OWSAP presented Release Candidate for Top 10 2017 which add’s two new vulnerabilities categories.
- Insufficient Attack Detection and Prevention.
- Underprotected APIs.
Changes with 2017
- They have combined (A4)Insecure Direct Object References and (A7) Missing Function Level Access Control into 2017(A4) Broken Access Control.
- 2013-A10: Unvalidated Redirects and Forwards was the dropped as it’s prevalence in a very small ratio.
- A(7) Insufficient attack protection added with 2017.
- Underprotected APIs was added with 2017 considering growth of Modern applications.
OWASP Top 10 concentrates on recognizing the most genuine dangers for a wide cluster of attacks.
The OWASP Top 10 for 2017 is construct basically with respect to 11 huge datasets from firms that have specialize in application security, including 8consulting companies and 3 product vendors.
This information traverses vulnerabilities accumulated from several associations and over 50,000 genuine applications and APIs.
The Top 10 things are chosen and organized by this prevalence data, in mix to the appraisals of exploitability, detectability, and impact.
Explanation by OWSAP for New categories.
A-7 Insufficient attack Protection
The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks.
Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts.
Application owners also need to be able to deploy patches quickly to protect against attacks.
A-10 Underprotected API
These APIs are often unprotected and contain many vulnerabilities.
- A1 – SQL injection
- A2 – Broken Authentication and Session Management
- A4 – Insecure Direct Object References
- A5 – Security Misconfiguration
- A6 – Sensitive Data Exposure
- A7 – Missing Function Level Access Control’
- A8 – Cross-Site Request Forgery (CSRF)
- A9 – Using Components with known Vulnerabilities
- A10 – Unvalidated Redirects and Forwards