Many security teams use the OWASP Top 10 as a guideline for where to focus their security strategies and attack prevention efforts. The OWASP Top 10 originated in 2003 and has become a benchmark for compliance, education, and vendor tooling. Although security teams treat the OWASP Top 10 as the standard starting point for secure development, it is updated infrequently, roughly every four years. The OWASP Top 10 also lacks the granularity needed to draw meaningful insights into an organization's weakness patterns compared with its industry peers.
DevOps lifecycles are accelerating, with new code released daily. An industry standard that is not updated at a comparable pace can lag behind the vulnerability classes developers are actually introducing, which hinders both development and security teams. Although security managers hold the OWASP Top 10 in high regard by broad consensus, a four-year update cycle cannot keep pace with most organizations' security planning and development lifecycles.
OWASP and its Top 10 have evolved to focus more on helping developers build secure applications and work with security teams. After partnering with organizations like HackerOne and weighing the frequency, severity, and magnitude of the risk these vulnerabilities introduce, OWASP recently released its Top 10 for 2021, which introduces three new categories: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery (SSRF). The 2021 edition is not simply an exercise in fitting more CWEs into ten bullets. Rather, its broader analysis of the data shifts the emphasis away from individual vulnerabilities and toward broad security control areas.
How the HackerOne Global Top 10 Goes Further With Up-to-Date Data and Insights
The HackerOne Global Top 10 goes further than OWASP with more regular updates and an Industry Top 10 list, a subset of the Global Top 10, where customers can view the top threats to their specific industry (e.g., Energy, Financials, Government & NGO, Healthcare, and several others). With annual updates, the Global Top 10 is a valuable reference for guiding developers through the common issues that make code insecure.
Hackers report real-world, exploitable vulnerabilities to HackerOne's platform. This distinct dataset gives customers significant insight into the most impactful weaknesses found by hackers who apply creativity, specialized skills, and years of expertise. Such vulnerabilities are often higher in severity, or found through approaches that automated tooling misses, and may not be represented in the OWASP Top 10.
HackerOne’s Three-Part Solution
HackerOne delivers the solution in three parts: ranking methodology, visualization, and data quality. Inspired by the methodology behind the CWE Top 25, the HackerOne Global Top 10 is ranked using a scoring formula that accounts for both the frequency of a CWE and the average severity assigned to that CWE. When a customer views the top weaknesses card in their HackerOne Program Overview Dashboard, a new column in the card shows where each of their top weaknesses ranks in the Global Top 10, if applicable.
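The page does not publish HackerOne's exact formula, so the following is an added illustration, not HackerOne's code: it applies the CWE Top 25 approach (min-max normalize report frequency and average severity per CWE, multiply, scale to 100) to a small constructed set of reports. The CWE ids and severity scores are sample inputs invented for the example, and the ranking they produce shows why frequency and severity both matter: the most frequently reported weakness ranks low when its average severity is low, and a single critical report ranks low because its frequency is the minimum.

```python
"""Illustrative CWE Top 25-style ranking of reported weaknesses.

Added example, not HackerOne's implementation. The normalization scheme is
assumed to follow the published CWE Top 25 methodology; the report data below
is constructed for the example.
"""
from collections import defaultdict

# Constructed sample reports: (CWE id, severity score on a 0-10 scale).
SAMPLE_REPORTS = [
    ("CWE-79", 5.3), ("CWE-79", 6.1), ("CWE-79", 4.3), ("CWE-79", 6.5),
    ("CWE-200", 5.3), ("CWE-200", 7.5), ("CWE-200", 4.3),
    ("CWE-918", 9.1), ("CWE-918", 8.6),
    ("CWE-352", 6.5), ("CWE-352", 5.4), ("CWE-352", 4.3),
    ("CWE-89", 9.8),
]


def aggregate(reports):
    """Return {cwe: (report count, average severity)} for the given reports."""
    counts = defaultdict(int)
    sums = defaultdict(float)
    for cwe, severity in reports:
        counts[cwe] += 1
        sums[cwe] += severity
    return {cwe: (counts[cwe], sums[cwe] / counts[cwe]) for cwe in counts}


def _normalize(value, low, high):
    """Min-max scale value into [0, 1]; a degenerate range maps everything to 1."""
    return 1.0 if high == low else (value - low) / (high - low)


def rank_cwes(reports):
    """Score each CWE as norm(frequency) * norm(avg severity) * 100, highest first.

    Returns a list of (cwe, count, avg_severity, score) tuples. As in the
    CWE Top 25 method, the least frequent CWE and the lowest-average-severity
    CWE normalize to 0 and therefore score 0 regardless of their other factor.
    """
    stats = aggregate(reports)
    counts = [count for count, _ in stats.values()]
    severities = [avg for _, avg in stats.values()]
    c_low, c_high = min(counts), max(counts)
    s_low, s_high = min(severities), max(severities)

    scored = []
    for cwe, (count, avg) in stats.items():
        score = _normalize(count, c_low, c_high) * _normalize(avg, s_low, s_high) * 100
        scored.append((cwe, count, round(avg, 2), round(score, 2)))
    scored.sort(key=lambda row: row[3], reverse=True)
    return scored


if __name__ == "__main__":
    for rank, (cwe, count, avg, score) in enumerate(rank_cwes(SAMPLE_REPORTS), 1):
        print(f"{rank}. {cwe}: reports={count} avg_severity={avg} score={score}")
```

On this sample, CWE-918 (two reports, average 8.85) comes out on top, CWE-200 and CWE-79 follow with low scores despite being reported most, and CWE-89 (one report at 9.8) and CWE-352 (lowest average severity) both score zero. That zeroing of the extremes is a known property of the CWE Top 25 formula and is worth remembering when reading any list ranked this way: a rarely reported but critical weakness is not necessarily a low priority for your own program.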
CWE is one of the core, standard variables HackerOne uses to surface insights on weakness trends across our customer base. We improve data quality by allowing customers and security analysts to tag reports with a more detailed CWE classification. As the dataset becomes more granular, recurring updates will increase the value of the Global Top 10 and drive future insights that rely on CWE as a core factor.
As a result, organizations can prioritize mitigation of the higher-risk items first, reducing their exposure to a potentially devastating exploit that could compromise their data, disrupt operations, and damage their reputation and future viability. HackerOne offers insights that would otherwise be unavailable and simplifies customer decision-making. Additionally, as with the OWASP Top 10, customers will be able to incorporate the Global Top 10 into their pentest scope; we are making it a standard checklist option for customers running a pentest through HackerOne.
Global Top 10 Top Weaknesses in 2020
The Global Top 10 data is categorized in several ways; one is a ranking of the top weaknesses by average severity and report frequency, as shown in Figure 1 below.
Figure 1: HackerOne Global Top 10 top weaknesses ranked by severity and report frequency. 'Change' is relative to the previous year, e.g., 'Information Disclosure' rose two ranks compared with the year prior. 'Your rank' lets an individual program see where each weakness ranks for that program, based on the number of vulnerabilities reported during the selected time period.
How the HackerOne Global Top 10 Can Help Security Teams
The HackerOne Global Top 10 offers practitioners and security teams data-driven guidelines for vulnerability assessment, providing current rankings of security issues that are not readily available from other industry sources.
The Global Top 10 is a valuable resource that can help organizations prioritize reported vulnerabilities. Because it is integrated directly into the HackerOne dashboard, an organization can immediately see the severity of its known vulnerabilities.
Contact your Customer Success Manager to access the HackerOne Global Top 10. New to HackerOne and want to learn more? Contact us here.