
Jamie Beckland for Contxt

Originally published at bycontxt.com

Revised OWASP Top Ten shows how companies that live by the API also risk dying by the API

Recently, the OWASP Foundation updated their list of the top 10 most common web application vulnerabilities, aka the OWASP Top Ten. The new list is an update from the previous version, published in 2017, and was driven by the dramatic pace of change in web application development and the behaviors of bad actors.

Here’s the full list of changes:

OWASP Top Ten 2017 compared to OWASP Top Ten 2022


There is not much in the way of good news. While several issues have been consolidated, like Cross-Site Scripting and Insecure Deserialization, none have dropped off the top ten list entirely. That means that the risks from 2017 are still risks today.

In addition, there are several new risks, and several existing risks are placed much higher than previously. Broadly speaking, that is because the risks of APIs have never been adequately managed, even while their popularity continues to explode.

In fact, due to the rise of microservices, new digital businesses, and cloud deployments, APIs now account for 83% of all internet traffic.

We have clearly passed the tipping point where APIs are critical operational elements in a technology stack, which means they are a more attractive target than ever for bad actors.

In short, as more and more companies live by the API, they also run the risk of dying by the API.

To make things even more challenging, legacy security applications do a poor job of managing these new vulnerabilities. It’s no longer enough to track the volume of API calls to identify a DDoS attack based on scale alone. Today’s attackers can probe slowly, under the radar of brute-force monitoring.

The best solution would be for development teams who deeply understand their own application logic to instill security best practices consistently and perfectly. The “shift left” movement is improving tooling and education, but the reality is that business results can’t wait for millions of developers to collectively raise the bar for building secure applications.

That’s why it’s necessary to continue to shield applications in the wild with a coherent security monitoring strategy. As attacks get more sophisticated, our responses must also become more sophisticated. For most security teams, that means getting deeper into the API logic and capabilities, testing and probing to find vulnerabilities before bad actors do.

We will expand on several of the OWASP top ten vulnerabilities over a series of blog posts, identifying both why these issues are more prevalent than ever, and also what to do about them. Stay tuned for more.
