The Real OWASP Top 10

The OWASP Top 10 is a list of the ten most critical web application security risks, published by OWASP. Since its first release in 2004 it has received a lot of attention and has been referenced by several security standards, such as the PCI DSS, the credit card industry's security standard. The Top 10 was published in a three-year cycle that ended in 2016 due to internal disputes in the organisation.

Other standards such as the PCI DSS did not follow OWASP's Top 10 release cycle but forked off their own list of security risks in web applications. As a result, the current struggle to come up with a new release of the Top 10 does not have the impact on the security community that many of the project members believe it has. However, the Top 10 has always been a good starting point for people getting into web application security.

Unfortunately, some of the risks expressed in the recent release candidate are unspecific, redundant and lack precision. "Insufficient Attack Protection", for example, covers protecting against every web application vulnerability expressed in all the other Top 10 topics as well as the ones that did not make it into the Top 10. The same is true for "Unprotected APIs", since Web APIs can have the same vulnerabilities as the rest of the web application, and for "Sensitive Data Exposure", which can mean anything.

On the plus side, OWASP is very transparent, and the data on which the current release candidate is based is hosted on GitHub. After applying some grouping, I got the following result:

OWASP Top 23

Now compare this to the official OWASP Top 10 2017 Release candidate:

OWASP Top 10 2017

It is interesting to see that neither "Insufficient Attack Protection" nor "Unprotected APIs" seems to be based on real observation, whereas Path Traversal, with a frequency of almost 15% (top 3 excluded), has not made it into the OWASP Top 10. Furthermore, Mass Assignment vulnerabilities, which are as dangerous as SQL Injection and far more frequent than CSRF, have been dropped, yet OWASP chose CSRF. Maybe this is because it is much easier for web application firewalls to prevent CSRF than Mass Assignment.

Conclusion

Concentrating on the OWASP Top 10 2017 alone is not sufficient, as highly dangerous and easily exploitable vulnerabilities such as Path Traversal and Mass Assignment have been swept under the carpet of politics and tool vendor interests. So maybe OWASP should scrap the Top 10 altogether and come up with a more comprehensive list of risks: a list that people can use as a solid starting point for digging into web application security.
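Since both the analysis above and the conclusion single out Path Traversal and Mass Assignment, here is an added example (not from the original post, and not OWASP code) showing what each bug looks like in application code next to the corresponding fix. The base directory, the `User` model and its `is_admin` field are assumptions chosen for illustration; the hardened path check canonicalises the path and requires it to stay inside the base directory, and the hardened binder uses an explicit field allowlist and reports rejected keys so they can be logged.

```python
"""Path Traversal and Mass Assignment: vulnerable pattern beside the hardened one."""
import os
from dataclasses import dataclass
from pathlib import Path


# --- Path Traversal --------------------------------------------------------

class UnsafePathError(ValueError):
    """Raised when a user-supplied path resolves outside the allowed base directory."""


def resolve_user_path_unsafe(base_dir: str, user_path: str) -> str:
    # Vulnerable: the untrusted component is joined as-is, so "../../etc/passwd"
    # walks out of base_dir, and an absolute path replaces base_dir entirely.
    return os.path.join(base_dir, user_path)


def resolve_user_path(base_dir: str, user_path: str) -> str:
    # Hardened: canonicalise (resolving "..", symlinks and absolute components)
    # and require strict containment in the base directory before use.
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if base not in target.parents:
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return str(target)


# --- Mass Assignment -------------------------------------------------------

@dataclass
class User:  # assumed model, constructed for this example
    username: str
    email: str
    is_admin: bool = False  # privileged field: must never be client-writable


def update_user_unsafe(user: User, form: dict) -> User:
    # Vulnerable: every submitted key that matches an attribute is bound, so a
    # request body containing {"is_admin": true} silently grants admin rights.
    for key, value in form.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


USER_WRITABLE_FIELDS = frozenset({"username", "email"})


def update_user(user: User, form: dict) -> tuple[User, set[str]]:
    # Hardened: only allowlisted fields are bound. The rejected keys are returned
    # so the caller can log them; a client trying to set "is_admin" is a signal
    # worth alerting on.
    rejected = set(form) - USER_WRITABLE_FIELDS
    for key in USER_WRITABLE_FIELDS & set(form):
        setattr(user, key, form[key])
    return user, rejected


if __name__ == "__main__":
    # Constructed sample request values.
    print(resolve_user_path_unsafe("/srv/uploads", "../../etc/passwd"))
    try:
        resolve_user_path("/srv/uploads", "../../etc/passwd")
    except UnsafePathError as exc:
        print("rejected:", exc)
    print(update_user_unsafe(User("bob", "bob@example.invalid"), {"is_admin": True}))
    print(update_user(User("alice", "alice@example.invalid"),
                      {"email": "new@example.invalid", "is_admin": True}))
```

The containment check deliberately rejects the base directory itself as well as anything outside it, which is the right default for a file-download endpoint; relax it only if serving the directory root is intended.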

Added 08/22/2017: There is a followup OWASP Top 10 Relaunch.
