OWASP Top Ten 2013

SamN on ‎04-29-2013 09:21 PM

OWASP Top Ten is released every three years; this is the fourth release since the 2004 launch. For researchers like myself who are responsible for building security analysis solutions, every release triggers an update to our vulnerability mappings to address the revisions. It is, however, a small price to pay to keep things relevant and actionable in this evolving security landscape.


There are a few changes in this release candidate, the details of which you can read here, but the only new category in this release is “2013-A9: Using Known Vulnerable Components.” Because of this, I think a new solution called “Application Patch Management” will be available in the future. Consider what we have been doing, and doing pretty well, for the past 10 years or so: we now have a well-defined and automated way of patching servers and desktops. This is not just about end users; contributions from major software vendors are also part of the solution.


Back at the application layer, the problems we face right now are very similar to what we endured 10 years ago: there is no quick and easy way to know whether any of the 100+ libraries used in an application are vulnerable, and even if you do know, developers may be unwilling to upgrade the libraries because they worry the upgrade will break their applications. This is understandable, because most framework vendors do not provide a “fix-only” update; you may need to “upgrade” the whole framework if you merely want the vulnerability fixed.


All in all, I believe this is a good start: almost all real-world applications use 3rd-party frameworks, and if those frameworks are vulnerable, your application is vulnerable too. This threat is not fictitious; a recent study said 26% of libraries have known vulnerabilities, so this should really be an item on your TODO list.
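The two preceding paragraphs describe the A9 gap: nobody can quickly tell which of an application's libraries carry known vulnerabilities, or what the smallest upgrade that clears them would be. As an added illustration (not code from the original post or from any product it mentions), here is a minimal inventory check: a constructed dependency list is matched against a constructed advisory table of affected version ranges, and for each hit the smallest version that clears every matching advisory is reported. All library names, versions and advisory ids are made up.

```python
"""Check an application's dependency inventory against an advisory list.

Constructed example: the library names, versions and advisory ids below
are made up for illustration, not real vulnerabilities.
"""
from typing import Tuple

# Constructed dependency inventory, as a build tool might list it.
INVENTORY = {
    "webfw": "2.3.1",
    "jsonkit": "1.0.9",
    "imagelib": "4.0.1",
}

# Constructed advisories: (library, first affected, first fixed, id).
# A version is affected if first_affected <= version < first_fixed.
ADVISORIES = [
    ("webfw", "2.0.0", "2.3.4", "ADV-EXAMPLE-1"),
    ("jsonkit", "1.1.0", "1.2.0", "ADV-EXAMPLE-2"),
    ("imagelib", "4.0.0", "4.2.1", "ADV-EXAMPLE-3"),
    ("imagelib", "3.0.0", "4.0.2", "ADV-EXAMPLE-4"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple that compares correctly."""
    return tuple(int(p) for p in v.split("."))


def find_vulnerable(inventory, advisories):
    """Return {library: (installed, [advisory ids], upgrade target)}.

    The upgrade target is the highest first-fixed version among the
    matching advisories: the smallest upgrade that clears all of them.
    """
    findings = {}
    for lib, installed in inventory.items():
        cur = parse_version(installed)
        hits = [a for a in advisories if a[0] == lib
                and parse_version(a[1]) <= cur < parse_version(a[2])]
        if hits:
            target = max((a[2] for a in hits), key=parse_version)
            findings[lib] = (installed, [a[3] for a in hits], target)
    return findings


if __name__ == "__main__":
    for lib, (ver, ids, target) in find_vulnerable(INVENTORY, ADVISORIES).items():
        print(f"{lib} {ver}: {', '.join(ids)} -> upgrade to {target}")
```

Comparing version strings as integer tuples matters: a plain string comparison would rank "1.10.0" below "1.9.9" and silently miss affected components.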


And finally, for those who want to see all changes to the OWASP Top Ten list from 2004 to 2013 in one single picture, here it is:


