Fetching contributors…
Cannot retrieve contributors at this time
67 lines (49 sloc) 3.17 KB
layout title type owasp-project track technology related-to status when-day when-time location organizers participants outcomes
Sign Ceremony for Owasp Top 10 2017
Owasp Top 10 2017
Dave Wichers

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.


Given the controversy and comments made on the new version of the OWASP Top 10 2017, it is critical that after all the Summit's Working Sessions, participants (both at the Summit and attending remotely) can agree on the final version of the OWASP Top 10 2017, and provide 'on the record' support by signing it.


  • Sign the OWASP Top 10 2017 version


This Working Session will result in a finalized and signed version of OWASP Top 10 2017.


The target audience for this Working Session is:

  • OWASP Top 10 2017 Authors and Contributors
  • OWASP Community and Industry
  • Product/Service vendors
  • Organisations that recommend the use of OWASP Top 10

Working materials

OWASP Top 10 2017 Release Candidate OWASP Top Ten Project


The release candidate for public comment was published 10 April 2017 and can be downloaded on the link provided in the Working Materials above.

This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the importance of application security risks. This release follows the 2013 update, whose main change was the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013 Top 10 release, a whole ecosystem of both free and commercial tools have emerged to help combat this problem as the use of open source components has continued to rapidly expand across practically every programming language. The data also suggests the use of known vulnerable components is still prevalent, but not as widespread as before. We believe the awareness of this issue the Top 10 - 2013 generated has contributed to both of these changes.

We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks include automatic CSRF defenses which has significantly contributed to its decline in prevalence, along with much higher awareness with developers that they must protect against such attacks.

For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are: A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control (As it was in 2004) A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Attack Protection (NEW) A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Underprotected APIs (NEW)