OWASP just released a new Top 10 for 2013, updating the list of key web application security weaknesses to reflect the evolution of the highest risk vulnerabilities. While everyone loves a good top 10 list, the fundamental question I wrestle with is, has the OWASP Top 10 been effective?

The OWASP Top Ten has been around since 2003; however, only the last two iterations, 2010 and 2013, have been prioritized by risk. While top of mind as a topic in security circles, the OWASP Top 10, and secure coding practices in general, don’t seem to be top of mind in many development shops.

Since the release of the risk-based 2010 Top 10 list, there is very little direct evidence that web applications have become more secure.

The 2013 Verizon Data Breach Investigations Report (DBIR) shows decreases in threat action via hacking and malware and increases via social engineering and physical access. Can decreases in hacking and malware that might exploit vulnerabilities in web applications be attributed to increased security in web applications, as a result of secure coding practices inspired by the OWASP Top 10 of 2010?

The OWASP website provides a list of the companies and organizations that participate in developing the OWASP Top 10 as well as a listing of companies that utilize the OWASP Top 10. While this is not an exhaustive list, and there are certainly some significant companies identified, the application development community as a whole has not necessarily embraced the OWASP Top 10, or application security in general.

A 2012 Ponemon Institute study indicates that over 70% of developers feel that security is not adequately addressed in their SDLC, and over 50% indicated that their organizations do not have a training program on application security.

Adoption of secure development practices will continue to struggle as organization management focuses on low-hanging fruit for risk management. When secure application development becomes one of the top priorities for management, the long development cycles of complex applications will ensure that real security is still a ways off in the future.

Application developers, designers and architects need to embrace secure development practices, regardless of organizational mandate. A grassroots effort to begin incorporating secure development concepts like the OWASP Top 10 can help to prevent security breaches in the future; why wait for management to mandate that you follow guidelines that clearly make sense now?

What do you think: can the development community turn the tide and do the right thing?

Author: Todd Becker, PCI QSA, ISO 27001 Auditor