Professional Documents
Culture Documents
Openweb PDF
Openweb PDF
A5:
• In 2013, A5 went to Security Misconfiguration
• 2013’s A4 (Insecure Direct Object Reference) and A7 (Missing Function
Level Access Control) categories have combined to become Broken
Access Control
A6:
• 2013’s A5, Security Misconfiguration has
been placed at A6 in 2017
A7:
• Previously, this spot went to Missing
Function Level Access Control
• Now occupied by Cross-Site Scripting
(XSS)
Breakdown of Changes Between 2013 and 2017 Part 3
A8:
• The now removed category, Cross-Site Request Forgery, sat here in
2013
• Insecure Deserialization (a new category) has been placed at A8
A9:
• Unchanged, remains as Using Components with Known Vulnerabilities
A10:
• 2013’s A10, Unvalidated Redirects and Forwards, was removed from the
Top 10
• Now occupied by the new category, Insufficient Logging and
Monitoring
Summary
• The OWASP Top 10 does not cover every web application security
vulnerability
• The Top 10 is a fantastic foundation on which to build an application
security plan that also considers the needs of the application and
organization
https://www.cypressdatadefense.com/contact/
Email: info@cypressdatadefense.com
REFERENCES:
“XKCD ‘Exploits of a Mom’” https://xkcd.com/327/
“OWASP Top 10 - 2017” https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf