Earlier, regarding this year's Top 10:
I remember pwning php-nuke sites with SQL injection more than a decade ago. At least as far as that dumpster fire (php-nuke) goes, there are 2021-dated CVEs for SQL injection, so clearly at least some people aren't making headway.
I wonder if anyone publishes a broad survey of CVE categories akin to tfa.
Broken access control becoming the number one issue is no surprise. We have faced this so many times when building enterprise SaaS software and having to go through ISO certifications.
We believe re-invention of the access control wheel causes these problems at every software company because there are no good standards to start from. With Cerbos we try to address this issue in the market.
We wrote about this issue and how we can help solve it on our blog a few weeks ago. https://cerbos.dev/blog/broken-access-control-is-the-1-issue...
(I'm cofounder/CTO at Oso).
Though obviously there is still some shared responsibility and it's no panacea - but has had a noticeable impact on the ordering of the OWASP list.
With SSR, we only need to limit rendered information and we're fine. Now we need to limit the JSON (or XML if SOAP) response. If we need a condition based on protected data, we need to have an additional, derived (computed) property for it, and there isn't a standard way to do it, then make the view conditional on that derived value.
That process is too alluring to be skipped and many choose to just breach the security and deal with it later, unless you have a different team managing front and back.
My personal and current recommendation for developers is to focus on sane authorisation models - I commonly see direct-object type vulnerabilities related to cross-user/organisational access where the user is the correct role / privilege level to access a resource, but has no association with the record owner. An example of this would be a multi-tenant web-store where an admin for the EvilCorp entity can modify products belonging to InnocentPtyLtd.
I also suspect poorly configured CORS policies might be in the top 10 in a few years' time due to situations where SPA apps (which will inevitably use JWT) and traditional cookie apps are hosted using similar configs, resulting in the latter being vulnerable to CSRF-type attacks.
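The multi-tenant web-store scenario from the comment above, as an added example that is not part of the thread: a role-only check beside a tenant-scoped check, run over constructed sample users and products (the `User`/`Product` shapes and tenant ids are assumptions).

```python
# Added example (not from the thread): role-only vs tenant-scoped
# authorization for the multi-tenant web-store scenario.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str  # "admin" or "member"


@dataclass
class Product:
    product_id: str
    tenant_id: str  # the tenant that owns the record
    name: str


# Constructed sample catalogue: one product per tenant.
PRODUCTS = {
    "p-100": Product("p-100", "evilcorp", "Widget"),
    "p-200": Product("p-200", "innocentptyltd", "Gadget"),
}


def can_edit_role_only(user: User, product: Product) -> bool:
    """The flawed check: privilege level only, no link to the record owner.
    An EvilCorp admin passes this for an InnocentPtyLtd product."""
    return user.role == "admin"


def can_edit_tenant_scoped(user: User, product: Product) -> bool:
    """The corrected check: role AND association with the owning tenant."""
    return user.role == "admin" and user.tenant_id == product.tenant_id


def update_product_name(user: User, product_id: str, new_name: str,
                        policy=can_edit_tenant_scoped) -> bool:
    """Apply the rename only if the policy allows it; return whether it ran.
    A missing product is treated the same as a denied one so the response
    does not reveal which ids exist in other tenants."""
    product = PRODUCTS.get(product_id)
    if product is None or not policy(user, product):
        return False
    product.name = new_name
    return True
```

The role-only policy lets the cross-tenant edit through; the tenant-scoped one denies it while still allowing the admin to edit their own tenant's product.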
With cloud platforms rising in popularity, the top two rising to those spots is not surprising. From a cursory glance, they seem to have added more scenarios under those two as well.
This is probably why access control is number 1.
SAML and MFA should be available for all plans. Secure access should not be gated just to the expensive plans.
Disclaimer: I was involved in the design of the MFA and SAML integration UX for saas pass.
I'm not saying you're wrong, and agree that security should never be a 'premium' product, but it's important to identify that it isn't _just_ limited to authentication.
That being said, messing with SAML/OAuth assertions is generally pretty fruitful when pentesting, and MFA is something I'd recommend in almost all public facing applications.
However, I don't think that shows up as vulns. Even if you use SAML you still have to implement it, and it's an absolutely terrible protocol full of ways to shoot yourself in the foot and do it wrong.