All this chatter doesn't come as a surprise to me or to others who have been long-time participants in the application security space. I would argue that the relative constancy of the top 10 (or at least the top 5) can be interpreted in one of two ways: it's either an indicator of poor development practices, or a sign that we've gotten better at finding the top 5 security issues. Depending on the day, I can fall on either side.
One of the more interesting aspects of the latest top 10 is what's changed. The biggest change (and, depending on your involvement with the top 10, the most controversial) is the introduction of A9, Using Components with Known Vulnerabilities. This seems like a no-brainer, and some may argue that it is so basic that it doesn't even belong on the list. But the reality is that most people are unaware they are using components with known vulnerabilities, because few teams keep an inventory of the libraries their builds actually pull in, transitive dependencies included, let alone check that inventory against published advisories. Basic blocking and tackling is missing from many secure development initiatives - trust me, I've seen how rarely this is a focus.
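To make the A9 check concrete, here is an added example (not code from the original post, and not Sonatype's tooling) of the minimum a team needs: an inventory of pinned components, including the transitive ones, matched against a list of affected version ranges. The lockfile, the package names and the EXAMPLE-2013-* advisory identifiers are all constructed for illustration; the version-range syntax is a simplified, assumed form rather than any specific feed's format.

```python
"""Check a dependency inventory against a list of known-vulnerable versions.

Constructed data only: the lockfile and the advisories below are made up
for illustration and are not real advisories, real versions or any
vendor's feed.
"""
import re

# Constructed lockfile in pip freeze style. Transitive dependencies are listed
# too, because that is where vulnerable components usually hide.
LOCKFILE = """\
# direct dependencies
webframework==2.1.0
templating==3.0.2
# pulled in transitively by webframework
serializer==1.4.9
httpclient==0.9.3
"""

# Constructed advisories: (package, affected range, fixed-in, identifier).
# A range is a comma-separated list of comparisons, all of which must hold.
ADVISORIES = [
    ("serializer", ">=1.4.0,<1.5.0", "1.5.0", "EXAMPLE-2013-0001"),
    ("httpclient", "<1.0.0", "1.0.0", "EXAMPLE-2013-0002"),
    ("webframework", ">=1.0,<2.0", "2.0.0", "EXAMPLE-2013-0003"),  # 2.1.0 is not affected
]


def parse_version(text):
    """Turn '1.4.9' into (1, 4, 9) so versions compare numerically, not lexically.

    Short versions are padded with zeros so '1.0' and '1.0.0' compare equal.
    """
    parts = tuple(int(part) for part in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_lockfile(text):
    """Return {name: version} for every 'name==version' line; comments are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}
# Two-character operators are listed first so '<=' is not read as '<'.
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([\d.]+)$")


def version_in_range(version, range_spec):
    """True when `version` satisfies every clause of e.g. '>=1.4.0,<1.5.0'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError("bad range clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_vulnerable(deps, advisories):
    """Return sorted (name, installed, advisory_id, fixed_in) for every match."""
    findings = []
    for name, affected, fixed_in, adv_id in advisories:
        installed = deps.get(name.lower())
        if installed is not None and version_in_range(installed, affected):
            findings.append((name, installed, adv_id, fixed_in))
    return sorted(findings)


def report(lockfile_text=LOCKFILE, advisories=ADVISORIES):
    """Run the check over the constructed inventory and advisory list."""
    return find_vulnerable(parse_lockfile(lockfile_text), advisories)


if __name__ == "__main__":
    for name, installed, adv_id, fixed_in in report():
        print("%s %s: %s, fixed in %s" % (name, installed, adv_id, fixed_in))
```

The two findings it produces are both transitive dependencies that never appear in the application's own dependency declaration, which is exactly why a check that only looks at direct dependencies leaves teams unaware of their exposure. A build gate would fail the pipeline when the returned list is non-empty.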
This discussion around security basics reminds me of the guidance my son's teacher gave his class on graduation day. My son, along with his 10- and 11-year-old classmates, was moving from grade school to middle school, and his grade school teacher spoke to the parents and kids about the need for good hygiene as the children mature. He reminded us of something obvious, but something that can be easily forgotten or overlooked. OWASP adding A9 to the Top 10 is the same kind of reminder - it's easy to take basic principles for granted, and sometimes we just need to be reminded.
Just like you don't want to start your day without good hygiene, you shouldn't start your application journey on a bad foundation. This is why I'm happy to see something so basic (on the surface) getting the attention it needs. Recognizing that vulnerable components should not be used is a good start to the security discussion. I am glad OWASP recognizes the need for basic hygiene.
Perhaps it's ironic that one of the world's best-known lists of web application vulnerabilities now includes language about not using components with known vulnerabilities. I would argue that not only is this one of the most important points on the list, it's a consideration that everyone should know about. I consider it a foundational element of any secure application development initiative.
I can share many lessons from my last decade focused on application security, but one of the biggest lessons I've learned is that security professionals can have a tremendous influence on developers, and it's not as difficult as you may think. It starts by delivering solutions that fit the "practice of the practitioner". What does this mean? It means that the tools we deliver as security professionals fit within the existing developer ecosystem: the build, the dependency manager, the repository and the IDE developers already use. Not only that, it means delivering the most needed functionality, scaled in a way that allows developers to use it effectively. Most security tools don't meet this requirement.
One of the benefits of working with Sonatype is that we understand modern software development; we aren't just another security company building security tools for security people. Sonatype has a strong passion for both security and development, and a mindset that ensures organizations don't leave the house without brushing their teeth!
We are a security company that absolutely understands the importance of A9 and good hygiene - do you?