The latest edition of the OWASP Top 10 for web applications was in 2013, and for mobile applications it is 2016. Why is this so?
Can we say that the pattern in web application vulnerabilities is settled? Will the same thing happen to mobile-based applications?
Why OWASP Top 10 (web application) hasn't changed since 2013 but Mobile Top 10 is as recent as 2016?
4 Answers
The reason for the delay is that there has been little change in the Web T10. As stated by Dave Wichers, the Web T10 project lead, on 30 June 2015:
Historically, we've produced a new OWASP Top 10 every 3 years because this seems to balance the tempo of change in the AppSec market, all the work everyone does to map their tool/process/other thing to each version of the OWASP Top 10, and the effort required to produce it. We've been producing a new one every three years since 2004 (i.e., 2007/2010/2013), and so a new version for 2016 is due. (Definitely not happening in 2015).
However, we've been thinking about what might change in a 2016 release of the Top 10 and we don't actually think it would change much, if at all, which is kind of sad actually. I suspect some Top 10 items might move up or down based on the vulnerability prevalence statistics that we would need to gather and process, but I have my doubts that any new vulnerability types would break into the Top 10.
As such, given that we don't expect the list to actually change in any substantial way, the project has decided to defer the next update to a 2017 release.
This table from the 2013 T10 Release Notes demonstrates the small change: The changes were largely due to rethinking how to categorize the raw data, not due to significant changes in the data.
Some have postulated that the level of effort for creating the T10 was a factor for delaying it. While it is a lot of work, I do not think that was a major factor. The Web T10 is OWASP's most recognized project and always has lots of volunteers (I contributed to the 2007, 2010, and 2013 ones).
Speculating as to whether the same thing will happen for mobile applications, I do not think that is likely in the near future. Mobile technology is still in its infancy and subject to rapid change.
Please note that the OWASP Top 10 was updated in 2017.
I wrote about it at The OWASP Top 10: 2013 vs. 2017.
tldr:
Three new risks were added this year: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring.
Two items were removed from this year’s top 10: Cross-Site Request Forgeries (CSRFs) and Unvalidated Redirects and Forwards.
Two risks from the 2013 report (Insecure Direct Object References and Missing Function Level Access Control) were merged into a single risk: Broken Access Control.
They don't update it every year, and it's done by volunteers in their spare time, so updates can be slow as it's very comprehensive and takes a lot of work. However, they are currently working on updating it this year and are asking for people to submit data towards it.
The OWASP Top 10 project is launching its effort to update the Top 10 again. The current version was released in 2013, so this update is expected to be the 2016 or more likely 2017 release. This time around, we are making an open data call so any organization with a broad set of application vulnerability statistics can contribute their data to the project. To make it easier for the project to consume this contributed data, we are requesting it be provided via a Google form. DEADLINE: Data must be submitted by July 20, 2016.
OWASP TOP 10 site accessed 13th July 2016
The reason the Mobile Top Ten is up to date is because it's a new addition compared to the OWASP Top 10 project, which has been running since 2003/2004, when mobile security really wasn't what it is today.
Why no update?
I'm not sure, but likely there was no need, or too much discussion in the OWASP community, to be able to update the web Top 10 list from 2013. Also, the mobile world has been evolving rapidly in recent years; probably that's why different vulnerabilities and needs arise, and so the (mobile) security industry had to develop faster along with the mobile industry's developments.
History of OWASP top 10
The first OWASP (web) top 10 list was published in 2003 and in 2004 a new list followed. Then in 2007, 2010 and 2013 new lists were released.
In 2013 the first Mobile Top 10 was created, and it became final in 2014. As far as I know, in 2015 only a new mobile top ten analysis was done, but it didn't result in a final list. The Mobile Top 10 2016 that you referred to is currently a release candidate document.
Developments
The Open Web Application Security Project (OWASP) is actually working on an OWASP Top 10 2016 currently. Suggestions can still be submitted until July 20, 2016. Source: owasp.org.