Posted on

Latest Top 10 OWASP

Takeaways for Application Security and the Validity of OWASP Top 10

It goes without saying that the small size and specific nature of this sample makes it difficult to generalize the results, even to the limited group of large data breaches, much less so to all web applications or enterprise systems. However, this anecdotal data exposes numerous cases in which OWASP Top 10 vulnerabilities played a major role in security disasters.

On the one hand, this confirms that these 10 vulnerabilities are meaningful in describing actual threats faced by organizations today. On the other hand, we saw real-life data breaches clearly do not obey OWASP 1-to-10 ranking of security problem severity.

A primary discovery of this research is that A9-Using Vulnerable Components is an extremely prevalent and dangerous problem that deserves more attention in the OWASP framework. If 12 of the world’s 50 most devastating breaches were caused by A9, more than any other OWASP vulnerability, it cannot continue to be ranked 9/10 by severity. A9 is also the vulnerability most likely to be the root cause of a major data breach.

At Snyk, our mission is protecting organizations from known vulnerabilities in their open source components. Based on our day to day experience, we had a feeling that this problem was much more severe than it would appear from the OWASP Top 10 and many other industry writings. We were surprised to see the data suggested so strongly that this might, in fact, be the #1 problem threatening online security today.

Similarly, A5-Security Misconfiguration cannot continue to be ranked 5/10 when it is the second biggest cause of mega-scale security disasters.

As you can see in the image below, the current release candidate for OWASP 2017 contains a few updates, but none of them relate to A9 and A5 vulnerabilities, which remain with the same rank and definition since 2013.


Some addition takeaways:

Additional threats which are not listed in the OWASP Top 10 were responsible for 15 of the top 50 data breaches (30%, much higher than any individual OWASP vulnerability). For example, 4 of the top 50 breaches were caused by malware or phishing (this is what opened the door for attackers and enabled the breach)—as many as OWASP’s top vulnerability, A1-Injection. 3 of 50 breaches were caused by exploits of the RDP protocol, as many as OWASP’s #2 vulnerability, A2-Broken Authentication. Both of these issues, malware and protocol exploits, and possibly others, should be considered for OWASP’s 2017 list.

Missing vulnerabilities—more data is needed about the real prevalence of OWASP A3, A4, A8 and A10 in cyber attacks. Our study showed only 2 occurrences of A4, 1 occurrence of A10 and none for A3 and A10 in the top 50 breaches. As we discussed, because our study focuses on widely publicized data breaches, it is a biased sample. A broader database of cyber attacks might shed more light on these “missing” vulnerabilities.
More research is needed to firmly conclude which threats are exploited by hackers in real world attacks. The bottom line of this exploratory study is that this data is essential for understanding the modern attack surface and prioritizing your defenses. We propose that OWASP considers changing its stance on “likelihood of threat agent”, and start treating it as an essential component for evaluating critical security issues.

Disaster Rank 1: A9-Using Components with Known Vulnerabilities, is the dubious “winner” causing 12 of the top 50 breaches (24%). Notable incidents caused by A9:

The Mossack Fonesca (Panama Papers) breach, which was caused by a vulnerability in an old, unpatched version of Drupal.
The VericalScope/ breach in which 45 million passwords and IP addresses were stolen from a network of over 1,100 websites and forums. The cause was said to be a known vulnerability in an old version of the vBulletin forum software.
The Ubuntu forums breach in which 2 million usernames, IP addresses and passwords were compromised from the official Ubuntu forums. The cause was a “known SQL injection vulnerability in the Forumrunner add-on which had not been patched”.
The usual suspect: Amazingly, of the 12 huge breaches caused by A9, a whopping 9 organizations were breached due to vulnerabilities in forum software, and 6 of those were using an old version of the vBulletin software.

You can also read from-

Also read-

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *