Hyperguarding your Web Applications

OWASP Updates Top 10 List

Posted by hyperguard on April 19, 2010

Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise.  This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.

OWASP Top Ten List:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Two risks were removed from the list—malicious file execution because it has become a less prevalent issue and information leakage and improper error handling because its impact is typically minimal.

Security misconfiguration and un-validated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults—this includes keeping all software up to date.

Un-validated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.

The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: