High-Tech Bridge's CEO Ilia Kolochenko Comments on the New OWASP Top 10 List
The positioning and order of some flaws are somewhat subjective and may be debatable; however, the document properly reflects the overall state of affairs in web application security.
“Today it’s pretty difficult to make a one-size-fits-all rating for web vulnerabilities. For example, on [non-authenticated parts of] financial institution websites, XSS are much more frequent than injections. Authenticated parts of the same websites (i.e. where you need a login and password to enter) are usually prone to stored XSS, improper access controls and SQL injections, and less frequently to XXE or even more exotic LDAP injections. Using components with known vulnerabilities probably deserves a higher place in the rating; many people underestimate this tip of the iceberg. Some entries, like security misconfiguration, are probably too broad and may lead to confusion when detecting and remediating.
It's amusing and sad at the same time to see XSS in the list, a plague of web applications that has been around for almost fifteen years. XSS vulnerabilities are quite simple to prevent and detect; nonetheless, many web developers still carelessly push code riddled with XSSs into production. However, in our practice, we have to admit that XSS have become more and more complicated to detect: quite often they reside in parts of a web application that are almost inaccessible to automated crawlers, and thus remain undetected. HTML5, AJAX and SPAs overcomplicate web application architecture and cannot be reliably audited with old-school vulnerability scanners and automated tools. Flawed application business logic is probably the most complicated issue, as to detect such flaws one needs to understand the internal business processes of a company, and even bug bounties are unlikely ever to detect them.
While addressing OWASP Top 10 vulnerabilities and weaknesses, we should keep in mind that the very first and quintessentially important step in an application security strategy is comprehensive enumeration and inventory of corporate applications, including subdomains, APIs and Web Services. At High-Tech Bridge, we developed a free service that provides up-to-date and comprehensive application discovery and inventory to help companies and organizations. Without first properly identifying all your applications, any upcoming efforts may be in vain.”
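The comment above calls XSS "quite simple to prevent". The following is an added example, not code from the article or from High-Tech Bridge, showing the basic prevention it refers to: the same page fragment rendered with untrusted input concatenated straight into markup, and then with context-aware output encoding. The sample input, the `escapeHtml` helper and the `containsInjectedMarkup` check are constructed for this illustration.

```javascript
// Added example (not from the article): unsafe vs. encoded rendering of a
// user-supplied value into HTML, the classic reflected/stored XSS pattern.

// Encode for HTML text content and double-quoted attribute values.
// The five characters below are the ones that can break out of those contexts.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the untrusted "name" is interpolated into an attribute and into
// text without encoding, so markup inside it becomes part of the page.
function renderGreetingUnsafe(name) {
  return `<p data-user="${name}">Hello, ${name}!</p>`;
}

// Fixed: every interpolation point goes through the encoder. The template
// itself is the only source of tags and attribute boundaries.
function renderGreetingSafe(name) {
  const safe = escapeHtml(name);
  return `<p data-user="${safe}">Hello, ${safe}!</p>`;
}

// Simple detection check for tests: count the tags in the rendered output and
// compare with the number the template is known to emit (two here: <p>, </p>).
// Any difference means input leaked into the markup structure.
function containsInjectedMarkup(html, templateTagCount) {
  const tags = html.match(/<[a-zA-Z/][^>]*>/g) || [];
  return tags.length !== templateTagCount;
}

// Constructed sample input: a "name" containing markup metacharacters that
// close the attribute and open a new element.
const SAMPLE_NAME = 'Bob"><b>x</b>';

console.log('unsafe :', renderGreetingUnsafe(SAMPLE_NAME));
console.log('safe   :', renderGreetingSafe(SAMPLE_NAME));
console.log('injected (unsafe)?', containsInjectedMarkup(renderGreetingUnsafe(SAMPLE_NAME), 2));
console.log('injected (safe)?  ', containsInjectedMarkup(renderGreetingSafe(SAMPLE_NAME), 2));
```

The encoder covers HTML text and quoted-attribute contexts only; values placed into URLs, inline scripts or CSS need their own context-specific encoding.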