Thursday, December 3, 2009

Open Web Application Security Project Top 10 Risks For 2010 Is Available

The Open Web Application Security Project (OWASP) Top Ten has been a great source of information for security testing over the years that we've used it at Recommended Test Labs. They last published their list in 2007 (and 2004 before that).  As stated at their web site:

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
As of Nov 13, 2009, the 2010 list has been released as a release candidate for public comment through Dec 31, 2009. The document is available at http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf. Within that document, you will find the following Top 10 Risks:
  • A1 – Injection
  • A2 – Cross Site Scripting (XSS)
  • A3 – Broken Authentication and Session Management
  • A4 – Insecure Direct Object References
  • A5 – Cross Site Request Forgery (CSRF)
  • A6 – Security Misconfiguration (NEW for 2010)
  • A7 – Failure to Restrict URL Access
  • A8 – Unvalidated Redirects and Forwards (NEW for 2010)
  • A9 – Insecure Cryptographic Storage
  • A10 – Insufficient Transport Layer Protection
Below is a video that covers the Top 10 list from 2007:
