OWASP Adds New Vulnerabilities to Top 10 List; Update iPhones to iOS 14.8 to Stop Active Attacks; University of Minnesota and Medical Device Industry Will Work to Improve Device Security

Two of the three new top 10 vulnerabilities are kind of broad for the OWASP list but really important to prioritize: A04:2021-Insecure Design and A08:2021-Software and Data Integrity Failures, which incorporated the previous A108-2017 Insecure Deserialization. Both of these demand increased testing of commercially and internally developed software as well as software updates, but the larger goal is driving improvements early in the software design phase.

John Pescatore

The nice thing about "Top x" lists is that they force you to focus on what actually matters. There are hundreds/thousands of potential things that can and will go wrong, but OWASP is doing a good job in narrowing it down to the issues that matter most. “Insecure Design” is an interesting addition, and in line with the current trend to “shift left.” Not a new concept by any means, but it looks like the renewed focus and better/catchier expression of the concept has finally caught on. OWASP hasn't actually removed any issues from its top ten list, but managed to re-group some issues to better cover specific problems like XML External Entities by including the root cause of these vulnerabilities (misconfiguration in the case of XXE).

Johannes Ullrich

Following OWASP recommendations has been an efficient way to address web application security.

William Hugh Murray

So far, this vulnerability appears to have been exclusively exploited by the NSO Group's "Pegasus" tool. We often see exploits like the one used by Pegasus trickle down over time to become commodity exploits. With more details available now, the race is on between you, the user, and the attacker to see who is first: patching or exploit development. Don't let them outrun you. You have a bit of time here, but not much. Apple is likely going to release a major update for its operating systems in a month (or less). The patch will likely be included in that update as well.

Johannes Ullrich

Kudos for Boston Scientific, Smiths Medical, Optum, Medtronic, and Abbott Laboratories for providing funding to get this started but I have to quibble with the term “emerging device security field.” The vast majority of the vulnerabilities medical device manufacturers have been building into their devices are well known bad design/implementation choices that have been on the OWASP Top 10 for many years. I’d like to see the mission of this center focus more on improving the practices of device manufacturers rather than on tactics for protecting poorly designed, vulnerable devices from attacks.

John Pescatore

It's quite rare that pentesters have scope to attack medical devices, so it's great to see an organization like this sponsoring their hackathon. Yes, this often comes down to “stunt hacking,” but if that raises awareness for the leaders who own the risk in these devices, hack away, friends!

Christopher Elgee

Back in 2013, SANS gave the FTC a SANS Difference Makers award and here is what we said: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and, in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.” I have confidence they will continue doing so regardless of the outcome of the draft legislation.

John Pescatore

The FTC has been effective in punishing some of those that fail to meet their security commitments. It might be an efficient place to invest.

William Hugh Murray

Interesting vulnerability somewhat reminiscent of vulnerabilities in early e-commerce sites that allowed users to overwrite prices in hidden form fields.

Johannes Ullrich

Two already exploited flaws are patched with this update. Luckily, Google Chrome has a pretty good auto-update system. But you may need to restart the browser. (Good idea to take a break from death-scrolling social media feeds in your browser from time to time anyway.)

Johannes Ullrich