Tips for software developers using OWASP Top 10 in 2020

Many software developers and web application security professionals have heard about the postponement of the 2020 planned release of the OWASP Top 10 Most Critical Web Application Security Risks. The OWASP Foundation recently cited several reasons for the delay, primarily related to the Coronavirus pandemic. The OWASP Top 10 is a critical resource for developers and technology professionals, as it informs them about the most critical security risks to web applications. The industry relies heavily on this globally recognized standard awareness document. 

According to OWASP, the pandemic created delays in scheduling the collaborations necessary to obtain data from organizations, performing the data science and analysis to identify the new Top 10, and obtaining the industry and media buy-in to drive awareness. The organization is now targeting mid-February for the new OWASP Top 10 release to coincide with the OWASP Global AppSec Days to be held in Dublin, Ireland.

Despite the delayed release, there are actions developers can take now to secure their applications. Many of the risks identified in 2017 still apply today, according to Global Learning Systems, OpenSesame’s training partner that specializes in secure coding training for developers. 

Effective and relevant aspects of OWASP Top 10 2017

Until the release of the new Top 10 next year, the 2017 OWASP Top 10 remains highly relevant. Global Learning Systems advises that we can expect to see many of these same risks on the 2021 Top 10 list, based on the data breaches and incidents that have occurred since the current list was published. In fact, one of the challenges application security professionals face is the stubbornness with which the same risks persist year after year. Historically:

    • Only three new risks were added between the 2013 and 2017 versions of the OWASP Top 10 list: A4: XML External Entities, A8: Insecure Deserialization, and A10: Insufficient Logging and Monitoring. 
    • Injections was #1 on the 2017 list and has been on every version since the inception of the Top 10. It also ranked #1 in 2010 and 2013. 
    • Broken Authentication was #2 in 2017 and 2013 and has appeared on every version of the list. 
    • 2017’s A7: Cross-site Scripting has made every Top 10 list since 2003.
Tips for securing your web application development in 2020
    1. Make sure your developers are well-informed on the 2017 OWASP Top 10. A complete understanding of this awareness document is the bare minimum your development teams should have to improve application security. 
    2. Offer on-going OWASP Top 10 technical training using real-life scenarios. Failure to continue educating and raising awareness of the current 2017 Top 10 puts your applications, data, and clients at risk.
    3. Stay informed of the latest security incidents and data breaches and share these updates with your development teams. Information alerts them to risks they may need to investigate and remediate in their code. 
    4. Follow the OWASP Top 10 team on Twitter for the updates on the new Top 10. 
A glimpse at how the new OWASP Top 10 is being developed

The OWASP Foundation has provided information about the methodology of the new Top 10. The organization will continue to collect data from as many sources as possible; use evidence-based, data science-driven standards; remain community-driven and reviewed; and align with other key standards and Common Weakness Enumerations (CWEs). OWASP is also improving its approach by enhancing its data science and community-driven qualitative process, allowing anonymous data submissions, and improving the presentation’s visual look while providing more ways for consumption. 

For more information on OWASP and secure coding training, as well as other cybersecurity awareness training, check out available courses from Global Learning Systems in the OpenSesame course catalog.

Marina Kelly is Technical Director and Data Protection Officer at Global Learning Systems. She holds an M.S. in Computer Science from the University of North Carolina at Greensboro and B.A. degrees in History (with Honors) and Education from St. Andrews University. After 10 years as a classroom teacher followed by various IT positions, Marina’s love of development, education and the minutiae of security and privacy intersect in her current role at Global Learning Systems.