The Open Web Application Security Project (OWASP) publishes its "Top 10" list of web application security risks every 3-4 years to raise awareness of application security by identifying the most serious risks facing enterprise organizations. The OWASP Top 10 is cited by numerous standards, books, tools and organizations, including MITRE, PCI DSS, DISA and the FTC. It was first released in 2003, with minor updates in 2004 and 2007. The 2010 version began ranking risks by prevalence, a pattern continued in the 2013 version and, most recently, in 2017.
It has been four years since the previous version of the OWASP Top 10 was released in 2013, and a new OWASP Top 10 will be released this year. The Top 10 2017 project published Release Candidate 1 (RC1) in the middle of this year, but after two of its entries were voted down by the community it reopened the data call and released RC2 in October. Final comments are now being collected; barring surprises, the official version will be released on November 18th.
As the chart shows, the 2017 and 2013 lists differ little, and four entries are unchanged even from the 2007 list. Do web developers keep making the same mistakes over and over again? New tools and new development models have not fundamentally changed this situation. Some have even speculated that the same mistakes are not being made by the same developers, but that because web development is the lowest rung of software development in the IT industry, its practitioners generally lack competence and knowledge, and security is their last concern.
OWASP Top 10 2017 RC2
- A1 – Injection
- A2 – Broken Authentication and Session Management
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control (merges 2013 A4 "Insecure Direct Object References" and A7 "Missing Function Level Access Control")
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging and Monitoring
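To make the top entry on the list concrete, here is an added illustration of A1 Injection that is not part of the original article or of any OWASP material. It builds a tiny in-memory SQLite table from constructed sample rows, runs the same lookup through a query that concatenates user input into the SQL text and through one that binds the input as a parameter, and shows that only the concatenating version lets the input change the query's structure. The table, rows and function names are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """A1-style defect: the input is spliced into the SQL text, so a quote
    character in the input is interpreted as SQL rather than as data."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Mitigation: a bound parameter is always treated as a string value,
    whatever characters it contains, so the query's structure cannot change."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a constructed input
    containing a quote, returning the row sets so they can be compared."""
    conn = make_db()
    normal = "alice"
    # Constructed input: the quote closes the string literal early in the
    # vulnerable version, turning the WHERE clause into an always-true test.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the quoted input, while the parameterized one returns nothing, because the database never saw that input as SQL. The same separation of code from data is what prepared statements, ORM query builders and typed bind APIs provide in other languages and databases, which is why the OWASP entry recommends them over string assembly or escaping.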