19 April 2010

OWASP Top Ten 2010 Makes Business Sense

The OWASP Top Ten - 2010 has just been released. The document, from the Open Web Application Security Project, is aimed at developers and describes the ten most critical web application security risks. Since it is referenced by the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS), the new edition has an immediate compliance effect on organisations with web-enabled payment systems.

Part of the cover from the OWASP Top 10 - 2010 showing part of the OWASP logo and the words 'OWASP Top 10 - 2010, The Ten Most Critical Web Application Security Risks'

OWASP Top Ten - 2010 was issued as a release candidate (RC) in November 2009 at OWASP's Washington DC AppSec Conference. The Top Ten ranks the risks using generic likelihood factors and technical impact; the document points out that each organisation needs to assess its own threats and, where possible, determine not just the technical impact but the business impact, and it recommends the Risk Rating Methodology from the OWASP Testing Guide for doing so.

Partial view of the business risk diagram from the OWASP Top 10 - 2010 showing how the path from threats, through vulnerabilities and inadequate controls, affects assets and has technical and business impacts
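As an added illustration (this is not code from the original post or from the OWASP document), the small calculator below applies the OWASP Risk Rating Methodology as published: each likelihood and impact factor is scored 0-9, the factors are averaged, the averages fall into LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and the two bands are combined in the methodology's severity matrix. It rates one hypothetical injection finding first on technical impact and then on the business impact of two different owners of the same application, which is the point the diagram above makes. The factor scores and the two organisations are constructed for the example, not taken from the document.

```python
"""Worked OWASP Risk Rating Methodology: likelihood x impact -> severity."""

# Factor names follow the OWASP Risk Rating Methodology; each is scored 0-9.
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")
LIKELIHOOD_FACTORS = THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# Overall severity: (likelihood band, impact band) -> rating, per the methodology.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_score(scores, factors):
    """Average the 0-9 scores for exactly the named factors.

    A missing or unexpected factor is an error rather than a silent zero,
    because a dropped factor would quietly shift the band.
    """
    missing = set(factors) - set(scores)
    extra = set(scores) - set(factors)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} extra={sorted(extra)}")
    for name in factors:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {scores[name]}")
    return sum(scores[name] for name in factors) / len(factors)


def band(score):
    """Map an averaged 0-9 score onto the methodology's three bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood_scores, impact_scores, impact_factors):
    """Return the overall severity with the intermediate numbers for the report."""
    likelihood = average_score(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_score(impact_scores, impact_factors)
    likelihood_band, impact_band = band(likelihood), band(impact)
    return {
        "likelihood": likelihood, "likelihood_band": likelihood_band,
        "impact": impact, "impact_band": impact_band,
        "severity": SEVERITY_MATRIX[(likelihood_band, impact_band)],
    }


# Constructed scores for a hypothetical SQL injection (A1) in an internet-facing
# order form: anonymous attackers, well-known technique, no logging of the attack.
SQLI_LIKELIHOOD = {
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,
}
SQLI_TECHNICAL_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
}
# Two hypothetical owners of the same application (constructed values).
CARD_MERCHANT_BUSINESS_IMPACT = {
    "financial_damage": 9, "reputation_damage": 9,
    "non_compliance": 7, "privacy_violation": 7,
}
HOBBY_SITE_BUSINESS_IMPACT = {
    "financial_damage": 1, "reputation_damage": 1,
    "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    print("technical :", rate(SQLI_LIKELIHOOD, SQLI_TECHNICAL_IMPACT, TECHNICAL_IMPACT_FACTORS))
    print("merchant  :", rate(SQLI_LIKELIHOOD, CARD_MERCHANT_BUSINESS_IMPACT, BUSINESS_IMPACT_FACTORS))
    print("hobby site:", rate(SQLI_LIKELIHOOD, HOBBY_SITE_BUSINESS_IMPACT, BUSINESS_IMPACT_FACTORS))
```

With these scores the finding is Critical on technical impact and stays Critical for the card merchant, but drops to Medium for the hobby site: same weakness, same attacker, different business. That is the gap the document asks each organisation to close for itself rather than reading the generic ranking as its own priority order.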

Since November, there has been a wide-ranging discussion of the ranking and advice provided, and this has led to some minor changes in the final document. I contributed to the OWASP Top Ten Project as a document reviewer. The final Top Ten for 2010 is now issued. As the document points out, these are only the first ten risks, and they may be different for an organisation's own information systems and business processes.

Partial view of the top ten list from the OWASP Top 10 which are: A1 Injection, A2 Cross-Site Scripting (XSS), A3 Broken Authentication and Session Management, A4 Insecure Direct Object References, A5 Cross-Site Request Forgery (CSRF), A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access, A9 Insufficient Transport Layer Protection, and A10 Unvalidated Redirects and Forwards

OWASP recognises that the titles are not all risks (some are names of vulnerabilities), but this has been done to use the most commonly recognisable terminology. Each item in the Top Ten includes a description, how the risk can occur, how to detect whether your application is vulnerable, example attack scenarios, how to prevent exploitation, and detailed references for further information from a wide range of sources. Of particular help are the various OWASP Cheat Sheets:

For those who want to go beyond the Top Ten, the document provides guidance for developers, verifiers and organisations about what they can do next. It encourages organisations to consider an application risk management program, not just awareness training, application testing and remediation. It is a great starting point for developers with less knowledge about application security and is now also a handy reference for more-experienced teams. For example, the November RC1 version was used as the basis for over three hours of discussion on web application security at last Friday's OWASP London Free Training event.

The 2010 edition supersedes the previous 2007 edition. It is distributed under a Creative Commons (CC) Attribution Share-Alike licence and can be downloaded for free from the OWASP website or purchased as a printed book, at cost. The screen captures above are subject to this licence.

Posted on: 19 April 2010 at 16:01 hrs

Page https://www.clerkendweller.uk/2010/4/19/OWASP-Top-Ten-2010-Makes-Business-Sense
© 2010-2015 clerkendweller.uk