OWASP Top Ten 2013

SamN on 04-29-2013 09:21 PM

The OWASP Top Ten is released every 3 years, and this is the fourth release since its 2004 launch. For researchers like myself who are responsible for building security analysis solutions, every release triggers an update to our vulnerability mappings to address the revisions. It is, however, a small price to pay to keep things relevant and actionable in this evolving security landscape.

There are a few changes in this release candidate, the details of which you can read here, but the only new category in this release is "2013-A9: Using Known Vulnerable Components." Because of this, I think a new class of solution called "Application Patch Management" will become available in the future. Consider what we have been doing, and doing pretty well, for the past 10 years or so: we now have a well-defined and automatic way of patching servers and desktops. This is not just about end users; contributions from major software vendors are also part of the solution.

Back at the application layer, the problems we are facing right now are very similar to what we were enduring 10 years ago: there is no quick and easy way to know whether any of the 100+ libraries used in an application are vulnerable, and even if you do know, developers may not be willing to upgrade the libraries because they worry the upgrade will break their applications. This is understandable, because most framework vendors don't provide a "fix-only" update: you may need to "upgrade" to a new feature release when you merely want the vulnerability fixed.
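To make the component-inventory problem above concrete, here is an added example (not code from the post or from any HPE product) that checks an application's third-party components against a list of known advisories and reports whether the available fix is a patch-only update or a larger upgrade. The manifest, advisory identifiers and version ranges are constructed for illustration; real advisory data would come from a vulnerability feed.

```python
"""Check an application's third-party components against known advisories
(the 2013-A9 problem). Added example; all data below is constructed."""

# Constructed inventory of components and the versions in use.
MANIFEST = {
    "libfoo": "1.2.3",
    "libbar": "2.0.1",
    "libbaz": "0.9.0",
}

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-0002", "component": "libbar", "introduced": "1.5.0", "fixed": "3.0.0"},
    {"id": "ADV-0003", "component": "libbaz", "introduced": "1.0.0", "fixed": "1.0.2"},
]


def parse_version(version):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (semantic-version ordering)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def upgrade_kind(current, fixed):
    """Classify how disruptive moving to the fixed release is likely to be."""
    cur, fix = parse_version(current), parse_version(fixed)
    if cur[0] != fix[0]:
        return "major upgrade"
    if cur[1] != fix[1]:
        return "minor upgrade"
    return "patch-only"


def check_components(manifest, advisories):
    """Return one finding per advisory that matches a component in the manifest."""
    findings = []
    for adv in advisories:
        current = manifest.get(adv["component"])
        if current is None:
            continue  # component not used by this application
        if is_affected(current, adv["introduced"], adv["fixed"]):
            findings.append({"component": adv["component"], "version": current,
                             "advisory": adv["id"], "fixed": adv["fixed"],
                             "remediation": upgrade_kind(current, adv["fixed"])})
    return findings


if __name__ == "__main__":
    for finding in check_components(MANIFEST, ADVISORIES):
        print(finding)
```

With the constructed data, libfoo needs only a patch-level update while libbar can only be fixed by a major upgrade, which is exactly the trade-off that makes developers hesitate; libbaz predates the affected range and is not reported.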

After all, I believe this is a good start, as almost all real-world applications use third-party frameworks, and if those frameworks are vulnerable, your application is vulnerable too. This threat is not fictitious; a recent study said 26% of libraries have known vulnerabilities, so this should really be an item on your TODO list.

And finally, for those who want to see all the changes to the OWASP Top Ten list from 2004 to 2013 in one single picture, here it is:
