Yeah, this is neat looking, but there is nothing resembling the rigor or even simple empiricism baked into the OWASP Top 10 to enable this kind of visualization. The Top 10 is ultimately a marketing mechanism for web software security. That's not a bad thing! Web software security can use all the marketing help it can get. But, regardless of what anyone at OWASP says about this, I don't think there's much validity either to the way it buckets vulnerabilities into these categories, or the way it "prioritizes" them.<p>Earlier, regarding this year's Top 10:<p><a href="https://news.ycombinator.com/item?id=28470955" rel="nofollow">https://news.ycombinator.com/item?id=28470955</a>
I'm not sure how useful this is as is; over the years they've bundled/unbundled terms, which this doesn't capture. "(Insecure) Design" @#4 arguably applies to many of the other top 10 (but is rightfully separated because of how often it comes up?). "(Software and Data) Integrity (Failures)" @#8 includes what was called insecure deserialization (also @#8).
Disclaimer: I am the co-founder of Cerbos<p>Broken access control becoming the number one issue is no surprise. We have faced this so many times when building enterprise SaaS software and having to go through ISO certifications.<p>We believe re-invention of the access control wheel causes these problems at every software company because there are no good standards to start from. With Cerbos we try to address this issue in the market.<p>We wrote about this issue and how we can help solve it on our blog a few weeks ago. <a href="https://cerbos.dev/blog/broken-access-control-is-the-1-issue-in-owasp-2021-top-10" rel="nofollow">https://cerbos.dev/blog/broken-access-control-is-the-1-issue...</a>
By and large, your average developer hasn't really come a long way in writing more secure code and avoiding common decades-old vulnerabilities. However, what <i>has</i> changed is that more people are using frameworks such as Angular, Vue and React, whereby they gain some of the protection those frameworks offer.<p>Though obviously there is still some shared responsibility and it's no panacea, it has had a noticeable impact on the ordering of the OWASP list.
Friendly reminder that this is about frequency, as opposed to severity. 'Cryptographic Failures' is everything from theoretical vulnerabilities which require millions of dollars to exploit, through to systems with no encryption whatsoever. Granted, both should be fixed, but the latter is of far more real-world consequence under most threat models.<p>My personal and current recommendation for developers is to focus on sane authorisation models - I commonly see direct-object type vulnerabilities related to cross-user/organisational access where the user is the correct role / privilege level to access a resource, but has no association with the record owner. An example of this would be a multi-tenant web store where an admin for the EvilCorp entity can modify products belonging to InnocentPtyLtd.<p>I also suspect poorly configured CORS policies might be in the top 10 in a few years' time due to situations where SPA apps (which will inevitably use JWT) and traditional cookie apps are hosted using similar configs, resulting in the latter being vulnerable to CSRF-type attacks.
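The cross-tenant authorisation gap described in the comment above, as an added example that is not part of the thread: a role-only check shown beside one that also requires the caller's tenant to match the record owner. The tenant names follow the comment; the user/product data model, the sample records and the function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str      # "admin" or "staff"
    tenant: str    # organisation the user belongs to


@dataclass(frozen=True)
class Product:
    sku: str
    owner_tenant: str   # organisation that owns the record


# Constructed sample data modelled on the comment's scenario.
USERS = {
    "mallory": User("mallory", "admin", "EvilCorp"),
    "alice": User("alice", "admin", "InnocentPtyLtd"),
    "bob": User("bob", "staff", "InnocentPtyLtd"),
}
PRODUCTS = {
    "WIDGET-1": Product("WIDGET-1", "InnocentPtyLtd"),
}


def can_modify_role_only(user: User, product: Product) -> bool:
    """Vulnerable: only the role is checked, so an admin of any tenant
    passes. This is the cross-tenant direct-object issue the comment describes."""
    return user.role == "admin"


def can_modify(user: User, product: Product) -> bool:
    """Hardened: the role AND an association with the record owner are
    both required. Deny by default; the tenant comparison closes the gap."""
    if user.role != "admin":
        return False
    return user.tenant == product.owner_tenant


def update_product(user_name: str, sku: str, check=can_modify) -> str:
    """Handler-style wrapper: resolves identifiers, applies the chosen
    authorisation check and returns an outcome string for inspection."""
    user = USERS.get(user_name)
    product = PRODUCTS.get(sku)
    if user is None or product is None:
        return "not_found"
    if not check(user, product):
        return "forbidden"
    return "updated"
```

Running `update_product("mallory", "WIDGET-1", can_modify_role_only)` returns "updated" (the bug), while the default check returns "forbidden" for the same request.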
OWASP Top 10 is subjective to a certain extent, because it is consensus-based. At the same time, it is very useful to most developers and pen testers (and security tool makers), in preparing a list of vulnerabilities to check for. Consider it as a starting point.<p>With cloud platforms rising in popularity, the top two rising to those spots is not surprising. From a cursory glance, they seem to have added more scenarios under those two as well.
While access control is now top of the list this year, a SAML integration to Flourish Studio is only available in the enterprise plan (for pricing, contact them).<p>This is probably why access control is number 1.<p>SAML and MFA should be available for all plans. Secure access should not be gated just to the expensive plans.<p>Disclaimer: I was involved in the design of the MFA and SAML integration UX for saas pass.