Changes in OWASP Top 10 reflect increasing complexity of security

markpainter ‎08-26-2013 11:51 AM - edited ‎09-28-2015 10:42 AM

One of the biggest complaints I hear from security people is that they don't have an objective, non-subjective way to measure security. It always causes a fight with developers, who would rather argue about the methodology used to determine a risk rating than about the actual risk itself. Having said that, nobody understands the categorization and ranking of vulnerabilities better than the good folks at OWASP. Let me put it this way: would you sleep better at night if you were PCI compliant, or if you had taken care of the OWASP Top 10? Exactly, I thought so. So while lists are always open to debate, especially when risk is such a subjective notion to begin with, OWASP continues to put the class in classification.


The graphic that OWASP just produced showing the changes in their Top 10 over the past decade reminded me that it's getting harder, not easier, for organizations to secure their applications. Unfortunately, no matter how you slice it, risk is rising. There are a lot of reasons for that. For one, old technologies remain stubbornly vulnerable. Old vulnerabilities remain stubbornly prevalent. And too often old ways of thinking (all we need is a device, right?) remain entrenched. This simply compounds the new reality where zero-day vulnerabilities are more likely to wind up in the hands of criminals or nation states than on a public disclosure list.


As you would expect, a lot of the changes in the OWASP Top 10 over the years reflect what we see when we examine statistics for the HP Cyber Risk Report (which includes input from our various research groups as well as real-world testing data from our Fortify on Demand professional penetration testers). Attacks that are not primarily focused on applications, like buffer overflows, are not as big a threat as they were 10 years ago. Cross-site scripting remains as hard as ever to resolve. Cross-site request forgery continues to grow as a threat. And the layups of application security (information leakage and improper error handling) are no longer worthy of Top 10 status; one way of putting that is that it's been a long time since we've seen clear-text passwords stored in the code of a page. Meanwhile, the security of third-party components remains a dicey prospect, at best. It makes me wonder what we'll see on the 2023 OWASP Top 10.
If you are interested in learning more about security risks, I encourage you to join us at HP Protect in Washington D.C., Sept 16-19. The event will be filled with nearly 150 security-focused sessions and plenty of opportunities to network with your peers.