In the spirit of improving Web application security worldwide the folks at OWASP have released the OWASP Top 10 2010 “release candidate”. It’s currently open for comments and scheduled for final release the first quarter of next year. The biggest change you’ll see in this latest incarnation of the Top 10 is they’re now taking a risk-based approach to the highlight the business issues at hand. Perfect. Just what we’ve needed. Or is it?
The one thing that really jumped out to me is how the OWASP team has incorporated the attack path graphics and example attack scenarios for each of the Top 10 items. They show how application threats exploit application vulnerabilities which create business risks. There are many people in our field who still haven’t wrapped their heads around this basic concept. But it’s the basis of everything we’re doing – and why we exist – and therefore critical for us to know. If we’re ever going to be get management on board with application security we have to talk in terms of business payoffs and what’s in it for them. Using graphics to break down how the bad things happen is a great way to paint the picture and educate others.
I still think there’s a disconnect. On one hand the new OWASP Top 10 presents higher-level risk concepts but on the other it delves directly into technical details with little explanation of what things mean. This will turn some people (especially managers) off. Maybe I should submit a comment. Don’t get me wrong – I still think this is a great start and will help move application security along to where it needs to be. It’s just not ideal in its current state.
You’ll notice a couple of the items have been dropped from the new Top 10 list (Malicious File Execution and Information Leakage and Improper Error Handling), several have been renamed for clarification, and there’s also a new one: Unvalidated Redirects and Forwards. Those are the big changes thus far.
Even with the updates, how does the OWASP Top ten compare to the real-world? Are the 10 items pervasive across the Web? Hardly not. Do you need to check for every single item? It wouldn’t hurt. There are so many variables and every situation is different. I’ll cover this more in-depth in a future post. I can say that of the 10 items there are only three biggies that come up in every Web security assessment I do: 1) Cross Site Scripting, 2) Broken Authentication and Session Management, and 3) Security Misconfiguration. All the others are either non-existent or don’t matter all that much in the grand scheme of things. Furthermore, there’s one big thing missing from the OWASP Top 10 altogether: application logic flaws. It’s hard to quantify but broken application logic is arguably the biggest security hole in any given application.
It’s funny how everyone has been saying that we need to take a risk-based approach to information security yet we haven’t been following our own advice. Now that we’ve experienced the “compliance ≠ security” fallout, it’s time to get down to business, literally. It’s not going to be easy though. I truly believe that until the OWASP Top 10 project becomes more widely-recognized among developers and testers the vendors, consultants, and IT pros will continue preaching to the choir ranting to each other about the insecurities of the Web. Not much value in that but at least we’re heading in the right direction.