OWASP Top 10 Considered Harmful
The OWASP Top 10 is frequently used in application security circles as the go-to reference for “best practice”. However, while the Top 10 approach may once have been a great way to raise the profile of application security, its time has passed. It is at best misleading and at worst outright harmful, and a more mature industry approach must be adopted to help secure the future of business applications.
When it was originally released back in 2004, the Top 10 was intended to raise awareness of application security, at a time when it did not have the attention it deserved. But fast forward eleven years and a lot has changed. The awareness agenda has been a huge success, application security is now a $2.5 billion industry, and those who ignore its risks do so at their peril.
So why is the OWASP Top 10 actually a negative influence in today’s infosec landscape? Well, primarily because it exists completely outside any context at all. Cross-site request forgery in an online banking application would be a genuine concern, while a SQL injection vulnerability in the application that runs on my toaster should raise a maximum of zero eyebrows — so what if someone knows how many slices I like for breakfast. By focusing on issues rather than consequences, the Top 10 brainwashes us into an unhealthy security mindset.
This is compounded by the way the list is commonly presented, stating that these ten issues are “the most critical”, when the guide itself says they are merely the most common. As an example, the tenth most “critical” vulnerability is when an application can forward the user to a separate website, which is barely a vulnerability at all — simply a trick played on a user who may as well be fooled in a number of other ways.
The Top 10 also ignores some major potential causes of harm in business applications, such as workflow bypass, or “business logic manipulation”, where a user can get around restrictions that are supposed to be enforced; for example, making a trade while skipping the authorisation that the trading floor manager is supposed to give.
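The workflow bypass described above is easy to show in code, and it is exactly the kind of flaw a generic checklist will not flag. The following is an added example, not code from the article or from OWASP: it models a constructed trade desk in which a trade must be submitted by a trader, approved by a manager, and only then executed. The weak version exposes each step as a separate operation and trusts the client to call them in order, so a trader can skip straight to execution. The hardened version enforces the state machine, the caller's role, and separation of duties on every transition. The user names, roles and trade values are constructed for the example.

```python
"""Workflow bypass ("business logic manipulation") and its server-side fix.

Constructed scenario, not from the article: a trade moves
SUBMITTED -> APPROVED -> EXECUTED, and the APPROVED step must be performed
by a floor manager who is not the submitting trader.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    EXECUTED = "executed"


@dataclass
class Trade:
    trader: str
    amount: int
    state: State = State.SUBMITTED
    approver: Optional[str] = None


class WorkflowViolation(Exception):
    """Raised when a caller tries a transition the workflow does not allow."""


# Constructed user directory standing in for a real identity/role store.
ROLES: Dict[str, str] = {"alice": "trader", "bob": "manager"}


class WeakTradeDesk:
    """Each step is its own operation; execute() never checks prior steps.

    This is the vulnerable pattern: the approval step exists, but nothing
    ties execution to it, so the 'authorisation' is purely advisory.
    """

    def __init__(self) -> None:
        self.trades: Dict[str, Trade] = {}
        self.executed: List[str] = []

    def submit(self, trade_id: str, trader: str, amount: int) -> None:
        self.trades[trade_id] = Trade(trader, amount)

    def approve(self, trade_id: str, user: str) -> None:
        t = self.trades[trade_id]
        t.state, t.approver = State.APPROVED, user

    def execute(self, trade_id: str, user: str) -> bool:
        # BUG: no check that the trade is APPROVED, nor who approved it.
        t = self.trades[trade_id]
        t.state = State.EXECUTED
        self.executed.append(trade_id)
        return True


class HardenedTradeDesk:
    """Every transition checks current state, caller role and duty separation."""

    # action -> (required current state, required caller role, next state)
    RULES = {
        "approve": (State.SUBMITTED, "manager", State.APPROVED),
        "execute": (State.APPROVED, "trader", State.EXECUTED),
    }

    def __init__(self, roles: Dict[str, str]) -> None:
        self.roles = roles
        self.trades: Dict[str, Trade] = {}
        self.executed: List[str] = []

    def submit(self, trade_id: str, trader: str, amount: int) -> None:
        if self.roles.get(trader) != "trader":
            raise WorkflowViolation("only traders may submit")
        if trade_id in self.trades:
            raise WorkflowViolation("duplicate trade id")
        self.trades[trade_id] = Trade(trader, amount)

    def _transition(self, action: str, trade_id: str, user: str) -> Trade:
        required_state, required_role, next_state = self.RULES[action]
        t = self.trades[trade_id]
        if t.state is not required_state:
            raise WorkflowViolation(f"{action} not allowed from {t.state.value}")
        if self.roles.get(user) != required_role:
            raise WorkflowViolation(f"{user} lacks role {required_role}")
        t.state = next_state
        return t

    def approve(self, trade_id: str, user: str) -> None:
        if self.trades[trade_id].trader == user:
            raise WorkflowViolation("separation of duties: cannot self-approve")
        self._transition("approve", trade_id, user).approver = user

    def execute(self, trade_id: str, user: str) -> bool:
        self._transition("execute", trade_id, user)
        self.executed.append(trade_id)
        return True


def bypass_on_weak_desk() -> bool:
    """Trader submits and executes without any approval: succeeds (the flaw)."""
    desk = WeakTradeDesk()
    desk.submit("T1", "alice", 5_000_000)
    return desk.execute("T1", "alice")


def bypass_on_hardened_desk() -> str:
    """Same call sequence against the hardened desk: rejected."""
    desk = HardenedTradeDesk(ROLES)
    desk.submit("T1", "alice", 5_000_000)
    try:
        desk.execute("T1", "alice")
    except WorkflowViolation:
        return "blocked"
    return "executed"


def legitimate_flow() -> State:
    """Submit, manager approval, then execution: the only path to EXECUTED."""
    desk = HardenedTradeDesk(ROLES)
    desk.submit("T1", "alice", 5_000_000)
    desk.approve("T1", "bob")
    desk.execute("T1", "alice")
    return desk.trades["T1"].state


if __name__ == "__main__":
    print("weak desk bypass succeeded:", bypass_on_weak_desk())
    print("hardened desk bypass:", bypass_on_hardened_desk())
    print("legitimate flow ends in:", legitimate_flow().value)
```

The point a scanner cannot see is that both desks have an `approve` operation; only the hardened one makes execution depend on it. The check belongs on the server at each transition, keyed on the recorded state of the object and the authenticated caller's role, never on the order in which the client happens to call the operations.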
The net result is that the Top 10 educates people in exactly the opposite direction from the one we should be going in: it emphasises cookie-cutter approaches where proper consideration is required, and allows an industry to plod along with generic approaches to complex problems. But because the Top 10 is easy to consume, the AppSec industry clings to it like a crutch, struggling to walk when it should be learning to run.
It’s time OWASP officially retired the Top 10 in its current form, and started promoting security in context, to help end the crisis of context-less security that plagues many organisations today.