
OWASP's Top 10 Security Risks Released in 2017

Original link:

https://sdtimes.com/app-development/owasp-releases-top-10-2017-security-risks/

Today I was looking online for the latest web application security risks published by OWASP, came across this article, and am reposting it here in translation.

The Open Web Application Security Project (OWASP) officially released its Top 10 most critical web application security risks. This is the first time the organization has updated the Top 10 since 2013.

“Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We’ve completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, rewritten each risk from the ground up, and added references to frameworks and languages that are now commonly used,” the OWASP wrote in the Top 10 2017.

According to the OWASP, some significant changes over the past couple of years that resulted in an update to the Top 10 include microservices, single page apps, and the dominance of JavaScript as a primary language on the web.

The Top 10 now consists of:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

XXE, insecure deserialization and insufficient logging and monitoring are new to the Top 10. Broken access control is a combination of 2013’s insecure direct object references and missing function level access control. In addition, the OWASP has removed unvalidated redirects and forwards, and cross-site request forgery from the Top 10.

“Why have CSRF and unvalidated redirects and forwards been removed? It’s time to move on. The data for these is no longer strong enough to warrant inclusion, especially when we only have 8 data supported spots with our new methodology, and these two items didn’t rank in the community survey. This is actually a sign of success; the fact that CSRF is finally going away is a sign that the OWASP Top 10 has been successful at its mission,” the OWASP wrote in a blog post.

The community survey, which received more than 500 responses, did agree on the inclusion of insecure deserialization and insufficient logging and monitoring, according to the OWASP. “These two items were obviously top of mind for many this year considering the era of the mega breach is not slowing down,” the OWASP wrote.

According to the OWASP, insecure deserialization leads to remote code execution, and insufficient logging and monitoring coupled with missing or weak integration results in hackers being able to attack systems and maintain persistence.
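The control that the deserialization point above calls for is an allowlist on what a deserializer is permitted to reconstruct. The following is an added example, not code from the article or from OWASP: a Python `pickle.Unpickler` subclass that resolves only explicitly allowlisted globals, so plain data still loads while any pickle referencing an unlisted class or function is refused at load time. The names `RestrictedUnpickler`, `safe_loads`, `ALLOWED_GLOBALS` and the sample payloads are constructed for this note.

```python
import datetime
import io
import pickle


# Explicit allowlist of (module, name) pairs the unpickler may resolve.
# Strings, numbers and plain containers never go through find_class, so they
# always load; every class or function reference must be listed here.
# Constructed for this note; a real service would list only what it stores.
ALLOWED_GLOBALS = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    Every class or function reference inside a pickle stream is resolved
    through find_class. Refusing unknown names is what stops a crafted
    payload from obtaining a callable to invoke while the data is loading,
    which is the path that turns insecure deserialization into code execution.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Load pickle bytes using the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected_pickle(data: bytes) -> bool:
    """True if safe_loads refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: plain data, an allowlisted class, and a reference to a
# class that is not allowlisted (every global lookup, class or function alike,
# takes this shape inside the stream).
PLAIN = pickle.dumps({"user": "alice", "roles": ["viewer"], "logins": 3})
DATE = pickle.dumps(datetime.date(2017, 11, 20))
UNLISTED = pickle.dumps(datetime.timedelta(days=1))

if __name__ == "__main__":
    print(safe_loads(PLAIN))              # {'user': 'alice', 'roles': ['viewer'], 'logins': 3}
    print(safe_loads(DATE))               # 2017-11-20
    print(is_rejected_pickle(UNLISTED))   # True
```

The allowlist is the whole control: widening it to a module that exposes callables (or to a class whose `__setstate__` does real work) reopens the problem, so each entry should be a type the application actually persists. Formats that carry no object references at all, such as JSON, avoid the question entirely.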

XXE is a new category supported by data. “Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks,” the OWASP wrote.
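The defensive counterpart to the processor behaviour quoted above, as an added example that is not from the article or from OWASP: a small Python parser on the standard library's expat binding that refuses every entity declaration, so a document declaring an external entity is rejected at the DOCTYPE, before any `&name;` reference is reached and before any URI could be resolved. The helper names and the two sample documents (including the placeholder file URI) are constructed for this note.

```python
import xml.parsers.expat as expat


class ForbiddenEntityError(ValueError):
    """Raised when a document declares any DTD entity, internal or external."""


def parse_xml_no_entities(data: bytes) -> dict:
    """Parse a small XML document into a {tag: text} mapping while refusing
    every entity declaration (hypothetical helper written for this note).

    Rejecting declarations is stricter than merely not resolving them: the
    parser stops inside the DTD, so neither file URIs nor internal network
    locations named by an external entity are ever touched.
    """
    parser = expat.ParserCreate()
    result: dict = {}
    buffers: list = []  # one text buffer per currently open element

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the DTD; system_id carries the external URI, if any.
        raise ForbiddenEntityError(
            f"entity declaration {name!r} rejected (system id: {system_id!r})"
        )

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort rather than fetch the entity.
        return 0

    def on_start(tag, attrs):
        buffers.append([])

    def on_chars(text):
        if buffers:
            buffers[-1].append(text)

    def on_end(tag):
        result[tag] = "".join(buffers.pop()).strip()

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True if parse_xml_no_entities refuses the document."""
    try:
        parse_xml_no_entities(data)
    except (ForbiddenEntityError, expat.ExpatError):
        return True
    return False


# Constructed samples (not from the page): an ordinary document, and one that
# declares an external entity pointing at a placeholder file URI.
CLEAN_DOC = b"<order><id>42</id><note>two widgets</note></order>"
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
    b"<order><id>&ext;</id></order>"
)

if __name__ == "__main__":
    print(parse_xml_no_entities(CLEAN_DOC))  # {'id': '42', 'note': 'two widgets', 'order': ''}
    print(is_rejected(XXE_DOC))              # True
```

Most applications never need a DTD at all, which is why refusing all entity declarations (rather than trying to distinguish safe from unsafe ones) is the usual hardening choice; the same idea is what the `defusedxml` package applies to the other parsers in the standard library.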

To defend against the Top 10, the OWASP believes developers need to establish and use repeatable processes and security controls, security testers need to establish continuous application security testing, application managers need to take charge of the full application lifecycle from an IT perspective, and the organization as a whole needs to have an application security program in place.

“A great deal of feedback was received during the creation of the OWASP Top 10 – 2017, more than for any other equivalent OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for OWASP to get the Top 10 right for the majority of use cases,” the OWASP wrote.

Review: the OWASP Top 10 security vulnerabilities released in 2013

Vulnerability categories, per OWASP Top Ten (2013)

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

(End)