Wednesday, August 2, 2017

OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. Therefore, it rightfully has a greater level of scrutiny and a greater level of review as befitting a Flagship project.


The previous Top 10 leaders have passed the baton for this project on to a new team and we will strive to address the feedback that has been provided over the past few months. We have discussed as a team and at the OWASP Summit what steps must be taken and what changes must be made to the OWASP Top 10.


A summary of changes is listed below, please read further to understand more of the why behind them:
  • The Top 10 will focus on Vulnerability Categories.
  • Feedback on the mailing list has been moved to the Issues List (https://github.com/OWASP/Top10/issues) in GitHub, please continue to contribute feedback there.
  • The content of the document will be extracted to provide easier translations.
  • Scoring for Top 10 entries is intended to be based on Common Weakness Scoring System (CWSS)
  • For the 2017 Edition, 8 of 10 vulnerabilities will be selected from data submitted via the call for data and 2 of 10 will be selected from an industry-ranked survey.
  • A ranked survey (https://goo.gl/forms/ltbKrdYrp4Qdl7Df2) is now available for industry professionals to select two new vulnerability categories for inclusion in the Top 10 2017. The deadline for the survey is 30 August, 2017.
  • The call for data (https://goo.gl/forms/tLgyvK9O74r7wMkt2) is now reopened to allow for additional data to be collected for analysis. The new deadline for the extended data call is 18 September, 2017.
  • The Top 10 2017 RC2 will released for review and feedback 9 October, 2017.
  • The final release of the Top 10 2017 is targeted for 18 November, 2017.


OWASP Top10 Timeline-v2.png


The OWASP Top 10 has always been about missing controls, flawed controls, or working controls that haven’t been used, which when present are commonly called vulnerabilities. We have traditionally linked the OWASP Top 10 into the Common Weakness Enumeration (CWE) list maintained by NIST / MITRE. We will continue to align with CWEs and utilize the CWSS scoring system to help provide an industry standard measurement.
For the Top 10 2017, we will be focusing on vulnerability categories. These categories will be mapped to one or more CWEs where possible. The scoring system for the Top 10 will be updated to leverage the CWSS as much as feasible. Like the Common Vulnerability Scoring System (CVSS) for specific Common Vulnerabilities & Exposures (CVEs), we are intending to use CWSS for vulnerability categories. In the scenario where there are multiple CWEs, we will use the high-water mark; if there is a vulnerability category without a matching CWE, we will do what we can to align a CWSS score.
Although the OWASP Top 10 is partially data-driven, there is also a need to be forward looking. At the OWASP Summit we agreed that for the 2017 Edition, eight of the Top 10 will be data-driven from the public call for data and two of the Top 10 will be forward looking and driven from a survey of industry professionals. The OWASP Top 10 will clearly identify which items are forward looking: we will use the CWSS score of these items (if a CWE for the issue exists) or our best judgement on where the issue will be ranked in the Top 10.


The extended call for data can be accessed here: https://goo.gl/forms/tLgyvK9O74r7wMkt2
The two items that are not data-driven will be supported by a qualitative survey. The survey is comprised of vulnerability categories that were identified as “on the cusp,” mailing list feedback, and previous call for data feedback. Respondents should rank the top four most important vulnerability categories from their knowledge and experience. The two vulnerability categories with the total highest ranking will be included in the Top 10 2017. The information will also help us develop a plan to better structure the call for data for the OWASP Top 10 2020.


The survey can be accessed here: https://goo.gl/forms/ltbKrdYrp4Qdl7Df2


Every single issue in the OWASP Top 10 should have a direct cause: either one or more missing or ineffective controls, or not using an in place control. Every issue should be precise in its language and view (as in not intermingling the terms “weakness,” “vulnerability,” “threat,” “risk,” or “defect”) so each issue can be theoretically testable. This will help us make a stronger and more defensible list of included items.
We aim to review and resolve ontological concerns, such as including issues that are not like the others. This means that in some circumstances, there should be a view from the Developer perspective (documented by the OWASP Proactive Controls) and a view for the Defending Blue Team (documented by the currently non-existent OWASP Defensive Controls).
Every issue should contain clear and effective advice on remediation, deterrence, delay and detection that can be adopted by any development team - no matter how small or how large. As the OWASP Top 10 are important vulnerability categories, we should strive to make our advice easy to follow and easily translatable into other languages.
From a methodology point of view, we are looking at taking lessons learned from 2017 and coming up with a better process for the OWASP Top 10 in 2020. We would like to coordinate with other teams to provide a staggered release of the other OWASP Top 10 efforts with sufficient time between each release to allow the industry to upgrade and adopt in a practical way.
Lastly, we are opening up the text to provide history and traceability. We need to ensure that all of the issues documented within any of the various Flagship projects, but particularly the OWASP Top 10, can be satisfied by developers and devops engineers without recourse to paid tools or services. There is value in the use of paid services and tools, but as an open (as in free and in liberty) organization, the OWASP Top 10 should have a low barrier of entry, and high effectiveness of any suggested remediations.
Thank you, and we look forward to working with you on the OWASP Top 10.


OWASP Top 10 Project Leaders
Andrew van der Stock
Neil Smithline
Torsten Gigler
Data Analyst

Brian Glas

No comments: