
As someone who knows a lot about WordPress security, this one has a fond place in my heart. It’s almost certainly the most common cause of compromise in WordPress, because so many end-users don’t understand the importance of updating all their components. The OWASP document specifies that it’s possible with at least Java as well. Basic integrity checks and/or keeping the serialized format totally secure is smart. XSS, or cross-site scripting, has fallen a good distance in the 2017 revision of the OWASP Top Ten. The reason for this is that, because it’s so often cited as a security vulnerability, the likelihood of people making mistakes that render their application vulnerable has declined a good deal.

OWASP Top 10 2017 Update Lessons

If the bank’s payment system implements money transfers using an HTTP GET request, nothing is stopping the disaster from happening. The browser then sends the request to the bank’s payment system, instead of the forum’s back-end. The entire team from The Software House has invested an incredible amount of time to truly understand our business, our users and their needs. This is the start of a longer series of blog posts, which deals with how to build a CI/CD Pipeline to scan for the OWASP Top 10 automatically.

A3:2017 – Sensitive Data Exposure

Malicious payloads can be stored in a database, and when a website expects to retrieve information from the database, it retrieves the malicious payload and the valid data. This new category on the OWASP list relates to vulnerabilities in software updates, critical data, and CI/CD pipelines whose integrity is not verified. Exactly what its name implies, security misconfiguration is when you’ve overlooked some vulnerabilities. This includes using default credentials, leaving files unprotected on public servers, having known-but-unpatched flaws, and more, and at any layer of the software stack. Authentication is the process for making sure it’s really you accessing your accounts and data.

It’s a well-considered list and deserves a complete course rather than a quick summary. What was interesting about the 2017 update, to me, was that it went through a few different drafts, and finally did some data analysis and polling. It’s somewhere between possible and likely that this happened in the past, but because I was authoring WordPress Security with Confidence at the time, I paid much more careful attention to the whole process. What it is, though, is a great baseline for discussing and processing what people want and need to know.


Overall, the list of CWEs that the OWASP Top 10 covers is long, and many things are too big for manual testing. The aim is to collect the most comprehensive dataset related to identified application vulnerabilities to date, to enable analysis for the Top 10 and other future research as well. This data should come from a variety of sources: security vendors and consultancies, bug bounties, along with company/organizational contributions.

We’ve received positive feedback related to grouping like this as it can make it easier for training and awareness programs to focus on CWEs that impact a targeted language or framework. Previously we had some Top 10 categories that simply no longer existed in some languages or frameworks, and that would make training a little awkward. For example, Sensitive Data Exposure is a symptom, and Cryptographic Failure is a root cause. Cryptographic Failure can likely lead to Sensitive Data Exposure, but not the other way around. Another way to think about it is a sore arm is a symptom; a broken bone is the root cause for the soreness. Grouping by Root Cause or Symptom isn’t a new concept, but we wanted to call it out.

Changes in OWASP Top 10: 2017 vs 2021

Several topics will be addressed in future blog posts e.g., which vulnerability scan types are available and which points can be tested automatically. We will also show you various tools and how you could build a CI/CD security pipeline with them. For the Top Ten, we calculated average exploit and impact scores in the following manner. We mapped these averages to the CWEs in the dataset as Exploit and Impact scoring for the other half of the risk equation. We spent a few months grouping and regrouping CWEs by categories and finally stopped.

An attacker might, for example, send a victim an email that claims to be from a reputable bank and includes a link to the bank’s website. This link could have malicious JavaScript code appended to the end of it. If the bank’s website isn’t correctly secured against cross-site scripting, that malicious code is executed in the victim’s browser when they click on the URL.