Deb Radcliff interviews OWASP Top Ten core team member Brian Glas.
What do the OWASP Top Ten web application vulnerabilities have to do with C languages? And where do those vulnerabilities coincide with Software Bills of Materials (SBOMs)?
As the Top Ten core team begins analyzing the 2025 data, we pose these questions to Brian Glas, one of four Top Ten core team members responsible for the report. He has personally been on the team for the 2017, 2021, and soon, the 2025 Top Ten list. Brian is also a core team member for the OWASP Software Assurance and Maturity Model (SAMM), a community-led open-source framework to improve security across the SDLC. In his day job, he chairs the Department of Computer Science at Union University, based in Jackson, Tennessee, where he is also an assistant professor.
Link to video here.
C Crossover
“While focused on web applications, there is still overlap with applications developed in C language,” he says during our interview. He adds that the C languages find their way into web apps, often through open source.
For example, he points out findings among the OWASP data that are tied to memory management vulnerabilities, such as various forms of buffer overflows (stack-based, heap-based, etc.).
“While not all contributors to the report tested C-based applications, four of our thirteen contributors did test for these C-related vulnerabilities. That’s how memory management errors made it to number twelve in 2021. Number two on our list, out-of-bounds write, and number six, out-of-bounds read, both apply to C languages,” Glas explains.
To that end, he recommends using SAST tooling to hunt for the use of wrong functions, particularly memory-unsafe functions, and fuzzing to test the bounds and the limits of what code “is capable of doing,” he says, adding, “When I was working at Microsoft for their Office software products, we were using fuzzing twenty-four by seven.”
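To make the two recommendations above concrete, here is an added example (not code from the interview, from OWASP, or from CodeSecure) in C. It shows the unsafe and bounded forms of a fixed-size string copy (the out-of-bounds write pattern the Top Ten data flags), a small bounds-testing loop in the spirit of the fuzzing Glas describes, and a minimal text-level check for calls to memory-unsafe library functions of the kind a SAST tool would report. `NAME_MAX`, the function names, the banned-function list, and `SAMPLE_SOURCE` are all assumptions constructed for this illustration; a real SAST tool works on a parsed AST rather than on raw text.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* Hypothetical fixed-size record field, as a C web backend might keep it. */
#define NAME_MAX 16

/* Vulnerable form: strcpy() copies until the NUL with no regard for the
 * destination size. Any source of NAME_MAX bytes or more writes past the
 * buffer (CWE-787, Out-of-bounds Write). Kept only for contrast; never
 * called with oversized input here. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: reject input that cannot fit, always NUL-terminate.
 * Returns 0 on success, -1 if src was rejected (dst is left empty). */
int copy_name_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0) return -1;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') n++;  /* never read past dst_len bytes */
    if (n >= dst_len) {                          /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Deterministic bounds test in the spirit of fuzzing: feed every input length
 * from 0 to 2*NAME_MAX into the bounded copy with a canary byte placed right
 * after the buffer. Returns 1 if the canary survived and the accept/reject
 * decision matched the length on every iteration, 0 otherwise. */
int fuzz_bounded_copy(void)
{
    struct { char name[NAME_MAX]; unsigned char canary; } rec;
    char input[2 * NAME_MAX + 1];
    for (size_t len = 0; len <= 2 * NAME_MAX; len++) {
        memset(input, 'A', len);
        input[len] = '\0';
        rec.canary = 0xA5;
        int rc = copy_name_bounded(rec.name, sizeof rec.name, input);
        if ((len < NAME_MAX) != (rc == 0)) return 0;   /* wrong accept/reject */
        if (rec.canary != 0xA5) return 0;              /* byte past buffer touched */
        if (rc == 0 && strlen(rec.name) != len) return 0;
    }
    return 1;
}

/* Minimal "SAST" style check: count whole-word calls to memory-unsafe
 * library functions in a source text. The word-boundary test keeps fgets()
 * from matching gets, and the '(' test keeps mentions in comments from
 * counting as calls. Illustrative only; real tools work on an AST. */
static const char *const BANNED[] = { "strcpy", "strcat", "gets", "sprintf", NULL };

int count_unsafe_calls(const char *source)
{
    int hits = 0;
    for (int i = 0; BANNED[i] != NULL; i++) {
        size_t blen = strlen(BANNED[i]);
        const char *p = source;
        while ((p = strstr(p, BANNED[i])) != NULL) {
            int word_start = (p == source) ||
                             !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            const char *after = p + blen;
            while (*after == ' ') after++;
            if (word_start && *after == '(') hits++;
            p += blen;
        }
    }
    return hits;
}

/* Constructed snippet for the scanner to read; not real project code. */
static const char SAMPLE_SOURCE[] =
    "void handler(const char *q) {\n"
    "    char buf[64];\n"
    "    strcpy(buf, q);                      /* reported */\n"
    "    fgets(buf, sizeof buf, stdin);       /* not reported: bounded */\n"
    "    snprintf(buf, sizeof buf, \"%s\", q); /* not reported: bounded */\n"
    "    sprintf(buf, \"%s\", q);             /* reported */\n"
    "}\n";

int main(void)
{
    printf("unsafe calls in sample: %d\n", count_unsafe_calls(SAMPLE_SOURCE));
    printf("bounded copy bounds test: %s\n",
           fuzz_bounded_copy() ? "no overflow observed" : "OVERFLOW");
    return 0;
}
```

The bounds loop is the kind of check a fuzzer automates at scale: vary the input size past the buffer size and watch a sentinel that sits just beyond it. The scanner reports two of the four calls in the sample, which is the signal a SAST rule for "wrong functions" would raise for review.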
SBOMs Relevant to Entire Top Ten
In terms of the Top Ten’s relationship to SBOMs, Glas points out how pretty much all the vulnerabilities on the list fall under the realm of SAST and SBOMs, due to the prevalence of third-party code used in most applications. In addition to that, he also talks about the need to scan for and reduce dependencies, also supported through SBOMs.
Going Forward With 2025 Results
Tune in for Brian’s expert advice as he shares the cool story of how the Top Ten are derived and when to expect the 2025 Top Ten list to be published. Even though they all have day jobs, the core team analyzing the data and writing the report feels the weight of responsibility to get that data right. “The top 10, for better or worse, drives entire industries from training to tooling. We take this incredibly seriously.”
Resources:
Get involved with and learn more about the OWASP Top Ten.
CWE 829 Inclusion of Functionality from Untrusted Control Sphere
CWE 494 Downloading of Code Without Integrity Check
How do the OWASP Top Ten Align with C and C++ Languages, a CodeSecure whitepaper