The new release of the OWASP Top 10 list is out for public comment from the Open Web Application Security Project, and while most of it remains the same there are a couple of new additions, focusing on protections for web applications and APIs.
To make room for the new items, a couple of older ones were either removed or merged into new items.
The fact that the list hasn't changed much since its first release in 2003 is both good and bad, said Jeff Williams, CTO and co-founder at Contrast Security.
Williams worked on the first OWASP Top 10, and was the chair of OWASP from 2003 to 2011.
"It's good that the threats aren't changing that much," he said. "If they were changing dramatically, it would be a lot harder to keep up. This is like the devil we know."
On the other hand, the list also shows that companies are having problems dealing with the most basic of problems.
"It's still amazing to me that we're still struggling with SQL injections and cross-site scripting," he said. "We should be able to stamp them out, but we're not. We're not making any progress at all."
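The two bug classes named in that quote, SQL injection and cross-site scripting, are both solved by separating untrusted data from code. The following is an added example (it is not part of the article or of any OWASP material): it puts a vulnerable query and a vulnerable HTML template next to their hardened forms, using a constructed in-memory SQLite table and a constructed probe input so the difference can be observed offline. The function names and sample rows are assumptions made for the illustration.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the demo: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <admin>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the caller's input is spliced into the SQL text, so a quote
    # character in the input ends the literal and the rest becomes SQL logic.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the driver binds the value separately from the statement, so
    # the input is only ever compared as data and can never alter the query.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting_vulnerable(display_name: str) -> str:
    # Vulnerable: untrusted text is interpolated straight into an HTML page,
    # so any markup it contains is interpreted by the browser.
    return f"<p>Hello, {display_name}</p>"


def render_greeting_escaped(display_name: str) -> str:
    # Hardened: contextual output encoding for an HTML text node turns the
    # markup characters into entities, so the browser renders them as text.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    # Constructed probe: the classic tautology used in defensive test suites.
    probe = "' OR '1'='1"
    print("vulnerable lookup:    ", lookup_vulnerable(conn, probe))   # every row
    print("parameterized lookup: ", lookup_parameterized(conn, probe))  # no rows
    name = conn.execute("SELECT display_name FROM users WHERE username = 'bob'").fetchone()[0]
    print("vulnerable render:    ", render_greeting_vulnerable(name))
    print("escaped render:       ", render_greeting_escaped(name))
```

The point of running both versions side by side is that the fix is not input filtering: the parameterized query and the output-encoded template accept exactly the same strings as the vulnerable ones, they just never let those strings change the structure of the SQL or the HTML.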
This edition of the list is based on new research, with data from more than 40 industry partners, covering more than 50,000 applications and a total of 2.3 million vulnerabilities.
"On average, across all the 50,000 applications that were part of...