The OWASP Top 10 is killing me, and killing you!

Found on Hewlett Packard Enterprise on Sunday, 29 October 2017

Software developers and testers must be sick of hearing security nuts rant, "Beware SQL injection! Monitor for cross-site scripting! Watch for hijacked session credentials!" I suspect the developers tune us out. Why? Because we've been raving about the same defects for most of their careers. Truth is, though, the same set of major security vulnerabilities persists year after year, decade after decade.

It's sad that eight out of 10 of the issues from 2013 are still top security issues in 2017. In fact, if you consider that the draft 2017 list combined two of the 2013 items, it's actually nine out of 10. Ouch.

It's a combination of different reasons. Developers with increasing experience, who would avoid those pitfalls, move up the ladder and don't actually develop actively anymore, but instead try to manage a group of inexperienced newbies who are cheaper, but make those mistakes again. Next, there is the reliance on frameworks. Projects today quickly end up in dependency hell because the developers just pull in code from a third party that is neither monitored nor validated, which can lead to massive problems that should not exist in the first place. Finally, let's not forget about deadlines. Security has always been a neglected child, because the difference between a secure frontend and a Swiss-cheese one is not really obvious during presentations; and when competitor A does it in half the time (and price) of competitor B, the customer will pick the cheaper solution.