Yes, the OWASP 2017 is coming but that doesn't mean it's your bible.
Finally OWASP is performing a revamp of the Top 10 web-vulnerabilities as per the inputs received from the community. For the first time the OWASP community have also shared the inputs received from different Security consulting/ services firms. Reading through the list, it gives a good idea on what kind of vulnerabilities are more common in the industry, and the ones where the attacks have declined!
The key changes released with the current release candidate (2017 rc1) version of OWASP Top 10 are,
Merging of categories:
- A4/2013 + A7/2013 = A4/2017
Insecure Direct Object References & Missing Functional Level Access Control are merged in as Broken Access Control in the current release candidate.
It was split in two categories in 2007 to stress the importance of each control. Now, with the decline in such findings - it's time to unite them as one!
Addition of new category:
- 2017-A7: Insufficient Attack Prevention
Based on the data shared by the community/ companies, it's observed that companies lack basic capabilities to prevent, detect and respond to automated attacks like scripts, tools, brute-force, fuzzing etc. It will as well include provision to flag missing patches to prevent script kiddies lurking in the backyard.
- 2017-A10: Unprotected API(s)
There has been a fast transformation and applications are moving to the cloud. These are often accessed via rich application running on modern browsers, and mobile application (thin/ native). With an increase adoption of such API(s)like REST:JSON, SOAP:XML, RPC etc, the security is neglected. These API are often insecure, and contain vulnerabilities. This needs to be addressed, and hence brought into spotlight.
Deletion of a category:
- 2013-A10: Unvalidated Redirects and Forwards
This category has been removed from the current release candidate due to the fast decline in the findings.