The top vulnerability remains ‘injection’, and cross-site scripting (XSS) is still there, four years on from the last update!
The Open Web Application Security Project (OWASP) has just updated its Top 10 list of web app vulnerabilities for the first time since 2013. Not much has actually changed. Given that Verizon’s Data Breach Investigations Report (DBIR) for 2017 also found that, of the 1,935 confirmed breaches analysed, some 571 had involved web app attacks, the seriousness of the OWASP list becomes clear.
Altogether this paints a rather sad picture of an industry that hasn’t learned its lessons. But is that portrait a fair representation of the web application development business? Is it really a case of developers refusing to smell the insecurity coffee, or is there something more complicated at work here?