OWASP App Security Weaknesses Draft Top 10 List
The Open Web Application Security Project (OWASP) has released a draft of its Top 10 list of web application security weaknesses. The first three items on the list are Broken Access Control, Cryptographic Failures, and Injection. The list is still a draft: OWASP is seeking input from data scientists, web designers, translators, and the leadership of the ASVS (Application Security Verification Standard), Testing Guide, and Code Review Guide projects before releasing the final version.
Two of the three new Top 10 categories are rather broad for the OWASP list but are important to prioritize: A04:2021-Insecure Design and A08:2021-Software and Data Integrity Failures, which incorporates the previous A08:2017-Insecure Deserialization. Both of these call for increased testing of commercially and internally developed software as well as of software updates, but the larger goal is driving improvements early in the software design phase, where the defects they describe are introduced.
The nice thing about "Top X" lists is that they force you to focus on what actually matters. There are hundreds or thousands of potential things that can and will go wrong, but OWASP does a good job of narrowing them down to the issues that matter most. "Insecure Design" is an interesting addition, and in line with the current trend to "shift left." It is not a new concept by any means, but it looks like the renewed focus and a better, catchier expression of the concept has finally caught on. OWASP hasn't actually removed any issues from its Top 10; instead it has regrouped some of them so that a specific problem such as XML External Entities (XXE) is covered by its root cause, which in the case of XXE is a parser misconfiguration (the Security Misconfiguration category).
Following OWASP's recommendations remains an efficient way to prioritize web application security work.