As organizations’ IT environments grow more complex, so does the software they install on their systems. Software developers and managers have embraced microservices written in Node.js and Spring Boot, for example. These new types of dynamic applications challenge organizations to establish appropriate trust chains and to secure old code hosted on the web. Single-page applications, which owe much to the emergence of JavaScript as the web’s primary language, have also helped shift fundamental application technology and architecture.

These changes are not without their drawbacks. Pushed out under ever-shortening software lifecycles, some applications carry risks that undermine the digital security of the financial, healthcare, retail, and other business sectors. It is important that developers and managers learn about these most common risks so that they can secure their applications.

Towards that end, the Open Web Application Security Project (OWASP) releases the top 10 most critical web application security risks on a regular basis. It culls this information from more than 40 data submissions received from companies specializing in application security, with the data spanning vulnerabilities gathered from hundreds of organizations and over 100,000 deployed applications and APIs.

OWASP rates each risk according to its exploitability, weakness prevalence, weakness detectability, and technical impact. These risks are ever-changing. For instance, 500 peer submissions from the community provided OWASP with two forward-looking risk categories to add to its list in 2017. The organization also added a new category derived from source code analysis security testing (SAST) data sets.

There were additional changes. Two categories from OWASP’s 2013 Top 10, Insecure Direct Object References and Missing Function Level Access Control, were merged into a single category, “Broken Access Control,” for the 2017 list. Additionally, OWASP retired Cross-Site Request Forgery (CSRF) along with Unvalidated Redirects and Forwards based upon (Read more...)