Update of OWASP Top 10 Sees Same Old Problems Topping the List

November 24, 2025


Most of the movement in the OWASP Top 10 this time is owed to category revamps and mergers. There is some concrete progress to point to in certain areas, but the lead issues of broken access controls and security misconfigurations continue to dominate the list.

Released roughly once every three or four years, a new edition of the OWASP Top 10 has just emerged. But if you look back to the previous edition, issued in 2021, or even to editions older than that, it does not look like there has been a whole lot of progress in the biggest app security issues.


OWASP Top 10: Little movement in four years

The OWASP Top 10 began in 2003, and in terms of high-ranking endemic problems the list has stayed fairly consistent over the years. There are some important limitations to note, however. One is that it largely retains its “pre-cloud” analysis format; were it to prioritize threats to cloud hosting and infrastructure, for example, the #2 position (security misconfigurations) would easily swap places with the #1 position (broken access controls).

It also does not include LLMs and generative AI, which have their own separate list, begun just two years ago. Nor does it really distinguish between commercial and open-source software in its analysis, a potentially important omission given the different nature of “support” for each: commercial software generally has a definite end-of-life, while open-source support is far murkier, with forks and revivals after periods of dormancy.

With all that in mind, the most progress seen in the current OWASP Top 10 is with threat modeling and secure-by-design principles. There is a general uptick in these elements being properly addressed in the planning and design phase of software, and that is reflected in some movement of categories up and down the board.

OWASP Top 10 surveys over two million apps

The current OWASP Top 10 is based on data for over 2.8 million apps donated by a variety of large cybersecurity firms, along with a survey circulated to security professionals. The analysis of apps necessarily lags behind the most current trends, so the survey helps to provide a more recent picture of the threat landscape.

But it appears you can set your watch to access control issues being a leading problem, no matter what else changes. The report finds 3.73% of the analyzed apps impacted by the #1 category of flaws; examples of how this manifests are the ability to “brute force” guess URL or user ID numbers, or ways to obtain permissions without passing access control checks. This category was also given a boost by having the server-side request forgery category, formerly the #10 seed, merged into it.

Much of the rest of the list holds steady in its rankings from OWASP Top 10 2021, with “security misconfigurations” making the biggest jump (from #5 to #2). The former #2-4 spots slid down uniformly to #4-6. The new #3 position belongs to software supply chain failures, a revision of the former “vulnerable and outdated components” category that moved up from its previous ranking after being refined.

One final point of interest is a new category coming into the #10 position that was vacated by the “access controls” merger. The new category is “mishandling of exceptional conditions,” which addresses an assortment of abnormal conditions such as failure to open or incorrect error handling.
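To make the #1 and new #10 categories concrete, here is an added example (not code from the article or from OWASP): a minimal record-lookup handler in which the client-supplied record ID is trusted without an ownership check, beside a hardened version that enforces the check and handles the missing-record error condition deterministically. The store, user IDs and handler names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample data: two users (7 and 8), each owning one record
# with a sequential, guessable ID.
STORE = {
    1001: Record(1001, owner_id=7, body="alice's invoice"),
    1002: Record(1002, owner_id=8, body="bob's invoice"),
}


def is_authorized(user_id: int, record: Record) -> bool:
    # Ownership check; a real app would consult roles or an ACL here.
    return record.owner_id == user_id


def get_record_vulnerable(user_id: int, record_id: int):
    """Broken access control (#1): the record is fetched by the ID the
    client supplied and returned with no check that the caller owns it,
    so walking sequential IDs reads other users' data. An unknown ID also
    escapes as an unhandled KeyError (a 500 in a web framework)."""
    return (200, STORE[record_id].body)


def get_record_hardened(user_id: int, record_id: int):
    """Deny by default, and treat the exceptional condition explicitly:
    a missing record and a forbidden one produce the same 403, so the
    caller learns nothing about which IDs exist."""
    try:
        record = STORE[record_id]
    except KeyError:
        # Mishandling this path (#10) would mean leaking a stack trace or a
        # distinguishable 404 that confirms which IDs are in use.
        return (403, None)
    if not is_authorized(user_id, record):
        return (403, None)
    return (200, record.body)
```

Run with user 7: the vulnerable handler returns record 1002 (owned by user 8), the hardened one refuses it and also refuses a non-existent ID with the same response.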