OWASP Top Ten web app risks are being updated, but are they the right ones?

Months in the making, the OWASP Top Ten Project has released the proposed 2017 update of for public and private comments from application security professionals.  This is the fourth update to the list that was first published in 2003 when the order reflected the most prevalent risks.  Since 2010, the list has been based on the priority order of risk.

The proposed 2017 list contains two new categories that reflect the changing nature of threats and solutions.  “A7 Insufficient Attack Protection” describes the risk that exists when an application is not protected using a security solution and includes vulnerabilities such as anti-automation and attacks such as brute forcing. This category also highlights the importance of logging.

On the downside, the title and the scope of this category is very broad. Additionally, this category appears to promote security solutions such as WAFs despite the fact that WAFs have been proven insufficient and in, many cases, create a false sense of security because of large numbers of false positives and negatives.

The second new category, “A10 Unprotected APIs,” is another very broad category that includes all types of vulnerabilities that can apply to any type of API. Because of such a broad nature, it overlaps with most of the other categories.

The rest of the Top Ten list remains largely unchanged with two exceptions. After evaluating the 2013 list, the project team combined two previous, but related categories – A4 Insecure Direct Objects References and A7 Missing Function Level Access – and deleted A10 Invalidated Redirects and Forwards. The 2013 versions of A4 and A7 were originally a single category until 2007 and have been recombined because the project team believes it’s no longer necessary to draw attention to the two halves of the same problem.

The 2013 version of A10 was dropped because the underlying threat has not developed as expected since its introduction in 2010.

Public and private comments will be accepted until 30 June, 2017.  The final list is expected to be released in late summer along with the public comments received during the review period.

Waratek encourages you to download the proposed list here.  You may direct your public comments to the OWASP Top Ten Project Email List and your private or anonymous comments to Project Leader Dave Wichers.


Apostolos Giannakidis

Security Architect

Apostolos drives the research and the design of the security features of Waratek’s RASP container. Before starting his journey in Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.

Related resources

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.