David Explains the OWASP Top Ten
While writing WordPress Security with Confidence last year, I spent a lot of time waiting for the latest revision of the OWASP Top Ten, the 2017 version. They ended up taking far too long to publish, so I made the course focusing on the 2013 version, which was the most recent finalized iteration at the time the course went live. I don’t regret that choice, but I wanted to make sure I was well acquainted with the 2017 iteration.
So, I wrote all about the 2017 OWASP Top 10 List on Thoughtful Code. The post weighed in at 3000 words, and even then I didn’t begin to give the list its due. It’s an impressive project and a welcome one to boot. I think it’s important that as WordPress professionals we keep the whole list in mind. But the most important for the WordPress ecosystem remains #9:
A9:2017 – Using Components with Known Vulnerabilities
As someone who knows a lot about WordPress security, this one has a fond place in my heart. It’s almost certainly the most common cause of compromise in WordPress, because so many end-users don’t understand the importance of updating all their components.
The basic logic and protection here is not complicated, but this item’s position on the list has not changed because people are lazy and the tools are generally not very good. npm’s recent inclusion of an audit tool is a step in the right direction. But generally, just update everything whenever you can. And when you can’t update regularly, check on the security content of new updates in your dependency graph.
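To make “check the security content of new updates in your dependency graph” concrete, here is a small added example of the check an audit tool like npm’s performs: take an inventory of installed components, compare each version against the affected range in an advisory, and report the lowest version you would need to move to. This is my illustration, not code from the post or from any real audit tool; the component names, versions and advisories are all made up.

```python
"""
Added example (not from the original post): audit an inventory of installed
components against a small, constructed advisory list, the way a dependency
audit tool such as `npm audit` does. Every component name, version and
advisory below is invented for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.9.8' into (4, 9, 8) so versions compare numerically.

    A plain string comparison gets this wrong ('4.10.0' < '4.9.0' as text),
    which is exactly the kind of bug that makes a homegrown checker miss an
    update. Short versions are padded so '5.0' equals '5.0.0'.
    """
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version containing the fix (exclusive bound)
    summary: str


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version lies in [introduced, fixed)."""
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(inventory: Dict[str, str],
          advisories: List[Advisory]) -> Dict[str, List[Advisory]]:
    """Map each installed component to the advisories that apply to its version."""
    findings: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            findings.setdefault(adv.component, []).append(adv)
    return findings


def minimum_safe_version(applicable: List[Advisory]) -> Optional[str]:
    """Lowest version that closes every applicable advisory, or None if none apply."""
    if not applicable:
        return None
    return max(applicable, key=lambda a: parse_version(a.fixed)).fixed


def report(inventory: Dict[str, str], advisories: List[Advisory]) -> List[str]:
    """Human-readable summary, one line per affected component."""
    lines = []
    for component, applicable in sorted(audit(inventory, advisories).items()):
        target = minimum_safe_version(applicable)
        issues = "; ".join(a.summary for a in applicable)
        lines.append(f"{component} {inventory[component]}: "
                     f"{len(applicable)} advisory(ies) ({issues}); update to >= {target}")
    return lines


# Constructed sample data: a hypothetical site's installed plugins.
SAMPLE_INVENTORY = {
    "example-gallery-plugin": "2.3.1",
    "example-forms-plugin": "1.8.0",
    "example-seo-plugin": "4.0.2",
}

# Constructed sample advisories (not real plugins or real issues).
SAMPLE_ADVISORIES = [
    Advisory("example-gallery-plugin", "2.0.0", "2.3.2", "stored XSS in album title"),
    Advisory("example-gallery-plugin", "1.0.0", "2.4.0", "unrestricted file upload"),
    Advisory("example-forms-plugin", "1.5.0", "1.7.3", "SQL injection in export"),
    Advisory("example-seo-plugin", "4.0.0", "4.1", "CSRF on settings page"),
    Advisory("example-not-installed", "1.0.0", "1.0.1", "should never be reported"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(line)
```

Two details carry most of the value here: versions are compared as tuples of integers rather than strings, and when several advisories hit one component the upgrade target is the highest `fixed` version among them, so a single update closes all of them. Real tools add the rest: pulling advisories from a feed, walking transitive dependencies, and distinguishing severity.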
Read the whole post though! I know you’ll learn something 🤓