May 23, 2023

What Changed with the 2017 OWASP Top 10?

3 Emerging IT Security Risks

With the rise of the digital age, computers are responsible for more critical actions than ever before, and a break-in by a malicious actor has become far more than an inconvenience. IT security has grown into a major industry in response. Software vendors, operating system vendors included, regularly release patches and security bulletins, and independent bodies such as OWASP regularly publish guidance relevant to IT security.

Today, we are going to look at some of the latest threats as put forth by OWASP.

OWASP's Top 10 for 2017

OWASP, the Open Web Application Security Project, is a worldwide non-profit organization dedicated to software security. As a public service, OWASP maintains a list of the most common and serious categories of web application vulnerability, compiled from data contributed by security firms and from the field experience of its members. Participants include IT professionals around the world who report what they see in practice, including the vulnerabilities they find and the countermeasures that have worked for them. OWASP also works with businesses and governments to assess security risks objectively and to work toward solutions that benefit the industry as a whole.

Given its broad background and membership, OWASP's Top Ten list of security risks represents a global perspective on the threat landscape. As with most security bulletins, it gives IT professionals critical insight into the current state of affairs. The previous edition was published in 2013; the 2017 list adds new risks, merges others, and drops two in order to make room.

Here are the three new threats OWASP has added to the list for 2017.

1. XML EXTERNAL ENTITIES

Coming in at number four (A4:2017), XML External Entities (XXE) is a parser weakness that is easy to overlook because the application rarely writes any XML-handling code of its own. An XML document may carry a document type definition (DTD), and a DTD may declare external entities: references to a file path or URL that the parser fetches and substitutes into the document while processing it. Many older or default-configured XML processors do this automatically. An attacker who can submit XML (an upload, a SOAP or REST body, an SVG or Office file) can therefore declare an entity pointing at file:///etc/passwd or at an internal URL and have the server read that file, or make that request, on the attacker's behalf. The results are disclosure of local files, server-side request forgery against internal services and, through recursively nested entities, denial of service by entity expansion. Solution: disable DTD and external entity processing in every XML parser the application uses (the OWASP XML External Entity Prevention Cheat Sheet lists the setting for each common library), keep XML processors patched and upgraded, and prefer a simpler format such as JSON for data received from untrusted sources.
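
As an added example (not code from the original article), the following Python shows the two payload shapes described above beside a guard that refuses any document carrying a DTD before it reaches the parser. Only the standard library is used; the documents are constructed for the demonstration, and the size cap is an arbitrary value chosen here.

```python
"""Added example, not code from the original article: a guard that refuses
any document carrying a DTD before it reaches the XML parser, so external
entity declarations and entity-expansion bombs are never processed.
Only the standard library is used; the payloads below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not captured traffic).
BENIGN_XML = "<order><item sku='A100' qty='2'/></order>"

# Classic XXE: a DTD-processing parser would read /etc/passwd and
# substitute its contents into the <note> element.
XXE_FILE_READ = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE order [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
    "<order><note>&xxe;</note></order>"
)

# Entity expansion ('billion laughs'): three levels here expand to 100
# copies of 'lol'; the real attack nests ten levels and exhausts memory.
ENTITY_BOMB = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE lolz ["
    "<!ENTITY lol 'lol'>"
    "<!ENTITY lol2 '&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;'>"
    "<!ENTITY lol3 '&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;'>"
    "]><order>&lol3;</order>"
)


class UnsafeXML(ValueError):
    """Raised when an untrusted document is rejected before parsing."""


# Any DOCTYPE or ENTITY declaration is rejected outright: legitimate data
# exchange almost never needs a DTD, and refusing it removes both the
# external-entity and the expansion attack surface in one check.
_DTD_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_untrusted_xml(data, max_bytes=1_000_000):
    """Parse XML from an untrusted source with DTDs forbidden.

    Returns the root Element or raises UnsafeXML. The (assumed) size cap
    bounds the work a parser can be made to do even without entities."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if len(data) > max_bytes:
        raise UnsafeXML("document exceeds %d bytes" % max_bytes)
    if _DTD_DECL.search(data):
        raise UnsafeXML("DTD or entity declaration present; refusing to parse")
    return ET.fromstring(data)


def parse_with_dtd_allowed(data):
    """The unguarded default: ElementTree expands internal entities, so
    the bomb's payload is materialised in memory before the app sees it."""
    return ET.fromstring(data)


def rejects(data):
    """True if the guarded parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML).tag)            # order
    print(rejects(XXE_FILE_READ), rejects(ENTITY_BOMB))   # True True
    print(len(parse_with_dtd_allowed(ENTITY_BOMB).text))  # 300
```

The byte scan is deliberately blunt: it will also reject a CDATA section that happens to contain the literal text "<!DOCTYPE", which is an acceptable trade-off for untrusted input. In production, prefer turning the feature off inside the parser itself, as defusedxml does for Python by hooking the doctype handler, or as the Xerces feature http://apache.org/xml/features/disallow-doctype-decl does for Java, so the protection cannot be bypassed by an encoding the scan does not anticipate.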

2. INSECURE DESERIALIZATION

At number eight (A8:2017), insecure deserialization is harder to exploit than injection but catastrophic when it works, because it typically lets an attacker execute their own code on the server. Serialization converts an in-memory object into a byte stream so it can be stored or sent over the network; deserialization rebuilds the object from that stream. Native object formats such as Java serialization, PHP unserialize, .NET BinaryFormatter and Python pickle do not merely restore data: the stream names the classes to instantiate and, in effect, the methods to call, so a crafted stream can chain existing application or library classes ("gadgets") into arbitrary code execution, privilege escalation or denial of service. Session cookies, RPC messages, caches and message queues are the usual places where such streams are accepted from untrusted sources. Solution: do not deserialize native object streams from untrusted sources at all; exchange data in a data-only format such as JSON and validate it against a schema. Where native serialization cannot be avoided, sign the serialized data and verify the signature before deserializing, restrict the classes the deserializer is allowed to instantiate, run the deserialization in an isolated, low-privilege environment, and log and alert on deserialization failures, which are often the first sign of an attack.
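
As an added example (not code from the original article), the following Python uses pickle to show why loading a native object stream from an untrusted source is code execution, and then the two mitigations from the paragraph: a deserializer restricted to a fixed set of types, and signed JSON in its place. The gadget calls a harmless recorder function standing in for os.system; the recorder, the type whitelist and the key are assumptions made for the demonstration.

```python
"""Added example, not code from the original article: why loading a native
object stream from an untrusted source is code execution, and two safer
alternatives (a type-restricted unpickler and signed JSON). The gadget
runs a harmless recorder standing in for os.system; the key and records
are constructed for the demonstration."""
import hashlib
import hmac
import io
import json
import pickle

EXECUTED = []   # records what the gadget made the loader call


def run_cmd(cmd):
    """Stand-in for os.system: a pickle gadget pointing here is exactly as
    dangerous as one pointing at os.system; we record instead of run."""
    EXECUTED.append(cmd)
    return cmd


class Exploit:
    """Serialises to a stream that, when loaded, calls run_cmd(cmd).
    pickle invokes __reduce__ to decide what to write; the loader then
    executes the callable named in the stream with the stored arguments."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_cmd, (self.cmd,))


def malicious_blob(cmd="id"):
    return pickle.dumps(Exploit(cmd))


def benign_blob():
    """A legitimate data-only object, as the application would produce."""
    return pickle.dumps({"sku": "A100", "qty": 2})


def unsafe_load(blob):
    """The insecure pattern: pickle.loads on attacker-controlled bytes."""
    return pickle.loads(blob)


# Mitigation 1: only a fixed set of harmless globals may be resolved.
# Plain containers, strings and numbers need no global lookup at all.
SAFE_GLOBALS = {("builtins", n) for n in ("set", "frozenset", "range", "complex")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_rejected(blob):
    """True if the restricted loader refuses the stream."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Mitigation 2 (preferred): a data-only format, plus an HMAC so a blob the
# service did not produce itself is rejected before it is even parsed.
def sign_json(obj, key):
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def verify_json(blob, key):
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature; data was not produced by this service")
    return json.loads(body)


def verify_rejected(blob, key):
    try:
        verify_json(blob, key)
    except ValueError:
        return True
    return False


DEMO_KEY = b"constructed-demo-key-rotate-in-production"

if __name__ == "__main__":
    unsafe_load(malicious_blob("id"))
    print(EXECUTED)                                       # ['id']
    print(load_rejected(malicious_blob("id")))            # True
    print(safe_load(benign_blob()))                       # {'sku': 'A100', 'qty': 2}
    token = sign_json({"user": "alice", "role": "user"}, DEMO_KEY)
    tampered = token.replace(b'"role":"user"', b'"role":"admin"')
    print(verify_rejected(tampered, DEMO_KEY))            # True
```

The whitelist approach is the fallback, not the goal: every class you allow is a potential gadget, and an attacker needs only one. The signed-JSON path is what the paragraph recommends, and it also covers the session-cookie case, since the server can then trust nothing it did not sign itself.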

3. INSUFFICIENT LOGGING AND MONITORING

At number ten (A10:2017), insufficient logging and monitoring made the list because it is what turns a single exploited bug into a long-running breach: OWASP notes that most breach studies put the time to detect a compromise at over 200 days, and that the compromise is usually discovered by an outside party rather than by internal monitoring. The common failures are that auditable events (logins, failed logins, access-control denials, high-value transactions) are not logged at all; that logs stay on individual machines with no central collection, so an attacker who controls the host can edit them; that warnings and errors produce no useful message; and that nothing watches the logs in near real time, so even an obvious brute-force pattern raises no alert. Solution: log authentication failures, access-control failures and server-side input validation failures with enough user and source context to identify suspicious activity; ship logs to a central, tamper-resistant store retained long enough for delayed forensic analysis; add alerting with thresholds tuned so that real attacks stand out from the mundane; and have an incident response plan that says who is notified and what they do. Setting this up with the help of a professional who knows the current attack patterns and can assess your actual needs is money well spent.
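
As an added example (not code from the original article), the following Python shows the kind of detection logic that turns collected logs into the alerts the paragraph calls for. It runs over a constructed set of JSON-lines authentication and authorization events; the field names, thresholds and window are assumptions for the demonstration, not any product's real schema.

```python
"""Added example, not code from the original article: detection logic run
over constructed JSON-lines auth events. It flags a password-spraying
burst, a successful login following that burst, and a user enumerating
records they are denied access to. Schema and thresholds are assumed."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed events, one per line, as a central collector might emit them.
_LOGIN_EVENTS = [
    '{"ts":"2023-05-23T10:00:05+00:00","event":"login_ok","user":"alice","src_ip":"198.51.100.20","path":"/login"}',
    '{"ts":"2023-05-23T10:01:00+00:00","event":"login_failed","user":"alice","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:01:10+00:00","event":"login_failed","user":"bob","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:01:20+00:00","event":"login_failed","user":"carol","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:01:30+00:00","event":"login_failed","user":"dave","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:01:40+00:00","event":"login_failed","user":"erin","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:02:00+00:00","event":"login_ok","user":"erin","src_ip":"203.0.113.7","path":"/login"}',
    '{"ts":"2023-05-23T10:05:00+00:00","event":"login_failed","user":"frank","src_ip":"198.51.100.21","path":"/login"}',
]
# bob, already logged in, walks through invoice numbers that are not his.
_DENIED_EVENTS = [
    json.dumps({"ts": "2023-05-23T10:10:%02d+00:00" % (5 * i), "event": "access_denied",
                "user": "bob", "src_ip": "198.51.100.22", "path": "/invoices/%d" % (1000 + i)})
    for i in range(1, 11)
]
SAMPLE_LOG = "\n".join(_LOGIN_EVENTS + _DENIED_EVENTS)


def parse_events(text):
    """One JSON object per line; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def _trim(q, now, window):
    """Drop entries that have aged out of the sliding window."""
    while q and (now - q[0][0]).total_seconds() > window:
        q.popleft()


def detect(events, window=300, fail_threshold=5, denied_threshold=10):
    """Return alerts in the order they would fire. Each key is alerted
    once per rule so a sustained attack does not flood the on-call."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> deque of (ts, user)
    denials = defaultdict(deque)    # user   -> deque of (ts, path)
    flagged_ips, flagged_users = set(), set()
    for ev in events:
        now, kind = ev["ts"], ev["event"]
        if kind == "login_failed":
            q = failures[ev["src_ip"]]
            q.append((now, ev["user"]))
            _trim(q, now, window)
            if len(q) >= fail_threshold and ev["src_ip"] not in flagged_ips:
                flagged_ips.add(ev["src_ip"])
                alerts.append({"severity": "medium", "rule": "auth_failure_burst",
                               "key": ev["src_ip"], "count": len(q),
                               "users": sorted({u for _, u in q})})
        elif kind == "login_ok" and ev["src_ip"] in flagged_ips:
            # A success from a source already spraying passwords is the
            # signal worth paging on: the attacker probably got in.
            alerts.append({"severity": "high", "rule": "login_after_failure_burst",
                           "key": ev["src_ip"], "user": ev["user"]})
        elif kind == "access_denied":
            q = denials[ev["user"]]
            q.append((now, ev["path"]))
            _trim(q, now, window)
            distinct = {p for _, p in q}
            if len(distinct) >= denied_threshold and ev["user"] not in flagged_users:
                flagged_users.add(ev["user"])
                alerts.append({"severity": "medium", "rule": "access_denied_enumeration",
                               "key": ev["user"], "count": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Note what the rules depend on: every failed login and every access-control denial must be logged with the user, source address and path, or none of this can fire. The single failure from 198.51.100.21 never alerts, which is the point of the thresholds; in a real deployment these would be tuned against your own baseline traffic rather than the values assumed here.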

Our take on it

In addition to these three new or elevated risks, the remaining seven items on the list continue to represent threats that merit attention. For example, risk 5, Broken Access Control, merges two risks from the 2013 list: Insecure Direct Object References (a user changes an identifier in a URL or request, such as an invoice number, and the server returns another user's record because it never checked ownership) and Missing Function Level Access Control (an administrative function is protected only by hiding the link to it, not by a server-side check). Both are the same root problem, authorization that is not enforced on the server for every request, so it makes sense to treat them as one risk.
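
As an added example (not code from the original article), the following Python shows both halves of the merged risk as a vulnerable handler beside its fixed form. The invoice store, users and roles are constructed for the demonstration.

```python
"""Added example, not code from the original article: the two 2013 risks
merged into Broken Access Control, each as a vulnerable handler beside
the fixed one. Invoices, users and roles are constructed data."""

INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 80.0},
    1003: {"owner": "alice", "amount": 45.5},
}
ROLES = {"alice": "user", "bob": "user", "mallory": "user", "root": "admin"}


class Forbidden(Exception):
    """Authenticated, but not authorised for this function."""


class NotFound(Exception):
    """Record does not exist, or is not visible to this caller."""


# Insecure Direct Object Reference (2013-A4): the id from the request is
# used as-is, so any logged-in user can read any invoice by changing it.
def get_invoice_vulnerable(session_user, invoice_id):
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


# Missing Function Level Access Control (2013-A7): the delete endpoint is
# "protected" only by not rendering the button for non-admins.
def delete_invoice_vulnerable(session_user, invoice_id):
    return INVOICES.pop(invoice_id, None) is not None


# Fixed: authorisation is decided on the server for every request, from
# the session identity, never from anything the client supplies.
def _visible_invoice(session_user, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != session_user and ROLES.get(session_user) != "admin"):
        # Same response for "missing" and "not yours", so valid ids
        # cannot be enumerated by watching for a different status.
        raise NotFound(invoice_id)
    return inv


def get_invoice(session_user, invoice_id):
    return _visible_invoice(session_user, invoice_id)


def delete_invoice(session_user, invoice_id):
    if ROLES.get(session_user) != "admin":   # function-level check, deny by default
        raise Forbidden("%s may not delete invoices" % session_user)
    _visible_invoice(session_user, invoice_id)
    del INVOICES[invoice_id]
    return True


def can_read(session_user, invoice_id):
    """True if the fixed handler lets this user see the invoice."""
    try:
        get_invoice(session_user, invoice_id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print(get_invoice_vulnerable("mallory", 1001)["owner"])   # alice: leaked
    print(can_read("mallory", 1001), can_read("alice", 1001))  # False True
```

The object-level check and the function-level check are separate, and both are needed: an admin-only endpoint still has to confirm the record exists and is in scope, and an ordinary read still has to confirm ownership. Doing the check in one place, as _visible_invoice does here, is what keeps the next endpoint from forgetting it.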

Two items, Cross-Site Request Forgery and Unvalidated Redirects and Forwards, were dropped from the list. OWASP's reasoning is that most modern frameworks now include CSRF defenses, so CSRF was found in only about 5% of applications, and Unvalidated Redirects and Forwards, found in roughly 8%, was edged out by XXE. A few percent of applications is still a noteworthy number, so neither risk should be ignored; it simply no longer merits a top ten spot.

Injection and Broken Authentication remain at the top of the list in first and second place. Sensitive Data Exposure has moved up from sixth to third, just ahead of XML External Entities, reflecting how often applications expose customer financial, health and personal data: storing it in clear text, transmitting it without TLS, or protecting it with weak or misused cryptography, so that anyone who obtains the data store or intercepts the traffic can read it.

The OWASP Top Ten continues to give IT professionals a global perspective on the security concerns that matter to the IT community as a whole. Schedule a consultation with our team to learn more: our compliance experts can provide industry insight and technical solutions that keep your business safe.


Frequently Asked Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date received their SOC 2 Type I report four months after signing our engagement letter. That record is up for grabs if you are up for it.

In our experience, however, it takes 6-9 months to achieve a SOC 2 Type I report, and 3-6 additional months to obtain a SOC 2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO 27001 standard. Confidentiality, integrity and availability are the properties those policies address, which covers the range of criteria we typically work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC stands for System and Organization Controls (originally Service Organization Control): a SOC 2 report is about your controls, and your clients want to understand those, not your hosting provider's. As part of your vendor assessment we recommend reviewing AWS's own SOC 2 report, but relying on it is not enough to become SOC 2 compliant. AWS's report covers the infrastructure they operate; yours has to cover how you configure, operate and secure what you run on top of it.

Who is behind SOC 2?

The American Institute of CPAs (AICPA) defines the SOC 2 framework; the audits themselves are performed by independent CPA firms. There are two forms of report. A Type I report is a point-in-time audit that addresses the company's description of its system and the suitability of the design of its controls. A Type II report covers a period of time (commonly six to twelve months) and tests not only the design but the operating effectiveness of those controls over that period.

Are SOC 2 reports a legal obligation?

No, but most enterprise-level organizations that handle sensitive data (again, almost all of them) have an obligation to their stakeholders to demonstrate due diligence on data security, which means they will want to vet their service providers using this tool. A SOC 2 report lets a prospective service provider set itself apart from the competition and, just as important, is a meaningful and widely respected signal of trust.

What can happen to a company without a SOC 2 report?

The lack of a SOC 2 report will not cause legal problems, but it can and will limit how outsiders assess the company's commitment to data security. When large clients look for providers, or large backers look for a likely return on their investment, they do not want security concerns to stand in the way. Trust is a chain whose links have each been put to the test and proven able to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply that pressure so their clients and backers do not have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years without a SOC 2 report can, and should, take steps in this direction now; SOC 2 compliance can open the door to a broader base of larger clients and contract opportunities. That said, startups on the threshold of the marketplace, and founders who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy or complicated, depending on your level of preparation.

Preparing for the audit takes time, attention and the guidance of reliable data security experts. Don't leave any part of this process to chance: approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with a track record in your area of the marketplace.