Very very informative video! It would make sense to have a top 10 if it was for the most common risks… I really am not sure why OWASP seems to be failing at one thing that is the most important of all: proper and clear communication
This is a very good articulation. Other than CVSS, EPSS provides a good view on actual exploitation probabilities. The Impact part is related to Exposure and Security Architecture. So CISA SSVC is a good model to use to determine actual criticality in any organization. SSVC requires internal teams to participate and cannot be handled only by external security testers.
When I first encountered the OWASP top ten back in 2019, it was much easier to follow, but as the years wore on, either something changes or a new vuln takes precedence. It's just a lot to follow now.
Good thing I waited for you to finish, because my first thought was: every 4 years?? I guess the infosec world has changed so much in the last 4 years that I forgot how often the report is published. I am not a pro but simply an enthusiast, yet I feel OWASP has gotten into the "survivor bias" problem: the WW2 research that looked at the planes coming back from flights over Europe and wanted to put armor on the places with the most bullet holes in the fuselage, missing the point that the planes that had holes in other places didn't come back... Frequency doesn't equal impact. Cheers.
Have to agree with this. I shake my head when I am trying to understand what the top 10 critical things are that I should pentest/exploit first on a web app. The current OWASP top 10 is indeed confusing and ironic. It should focus and rank based on the likelihood of exploitation of each category or vulnerability and the subsequent impact (quantifiable).
It's super confusing the way it's ordered now. Even if they keep the categorization, I don't think devs should be focused on cryptographic stuff as much as the top ten suggests they should be. 🤔
Hmm. Very well thought out. They definitely should adopt more complex measurements, especially in this rapidly changing industry, or at least make it sooner; 4 years is like an age in cyberspace.
I think the OWASP top ten has become so condensed to try and include as much as possible that it is no longer useful. Sometimes I have to sit and think about which of the top ten a vuln fits into because there is so much overlap.