Two new risks were added with OWASP 2017:
2017-A7: Insufficient Attack Protection: Detecting, responding to, and blocking attacks make applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
2017-A10: Underprotected APIs: Testing your APIs for vulnerabilities should be similar to testing the rest of your application for vulnerabilities. Different types of injection, authentication, access control, encryption, configuration & other issues can exist in APIs just as in a traditional application.
Two items were removed from OWASP 2017's top 10:
Cross-Site Request Forgeries (CSRFs) and Unvalidated Redirects and Forwards.
Two risks from the 2013 report merged:
(Insecure Direct Object References and Missing Function Level Access Control) were merged into a single risk: Broken Access Control.