
OWASP Top 10: Beginning but Not the End

My company, Bionic, announced our platinum sponsorship of the OWASP Organization. Everybody knows that the OWASP Top 10 is the gold standard for application security, so I think this news is impressive. I have been in the application security industry for 17 years, and OWASP has been there with me every step of the way.

Something to think about

I think that the OWASP top 10 is excellent. It is backed by many brilliant people and is easy to understand. But is it the beginning, the end, and everything in between for application security?

If your organization focuses on the OWASP top 10, are you 100% secure? That is a difficult question to answer, but my opinion is “no.” OWASP Top 10 is a considerable part of application security, but it does not cover everything.

Poll Data that doesn’t support my thoughts

I typically run a poll each week on LinkedIn with different thoughts on application security. This past week I ran a poll that asked, “As an application security professional, what do you focus on most in your job?” and the responses backed up that the OWASP top 10 is what people focus on most. Well, that and educating developers on security. We will tackle that challenge later.

The poll results explained

Let’s look at the options other than OWASP Top 10 that people had the option to choose:

Educating Developers on Security:

This tied “Finding OWASP Top 10 Issues” in the polling, so it is a big deal and a primary focus of application security professionals. If we can teach developers how to code securely, we can prevent issues before they even exist. Educating developers on security is very important but a huge challenge.

Researching New Threats:

This option received the fewest votes, and I have a pretty good idea why the response to this option was so low. There is not enough time in the day or resources available to look for new things when so many security issues already need to be fixed. This is a very reactive approach to risk IMO, as you are constantly trying to put out fires rather than preventing fires in the first place.

Researching new AST products:

This option received more votes than researching new threats. Again, time and resources are always a challenge for application security teams, so they are looking for a solution to scale these limited resources and time constraints. Most AST tools only focus on one type of application security issue, such as code, running applications, APIs, or open-source components.

Why is the OWASP top 10 still 10?

The OWASP top 10 has been around for a long time. People have invested a ton of time, resources, and money in mitigating OWASP top 10 issues. The problem is that these issues continue to exist.

By now, you would think it would be an OWASP top 8 or even an OWASP top 5 as we have eradicated so many of these issues, but that is not the case. We continue as an industry to look at the vulnerabilities themselves and not the root causes on an architectural level.

What do you miss when you only focus on the OWASP top 10?

This is a very extensive list, so I will only focus on a few topics that immediately come to mind. These issues are just as crucial as OWASP top 10 type issues, but if you spend all your time looking at OWASP top 10 type issues, you will never find them.

Application Drift

If the architecture of your application changes and you do not know about it, you will continue to find OWASP top 10 issues. Run all the AST scanners you want against the source code or running application, and you will find issues.

But do you know what you are pointing these scanners at? How many services make up your application architecture, and how does the architecture change with aggressive CI/CD pipelines?

Security issues do not always have a structure

Most of the issues in the OWASP top 10 have a specific format and definition. But what about potential issues that may not be an issue today but could be tomorrow? I am talking about Zero Day type vulnerabilities that suddenly make secure applications insecure. Hello Log4Shell.

PII data is king

Most of the hacks we hear about focus on getting at PII data in some way, shape, or form. The types of issues that the OWASP top 10 calls out are all about getting to the data, not the data itself.

Think SQL Injection.

But do you know where all the PII data in your application is accessed from? Do you know every data flow, secure or insecure, that touches PII data? Do you know if services that have a critical CVE and are internet-facing are accessing PII data?
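The questions raised under Application Drift and PII data is king can be turned into checks. The following is an added illustration, not code from this post or from Bionic: it diffs two constructed architecture inventory snapshots for drift (new services, new data flows) and flags internet-facing services that carry a critical CVE and whose call paths reach PII. The `Service` model, service names, severities and both snapshots are made up for the example.

```python
from typing import NamedTuple

class Service(NamedTuple):
    """One service in an inventory snapshot (constructed model, not a real API)."""
    name: str
    internet_facing: bool
    touches_pii: bool
    max_cve_severity: str           # "none" | "low" | "medium" | "high" | "critical"
    calls: frozenset = frozenset()  # downstream services it sends data to

def drift(before: dict, after: dict) -> dict:
    """Diff two snapshots: services added/removed and data flows that are new."""
    new_flows = sorted(
        (src, dst) for src, svc in after.items()
        for dst in svc.calls - (before[src].calls if src in before else frozenset())
    )
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "new_flows": new_flows}

def pii_reachable_from(inventory: dict, start: str) -> set:
    """PII-touching services reachable by following call edges from `start`."""
    seen, stack, hits = set(), [start], set()
    while stack:
        name = stack.pop()
        if name in seen or name not in inventory:
            continue
        seen.add(name)
        if inventory[name].touches_pii:
            hits.add(name)
        stack.extend(inventory[name].calls)
    return hits

def high_risk(inventory: dict) -> list:
    """Internet-facing services carrying a critical CVE that can reach PII."""
    return sorted(
        svc.name for svc in inventory.values()
        if svc.internet_facing and svc.max_cve_severity == "critical"
        and pii_reachable_from(inventory, svc.name)
    )

# Constructed snapshots: a release adds "search", and a new critical CVE
# lands on "web" (a Log4Shell-style event; every value here is made up).
BEFORE = {
    "web":    Service("web", True, False, "high", frozenset({"orders"})),
    "orders": Service("orders", False, True, "medium", frozenset({"db"})),
    "db":     Service("db", False, True, "none"),
}
AFTER = {**BEFORE, "web": Service("web", True, False, "critical", frozenset({"orders"})),
         "search": Service("search", True, False, "critical", frozenset({"orders"}))}
```

Running `drift(BEFORE, AFTER)` reports the new `search` service and its new flow into the PII path, and `high_risk(AFTER)` flags both `search` and `web`, neither of which a scanner pointed only at the old inventory would have surfaced.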

So how do we help with OWASP top 10 overload?

As an industry, we need to better understand the application architectures we are trying to secure. No matter what *AST technology you point at an application, you will find some security risk. So instead of just teaching developers to code more securely, why don’t we focus on architecting applications more securely?

Not only architect them securely from the start but continuously monitor them for application and architectural risk and drift. This is Application Security Posture Management.

Final Thoughts

The OWASP top 10 is a fantastic resource and helps organizations prioritize the remediation of the findings they are getting from their AST tooling.

Application Security Posture Management helps minimize the number of results in the first place by giving app sec teams a holistic understanding of the applications they are trying to secure. ASPM makes EVERY *AST tool better, as it supplies context that would otherwise be unknown.

ASPM and the OWASP top 10 is like Batman and Robin – A dynamic duo.
