Connect with us

Hi, what are you looking for?


Application Security

Final Version of 2017 OWASP Top 10 Released

The final version of the 2017 OWASP Top 10 was released on Monday and some types of vulnerabilities that don’t longer represent a serious risk have been replaced with issues that are more likely to pose a significant threat.

The final version of the 2017 OWASP Top 10 was released on Monday and some types of vulnerabilities that don’t longer represent a serious risk have been replaced with issues that are more likely to pose a significant threat.

The Open Web Application Security Project (OWASP) announced the first release candidate for the 2017 OWASP Top 10 back in April, and there has been a lot of debate about what should and what should not be included.

One significant change compared to the 2013 OWASP Top 10 is the fact that the types of flaws that made it into the 2017 list have been selected based on the risk they pose.

The OWASP Top 10 vulnerabilities are injection, broken authentication, sensitive data exposure, XML external entity (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.

OWASP top 10 2017

While XSS can be classified as a type of injection, the decision has been made to leave it in a separate category as these types of bugs are addressed differently compared to SQL and OS command injections.

Cross-site request forgery (CSRF) has been removed from the OWASP Top 10 as modern development frameworks ensure that such vulnerabilities are avoided, which has led to CSRF being found in less than 5% of applications. Unvalidated redirects and forwards have also been removed as they affect only around 8% of apps.

Insecure direct object references (IDOR) and missing function level access control have been merged into broken access control.

Advertisement. Scroll to continue reading.

The free spots were filled by XXE, insecure deserialization, and insufficient logging and monitoring. Critical deserialization flaws have been found in several high profile apps in the past few years so it’s not surprising that it made the list. As for logging and monitoring, OWASP pointed out that many organizations have serious problems in this department, as clearly demonstrated by the significant number of breaches discovered by third-parties instead of the targeted organization itself.

OWASP also noted that while the names of some categories have not changed, the types of issues they cover has changed. For instance, sensitive data exposure refers to privacy and personal information exposure, not leaky headers and stack traces, and misconfigurations now also include cloud-related issues such as unprotected storage containers (e.g. AWS S3 buckets).

The 2017 OWASP Top 10 is based on data from 23 contributors covering more than 114,000 applications. The data has been made available on GitHub, a move that is part of OWASP’s efforts to be more transparent.

After a break, OWASP will start working on the next Top 10, which has been scheduled for 2020.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...