OWASP Top 10 – Still The Same After a Decade

The year is closing and its now time to reflect back on the hot mess that was 2020. The only thing missing so far is having Umbrella Corp handing out the COVID vaccine and kicking off the zombie apocalypse. We have survived fires, earth quakes, volcanoes, floods, murder hornets, giant globe spanning dust storms and a plague of locusts.

One of the things I keep coming back to is the OWASP Top 10 list. Sadly, it has changed little in the last decade, largely because of crappy programming practices. I will post screen grabs of the 2010 and 2020 Top 10 so you can see what I mean. A few things have moved around but injections are still at the top of the list. Given how easy it is code better than this, I find this inexcusable. For the 10 millionth time, sanitize your inputs people. Its literally 5 extra lines of code, if that. I have a whole blog post on how to do it.

Broken authentication is now in the number 2 spot, up from number 3 in the earlier version. Cross Site Scripting is now in the number 7 spot. We know how to not do these things so I am puzzled as to why this is not defacto included in software specifications.


Leave a Reply

Your email address will not be published. Required fields are marked *