Well, it's been three years coming, and the OWASP Top 10 is about to have a new revision. This version has some major improvements over the 2004 version, but some of the same problems are still there. I'll give a high-level overview of the improvements here and in future posts go over individual items in the Top 10 as I get more time to really digest the document.
Although security practitioners tend to gravitate to other taxonomies of threats, vulnerabilities, flaws, weaknesses, attacks, etc., the OWASP Top 10 is a very well-known listing of common web application vulnerabilities. So when you present your findings to a customer, you end up trying to shoe-horn your findings into one of the Top 10, which generally isn't hard because in the old version, there are some really broad categories. Most web developers have at least seen the OWASP Top 10, but might not have seen some of the more complete or better-structured taxonomies.
- Most of the recommendations are substantially better. Most of them recommend using output filtering or a protective API. For example, the XSS recommendations are business-rule input validation, output filtering, then whitelist not blacklist. For SQL Injection, they recommend parameterized queries rather than input validation. (Look out WAF vendors!)
- Most everything looks more like what we call "vulnerabilities" now. I still consider command injection, cross-site scripting, etc. to be threats, not vulnerabilities, but worded properly, you could say "vulnerable to Cross-site Scripting". While still not perfect, it's a major improvement over the previous hodge-podge of threats, vulnerabilities, and best practices.
- All the vulnerabilities are actually web-specific vulnerabilities now. While buffer overruns could potentially occur in web applications, I'm not so sure they were one of the 10 most dangerous flaws in web applications, and I know they weren't specific to web applications.
- Most of the vulnerabilities come from the MITRE Vulnerability Trends, rather than from some list from somebody's head.
- Some specific items are still truly a subset of other flaws. For example, Cross-site Scripting is its own vulnerability, not considered a subset of Command Injection. XSRF is its own vulnerability; it's not a subset of session validation (not positive that's necessarily wrong - the whole point of XSRF is that it works in spite of session checks, but I digress....)
- It still mixes threats with vulnerabilities. Cross-site scripting is something the bad guys do (threat). Insecure Cryptographic Storage is something the good guys fail to do (vulnerability).
- It actually includes language- and/or framework-specific fixes. While this is a good thing, OWASP doesn't have a governing board for approving recommendations from the community of additional framework-specific fixes, so you're limited to recommendations the authors could come up with. If your developers read this, they may conclude the listing of fixes is exhaustive. I recommend they have an approval panel and allow the community to submit recommendations based on language, platform, or framework. (I know, this is not what the Top 10 is for, but developers do come here first for their recommendations on how to solve the problems.)
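To make the difference in the recommendations concrete (parameterized queries for SQL Injection; whitelist validation plus output encoding for XSS), here is an added example that is not from the original post or from the OWASP document. It runs against an in-memory SQLite database; the table layout, the sample users and the `example.test` addresses are all constructed for the demo, and the probe string is a constructed input that is ordinary data to the parameterized query but becomes SQL syntax when spliced into the query text.

```python
"""Added example (not from the original post): the two remediation styles the
Top 10 recommends, side by side on an in-memory SQLite database.

  - SQL Injection: bound parameters instead of building the query as a string.
  - XSS: whitelist input validation, plus output encoding at the render point.

All names, the table layout and the sample rows are constructed for this demo.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """'Before' form: the user-supplied value is spliced into the SQL text,
    so the database parses any quote or keyword in it as part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Recommended form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Whitelist rule for a username field: constructed business rule for the demo.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value: str) -> bool:
    """Whitelist (business-rule) validation: accept only the characters a
    username may legitimately contain, instead of enumerating bad ones."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(name: str) -> str:
    """Output encoding: HTML-escape the value at the point it is written into
    markup, so the browser renders it as text rather than as elements."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed: plain data, but valid SQL once spliced in
    print("string-built :", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # no such user: []
    print("whitelist    :", validate_username("alice"), validate_username(probe))
    print("encoded      :", render_greeting("<b>hi</b>"))
```

The string-built lookup returns both rows for the probe because the quote in the input closes the literal and the rest is parsed as a second condition; the parameterized lookup returns nothing because the whole string is compared as a single value. Note that the whitelist check rejects the probe as well, but it is the parameter binding, not the validation, that makes the query safe for any input, which is exactly the ordering the revised recommendations put on it.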