OWASP 2013 Top 10 Announced
The great folks at Open Web Application Security Project (OWASP) have released the 2013 edition of the Top 10 Project. The Top 10 Project is list of security threats to web applications that is created using an open risk based methodology. OWASP publishes the Top 10 in order to raise awareness about application security and the threats organizations face. The Top 10 Project may sound familiar to you as it is referenced in many standards, books, tools such as MITRE, PCI DSS, DISA, and FTC to name a few.
OWASP works to reach out to developers, not just the application security community. The idea is to try to prevent the risk early on in the application development cycle when often the cost is relatively inexpensive to fix. The Top 10 is about managing risk, not just avoiding vulnerabilities. To mange is to reduce or remove the risk and is the only successful path to a more secure system. In order to successfully manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation.
What made it to this year’s list?
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards