An important update in the preliminary OWASP Top 10 – 2017 rc1 report is the new vulnerability category Insufficient Attack Detection and Prevention, which calls for proactive security mechanisms and ongoing attack protection.
The Open Web Application Security Project (OWASP) is an independent non-profit foundation dedicated to enabling organizations to develop, purchase, and maintain secure applications and APIs that can be trusted. Among its most important work is the internationally acclaimed OWASP Top 10 report, which aims to raise awareness about application security by identifying some of the most critical risks facing organizations. In April 2017, OWASP released the preliminary version of the report; the final report is planned for July or August 2017, after a public comment period ending on June 30, 2017.
Key new vulnerability: Insufficient Attack Protection
Our security experts reviewed the draft version of the report and recognized the new vulnerability category A7 – Insufficient Attack Protection as especially important, since it emphasizes the need for proactive attack mitigation (such as web application vulnerability scanning and the detection of code injection attempts). In addition, OWASP recommends further techniques for protecting this high-risk area, such as implementing threat detection mechanisms, virtual patching, and deploying a Web Application Firewall (WAF).
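As an added illustration of the "threat detection" side of A7 (example code written for this post, not from OWASP or from the report), the following Python snippet shows the kind of mechanism the category asks for: an application that notices a burst of requests rejected by its own validation or authorization checks, records a security event, and stops serving that client instead of silently letting the probing continue. The log format, the policy of three rejections per minute, and the client addresses are constructed assumptions, not values from the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Hypothetical policy (an assumption for this example): a client whose requests are
# rejected THRESHOLD times within WINDOW is treated as an attack in progress and blocked.
THRESHOLD = 3
WINDOW = timedelta(minutes=1)

# Statuses that mean "the application's own checks rejected this request":
# 400 = input failed validation, 403 = authorization denied.
REJECTED = {400, 403}

# Constructed sample access log (timestamp, client IP, path, status); not real traffic.
SAMPLE_LOG = """\
2017-05-02T10:00:01 203.0.113.5 /search 200
2017-05-02T10:00:02 203.0.113.5 /search 400
2017-05-02T10:00:03 203.0.113.5 /search 400
2017-05-02T10:00:04 198.51.100.9 /search 200
2017-05-02T10:00:05 203.0.113.5 /admin 403
2017-05-02T10:00:07 203.0.113.5 /search 200
2017-05-02T10:00:30 198.51.100.9 /admin 403
2017-05-02T10:02:00 198.51.100.9 /admin 403
2017-05-02T10:02:10 198.51.100.9 /admin 403
"""


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one constructed log line into (timestamp, client ip, path, status)."""
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


class AttackDetector:
    """Sliding-window count of rejected requests per client, with automatic blocking.

    This is the 'detect and respond' behaviour A7 calls for: rejections are not just
    returned to the client one by one, they are correlated and acted upon.
    """

    def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> None:
        self.threshold = threshold
        self.window = window
        self.rejections: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked: Set[str] = set()
        self.events: List[str] = []  # security log entries for the operations team

    def observe(self, ts: datetime, ip: str, path: str, status: int) -> str:
        """Return the decision for one request: allowed, block-triggered or blocked."""
        if ip in self.blocked:
            # Already identified as an attacker: refuse further requests outright.
            return "blocked"
        if status not in REJECTED:
            return "allowed"
        window = self.rejections[ip]
        window.append(ts)
        # Drop rejections that fell out of the sliding window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.blocked.add(ip)
            self.events.append(
                f"{ts.isoformat()} BLOCK {ip}: {len(window)} rejected requests "
                f"within {self.window}, last path {path}"
            )
            return "block-triggered"
        return "allowed"


def run_detector(log_text: str) -> Tuple[List[str], Set[str]]:
    """Replay a log through the detector; return per-line decisions and blocked clients."""
    detector = AttackDetector()
    decisions = [detector.observe(*parse_line(line)) for line in log_text.splitlines() if line]
    return decisions, detector.blocked


if __name__ == "__main__":
    decisions, blocked = run_detector(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:16} {line}")
    print("blocked clients:", sorted(blocked))
```

In the sample, 203.0.113.5 collects three rejections within four seconds and is blocked on the third, so its next (otherwise valid) request is refused; 198.51.100.9 also triggers three rejections, but spread over more than a minute, so the window evicts the oldest one and the client is never blocked. The point of the second client is the caveat that matters in production: the threshold and window decide both how quickly an attacker is stopped and how easily a clumsy but legitimate user is locked out, and the block events need to reach the people who can review them.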