A draft of the next edition of the OWASP Top 10 is available for review and comment.
The OWASP Top 10 - 2013 Release Candidate makes the following changes relative to the current 2010 edition:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
OWASP plans to issue the final public release of the OWASP Top 10 - 2013 in April or May, after a public comment period ending on 30 March 2013. The methods for submitting comments are described on the first page of the draft document. Discussion of the draft is already under way on the OWASP Top Ten Project's mailing list.
Posted on: 15 February 2013 at 18:30 hrs