Security Top 10

Use case of Security Top 10 and Custom TOP N for your needs

The Taj Mahal is one of the Seven Wonders of the World; in other words, it sits on a Top 7 list. In the same way, in security we are familiar with the OWASP Top 10, the SANS Top 25 and other Top 10 lists. The question is whether we actually understand the use case of these Top 10s. A Top 10 is the top 10 out of some larger number of risks/vulnerabilities an application can have. What about a custom Top 10 of security issues? Is it worth it?

Importance of Top 10

  1. Eliminate the risk/root cause behind each entry of the Top 10. Create your own custom Top N based on what is most impactful for your organisation and strive to eliminate those items rather than merely managing them.

  2. Benchmarking results against open-source and paid vendor tool results.

  3. Most security engineer interviews are based on a Security Top 10, so knowing the OWASP Top 10 is the bare minimum for a candidate to pass the interview. But learning should not stop at the Security Top 10s.

  4. A vendor should cover the Top 10 as a bare minimum and go above and beyond it. That is one of the reasons a vendor keeps a security research team: to uncover new vulnerabilities/risks and update its security product.

  5. Never use it for prioritising vulnerabilities. There are better frameworks for that, such as the SSVC prioritisation framework.

I am taking the well-known OWASP Top 10 Web Application Security Risks as the starting point. The image below shows how the OWASP Top 10 has changed since its inception.

If you look at the progress of the OWASP Top 10 from 2003 to 2021, it is a mixed bag of symptoms and root causes. The OWASP Top 10 has shifted towards root causes rather than symptoms (individual vulnerabilities).

OWASP collects data through its data survey and ranks categories based on the factors below, which are described on the OWASP Top 10 page:

  1. CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.

  2. Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that org for that year.

  3. (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.

  4. Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.

  5. Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.

  6. Total Occurrences: Total number of applications found to have the CWEs mapped to a category.

  7. Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.

From the above factors, the ranking is based on the frequency and impact that OWASP has observed. How the OWASP Top 10 is used, and how reliable it is, is captured below. The OWASP Top 10 is the bare minimum to safeguard against; go beyond the Top 10 to gain real confidence.

Usage of Top 10

Custom Top N list

Though the OWASP Top 10 is based on frequency and impact, it lacks the context of your environment, and that is where a Custom Top N fills the gap. A Custom Top N list is the OWASP Top 10 tailored to your product and business needs. For example, if you have a team with limited bandwidth, the OWASP Cloud Native Top 10 may work better for you than the OWASP Top 10, and that becomes your Custom Top 10: a mix of the application security and cloud security Top 10s.

In vulnerability management, categorising identified bugs gives insight into which class of bug causes the most impact and occurs most often, which helps drive those risks to elimination. Categorisation should be based on CWE. Collecting the CWE categorisation and mapping it to the Security Top 10s gives you good insights. Your Custom Top N can then concentrate on the number of times the SLA has been breached and the impact of the root cause, to drive those classes to closure.

CWE provides the CWSS and CWRAF frameworks for creating your custom Top N list. The use case of the custom Top N list is to eliminate the classes of bugs that can be deadly for your business.
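The ranking factors listed above (Total Occurrences, Incidence Rate, impact) and the Custom Top N idea (SLA breaches weighted by root-cause impact) can both be computed from the same CWE-categorised findings. The script below is an added example written for this article, not code from OWASP or from the author. The findings, the tested-application list and the remediation SLA flags are constructed sample data, and the CWE-to-category table is an abbreviated, illustrative subset of the OWASP Top 10 2021 mapping. It aggregates findings per category, then ranks them two ways: an OWASP-style frequency-times-impact score and a custom SLA-breaches-times-impact score, so you can see the two lists diverge on the same data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from a scanner or pentest report."""
    app: str            # application the finding was raised against
    cwe: int            # CWE id the finding was categorised under
    impact: float       # CVSS-style impact sub-score on a 0-10 scale
    sla_breached: bool  # True if the finding stayed open past its remediation SLA


# Constructed sample data (hypothetical, not taken from the article).
FINDINGS = [
    Finding("billing", 89, 9.0, True),
    Finding("billing", 79, 5.5, False),
    Finding("billing", 22, 7.0, True),
    Finding("portal", 79, 6.0, True),
    Finding("portal", 287, 8.5, True),
    Finding("portal", 798, 9.0, False),
    Finding("api", 89, 9.5, True),
    Finding("api", 502, 9.0, False),
    Finding("api", 79, 4.0, False),
    Finding("admin", 22, 7.5, False),
    Finding("admin", 311, 6.5, True),
]
# Every application that was tested, including "reports" which had no findings:
# the incidence-rate denominator is the tested population, not the apps with bugs.
APPS_TESTED = frozenset({"billing", "portal", "api", "admin", "reports"})

# Abbreviated CWE -> OWASP Top 10 2021 category mapping (illustrative subset only;
# the full mapping is published on the OWASP Top 10 site).
CWE_TO_CATEGORY = {
    22: "A01 Broken Access Control",
    311: "A02 Cryptographic Failures",
    79: "A03 Injection",
    89: "A03 Injection",
    287: "A07 Identification and Authentication Failures",
    798: "A07 Identification and Authentication Failures",
    502: "A08 Software and Data Integrity Failures",
}


def category_of(finding, cwe_map=CWE_TO_CATEGORY):
    """Map a finding to its Top 10 category; unmapped CWEs stay visible rather than vanish."""
    return cwe_map.get(finding.cwe, f"Unmapped CWE-{finding.cwe}")


def summarise(findings, apps_tested, group_by=category_of):
    """Aggregate findings per group into the frequency/impact factors used for ranking."""
    acc = defaultdict(lambda: {"occurrences": 0, "apps": set(),
                               "sla_breaches": 0, "impact_sum": 0.0})
    for f in findings:
        s = acc[group_by(f)]
        s["occurrences"] += 1          # Total Occurrences
        s["apps"].add(f.app)           # distinct vulnerable apps, for Incidence Rate
        s["sla_breaches"] += int(f.sla_breached)
        s["impact_sum"] += f.impact
    rows = {}
    for group, s in acc.items():
        rows[group] = {
            "occurrences": s["occurrences"],
            "incidence_rate": len(s["apps"]) / len(apps_tested),
            "sla_breaches": s["sla_breaches"],
            "avg_impact": s["impact_sum"] / s["occurrences"],
        }
    return rows


def frequency_impact_score(row):
    """OWASP-style: how widespread the class is, weighted by its impact."""
    return row["incidence_rate"] * row["avg_impact"]


def sla_impact_score(row):
    """Custom Top N: how often the class overruns its SLA, weighted by impact."""
    return row["sla_breaches"] * row["avg_impact"]


def top_n(rows, n, score):
    """Return the n highest-scoring groups, highest first (ties broken by name)."""
    return sorted(rows, key=lambda g: (-score(rows[g]), g))[:n]


if __name__ == "__main__":
    rows = summarise(FINDINGS, APPS_TESTED)
    for label, score in (("frequency x impact", frequency_impact_score),
                         ("SLA breaches x impact", sla_impact_score)):
        print(f"Top 3 by {label}:")
        for g in top_n(rows, 3, score):
            r = rows[g]
            print(f"  {g}: occurrences={r['occurrences']} "
                  f"incidence={r['incidence_rate']:.0%} "
                  f"sla_breaches={r['sla_breaches']} avg_impact={r['avg_impact']:.2f}")
```

On the sample data both rankings put Injection first, but the second and third places differ: the frequency view surfaces Broken Access Control and Data Integrity, while the SLA view surfaces Identification and Authentication Failures, the class your team is actually failing to close on time. Swapping `group_by` for a function that returns `finding.cwe` gives the same report at CWE (base) level instead of category level.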

Where is the full list of Web Application Bugs?

CWE is organised into pillars, classes and bases. Pillars are the top-level categorisations, such as the list of software weaknesses and the list of hardware weaknesses. A class is a category of one or more individual weaknesses. A base is an individual weakness. The CWE-1003 pillar contains the full list of software-based CWE.

Can we use the Top 10 for prioritising vulnerabilities?

A decade ago the Top N was used for prioritising vulnerabilities: concentrate on the vulnerabilities in the Top N and prioritise their fixes. But that is a false hope. We have to prioritise all bugs that have a critical impact on the business. An XSS can be critical depending on the nature of the application; an injection can be merely informational depending on the nature of the application. Rather than using the Top N to prioritise which vulnerabilities to fix, we have to focus on eliminating the Top N classes altogether, which is where the real value of a Custom Top N lies.
