OWASP Updates Top 10 List
Posted by hyperguard on April 19, 2010
Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise. This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.
OWASP Top Ten List:
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Two risks were removed from the list: malicious file execution, because it has become a less prevalent issue, and information leakage and improper error handling, because its impact is typically minimal.
Security misconfiguration and unvalidated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults; this includes keeping all software up to date.
Unvalidated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.
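As an added illustration of the validation OWASP is calling for (example code written for this post, not from OWASP or any product), here is the common unsafe pattern next to a hardened version: the hardened version only redirects to site-relative paths or to an allowlisted set of hosts, and only forwards to known internal routes. The host names, routes and default destination are assumed placeholder values.

```python
from urllib.parse import urlparse

# Constructed allowlists; a real application would load these from its configuration.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
FORWARD_ROUTES = {"/account", "/orders", "/settings"}
DEFAULT_DESTINATION = "/home"


def vulnerable_redirect(target: str) -> str:
    """The pattern the Top 10 entry warns about: untrusted input becomes the Location header."""
    return target


def is_safe_redirect(target: str) -> bool:
    """True only if `target` is a site-absolute path or an absolute URL to an allowlisted host.

    Rejects scheme-relative URLs (//evil.example), backslash variants (/\\evil.example),
    userinfo tricks (https://app.example.com@evil.example/), look-alike hosts
    (app.example.com.evil.example) and non-http(s) schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers strip surrounding whitespace and embedded tab/newline and treat "\" as "/",
    # so normalise the same way before parsing, otherwise the parser sees a different URL.
    target = target.strip()
    for ch in "\t\r\n":
        target = target.replace(ch, "")
    target = target.replace("\\", "/")
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.netloc == "":
        # No host part: accept only a path that starts at the site root ("/...") and is not "//host".
        return target.startswith("/") and not target.startswith("//")
    # Host part present: `hostname` drops port and userinfo; require an exact allowlist match.
    return (parsed.hostname or "") in ALLOWED_HOSTS


def safe_redirect(target: str) -> str:
    """Hardened redirect: fall back to a fixed in-app destination when the target fails validation."""
    return target if is_safe_redirect(target) else DEFAULT_DESTINATION


def safe_forward(route: str) -> str:
    """Server-side forwards should name a known route, never an arbitrary caller-supplied path."""
    return route if route in FORWARD_ROUTES else DEFAULT_DESTINATION
```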