The OWASP Summit 2017 brought about some important changes in what the organization considers the most critical web application security risks. Consensus within the organization left many of the listings untouched. The new entries on the list were set to be reviewed, specifically A7, Insufficient Attack Protection, and A10, Underprotected APIs.
The Top 10 list is meant to raise awareness of the most critical application security risks facing organizations today. OWASP has yet to fully agree on which kinds of risk should be listed and how they should be prioritized; nonetheless, the list remains useful to non-specialists as a guide to the issues affecting digital security across the board. Below are the most important items discussed at the 2017 meeting.
2017-A4 Broken Access Control
This was one of the Top 10 items kept by consensus, meaning that broken access control remains one of the most salient risks for companies to consider in 2017. The item could still change before the final list is released later in 2017. OWASP kept A4 because it was “too late to change the data collection” by the time of the meeting, according to the OWASP Outcomes report.
2017-A7 Insufficient Attack Protection
The A7 item first came under scrutiny for its name, which the committee considered too broad. Renaming the section to either “Insufficient Detection and Response” or “Insufficient Attack Preparation” was proposed and agreed upon.
OWASP also agreed to ensure that all services and products referenced are aligned with OWASP, and to remove all commercial offerings. The committee defined A7 as an “app” problem that requires the joint effort of development and operations to manage properly. It also agreed to consider additional text in the next report to align the A7 section with the devops movement that many companies now use to coordinate those efforts.
2017-A10 Underprotected APIs
The A10 classification, “Underprotected APIs,” was considered for deletion from the Top 10 list. The committee agreed that although APIs are an increasing consideration, they do not currently carry enough risk to warrant a place on the Top 10. The committee could not fully agree on whether to remove A10, for the same reason that A7 remained unresolved: data collection efforts were not finished by the time the meeting took place.
OWASP opened a data call on the issue immediately after the publication of the Outcomes report, running until August 25. The goal is to gather enough data, and to repeat the call in subsequent years, so as to avoid the problem that occurred here: too little data had been analyzed by the time of the meeting.
The RC1 document was also rejected outright by OWASP. OWASP considered releasing an RC2 in the same month as the Outcomes report, with an RC3 to follow later in the year.