time browsing its content, I’d encourage you to do so, as it’s very worthwhile and a tremendous learning resource. It incorporates the work of hundreds of volunteers, spanning hundreds of local chapters, who give their time and energy to help improve the quality of applications and stop potential cyberthreats. It now has more than 200 different projects that cover topics such as mobile security, deliberately vulnerable training applications such as WebGoat, and honeypots.
Image credit: Hugo Costa
The top 10 list is one of the major milestones of how application security – and particularly, the security of web-based applications – has evolved over the past couple of decades. Exploits have gotten more complex, attackers have gotten more skilled at finding ways into our networks, and exploit and malware kits have become so common that anyone with a web browser can launch an attack against almost any target at any time. Sadly, against that landscape, “not much has changed in terms of the actual exploits over the years,” said Jeff Williams, one of the originators of OWASP’s list back in 2003. Many of the items on those early lists are still on the 2021 list, just packaged somewhat differently.
Here is a graphic comparing OWASP’s 2017 and 2021 lists:
Image credit: OWASP
Threat data was collected from more than 500,000 applications, combining telemetry from several security vendor organizations with contributions from anonymous sources. This broadened the landscape the top 10 covers: the analysis grew from approximately 30 Common Weakness Enumeration entries (CWEs, which classify types of software weaknesses) in 2017 to almost 200 CWEs in this latest dataset.
The project team realized that they couldn’t keep using such a pared-down list of weaknesses because “it wasn’t helpful for awareness, training or baselines,” as they wrote on their website describing the new selection process. “We wanted to build risk categories of groups of related CWEs, focusing more on root causes and symptoms,” they wrote. If you examine the new top 10 list, you will see that each entry (except one, and I’ll get to that one in a moment) covers multiple CWEs rather than a single weakness.
This year’s top 10 risks, in order from most to least important, are as follows:
OWASP members have three recommendations on how to improve the overall security of your applications: