
Data Stream F17.2

Page 1

FALL 2017.2 Communique of the Department of Computer and Information Sciences

Top 10 Security Risks of 2017 | OWASP by Christina Cardoza

The Open Web Application Security Project (OWASP) officially released its Top 10 most critical web application security risks. This is the first time the organization has updated the Top 10 since 2013. “Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used,” the OWASP wrote in the Top 10 2017. According to the OWASP, some significant changes over the past couple of years that prompted the update include microservices, single-page apps, and the dominance of JavaScript as a primary language on the web.

The Top 10 now consists of:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

WHAT’S INSIDE

An Artificial Synapse That Can Learn Autonomously (p. 2)

UNSW team develops cyber security education app (p. 3)

Common Data Structure Operations (p. 3)

Physicists Quantum Entangle Silicon Devices to Send Information Over a 20-Centimeter Distance (p. 4)

Why companies are switching to Everything as a Service (p. 5)

Quality Hacks (p. 6)

XXE, insecure deserialization, and insufficient logging and monitoring are new to the Top 10. Broken access control merges two 2013 categories: insecure direct object references and missing function-level access control. In addition, the OWASP has removed unvalidated redirects and forwards, and cross-site request forgery (CSRF), from the Top 10.

“Why have CSRF and unvalidated redirects and forwards been removed? It’s time to move on. The data for these is no longer strong enough to warrant inclusion, especially when we only have 8 data supported spots with our new methodology, and these two items didn’t rank in the community survey. This is actually a sign of success; the fact that CSRF is finally going away is a sign that the OWASP Top 10 has been successful at its mission,” the OWASP wrote in a blog post.

The community survey, which received more than 500 responses, did agree on the inclusion of insecure deserialization and insufficient logging and monitoring, according to the OWASP. “These two items were obviously top of mind for many this year considering the era of the mega breach is not slowing down,” the OWASP wrote. (Continued on page 2)
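The two 2013 categories folded into "Broken Access Control" are easiest to see side by side. The following is an added illustration written for this page, not code from the newsletter or from OWASP: an in-memory invoice store with constructed sample users and records, an insecure read handler that trusts a client-supplied record id (an insecure direct object reference), an insecure delete handler whose "admin only" status is never enforced (missing function-level access control), and hardened versions of both that deny by default. The role model ("user"/"admin") and the handler names are assumptions made for the example.

```python
"""
Added example (not from the newsletter or OWASP) of the two flaws that the
2017 Top 10 merges into "Broken Access Control", each beside its fix.

All users, invoices and handler names are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str  # assumed role model for the example: "user" or "admin"


class Forbidden(Exception):
    """Raised when a server-side access-control check fails."""


# Constructed sample data: invoice id -> record, each owned by one user.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}

ALICE = User("alice", "user")
BOB = User("bob", "user")
ADMIN = User("carol", "admin")


# --- vulnerable handlers -------------------------------------------------

def get_invoice_insecure(user: User, invoice_id: int, store: dict) -> dict:
    """IDOR (2013 A4): the id comes straight from the client and ownership is
    never checked, so any authenticated user can read any invoice by guessing."""
    return store[invoice_id]


def delete_invoice_insecure(user: User, invoice_id: int, store: dict) -> bool:
    """Missing function-level access control (2013 A7): deletion is "admin
    only" by convention (not linked from the normal UI) but nothing enforces it."""
    store.pop(invoice_id)
    return True


# --- hardened handlers ---------------------------------------------------

def get_invoice(user: User, invoice_id: int, store: dict) -> dict:
    """Deny by default: fetch the record, then verify the requester owns it
    (or holds the admin role) before returning it."""
    record = store.get(invoice_id)
    if record is None or (record["owner"] != user.username and user.role != "admin"):
        # One response for "does not exist" and "not yours", so an attacker
        # cannot enumerate valid ids through differing error messages.
        raise Forbidden("invoice not accessible")
    return record


def delete_invoice(user: User, invoice_id: int, store: dict) -> bool:
    """Enforce the role on the server for every call, not just in the UI."""
    if user.role != "admin":
        raise Forbidden("admin role required")
    if invoice_id not in store:
        raise Forbidden("invoice not accessible")
    del store[invoice_id]
    return True


def run_demo() -> dict:
    """Exercise both versions on fresh copies of the data and report outcomes."""
    results = {}

    store = {k: dict(v) for k, v in INVOICES.items()}
    # Bob reads Alice's invoice simply by supplying her id.
    results["idor_leak"] = get_invoice_insecure(BOB, 1001, store)["owner"]
    # Bob, a plain user, deletes an invoice through the unchecked handler.
    results["unchecked_delete"] = delete_invoice_insecure(BOB, 1002, store)

    store = {k: dict(v) for k, v in INVOICES.items()}
    results["owner_read"] = get_invoice(ALICE, 1001, store)["amount"]
    try:
        get_invoice(BOB, 1001, store)
        results["cross_user_read"] = "allowed"
    except Forbidden:
        results["cross_user_read"] = "denied"
    try:
        delete_invoice(BOB, 1002, store)
        results["user_delete"] = "allowed"
    except Forbidden:
        results["user_delete"] = "denied"
    results["admin_delete"] = delete_invoice(ADMIN, 1002, store)
    results["remaining"] = sorted(store)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hardened handlers keep the object lookup and the authorization decision in the same function, which is the property that both 2013 categories lacked: the insecure versions relied on the client not asking for ids it should not have, or on the UI not exposing a link, neither of which an attacker respects.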



Data Stream F17.2 by CIS@NCU - Issuu