When an industry leader updates their flagship product, the technology community pays attention. Any time Apple updates the iPhone, the tech media buzzes for months. When Microsoft announced plans to update the Xbox, the gaming world debated ad nauseam what could happen. For web security, the Open Web Application Security Project (OWASP) Top Ten Project is up for a revamp, and it has the community on edge.
OWASP Updates
In what is becoming an unofficial once-every-three-years tradition, OWASP is updating the Top Ten web application security issues for 2013. OWASP is supplied with datasets of discovered vulnerabilities in web applications from a variety of industry firms such as Veracode, WhiteHat Security and Trustwave. In 2004 and 2007 the list primarily reflected the prevalence of discovered flaws in these datasets. In 2010, OWASP emphasized consideration for both the severity of exploitation and the likelihood of exploitation. This combination of severity and likelihood, or risk, provides a more realistic view of what represents a true threat and aligns with Anitian’s practical, pragmatic approach to security. This was, in our opinion, a big step forward for web security.
OWASP Top Ten 2013
The changes in the 2013 version of the list are far more evolutionary than revolutionary.
The rise of HTML5 and the decline of Flash have brought no fundamental changes to the web application field. The list shows some simple reordering of categories as the frequency and perceived risk of each category have changed in the past three years.
The Insecure Cryptographic Storage and Insufficient Transport Layer Protection entries were combined to create a new number six position titled Sensitive Data Exposure. This unifies the protection of data both at rest (storage) and in motion (transport).
Using Known Vulnerable Components is a new entry in the number nine slot. It is a breakout from the previously existing Security Misconfiguration entry. It earned a spot of its own to highlight the increased use of pre-canned modules and packages, compounded by the failure to keep these components updated.
Contentious Number 9
However, this number nine entry has proven to be the most contentious change in this edition. With the release of the finalized 2013 list expected before the end of May, the OWASP mailing lists are filled with heated debate.
Some argue that A9 Using Known Vulnerable Components should be excluded because the vendors of these components will suffer reputational damage rather than the person or group who actually implemented the component. Another aspect of this argument is that these third-party components are part of the deployment process and not part of the actual development environment.
From our perspective, these arguments are just splitting hairs. Web application security does not occur in a vacuum. Insecure third-party components are an increasingly serious problem and deserve attention on the list. Whether it is a poorly designed component or a poorly implemented version of a component, it is still a serious security problem and it still demands attention.
Conclusion
While some of OWASP’s other projects such as their Application Security Verification Standard provide a deeper and more comprehensive look at web application security, the OWASP Top Ten list is likely to continue being a leading application security reference. Most of the changes for 2013 are minor, with the notable exception of A9.
Regardless of the outcome, now is the time to start updating development lifecycle testing to prepare for the new 2013 OWASP Top Ten.
Anitian – Intelligent Information Security. For more information, please visit www.anitian.com