The latest release of OWASP's Top Ten application security awareness document, detailing the most critical web application security risks, was announced on 12th June.
The document is intended to be an introduction to application security risks for developers, and is freely available as a PDF and on wiki pages in English. Translations into other languages will follow as volunteers have time. It will also shortly be available as a printed booklet, available to buy at cost. The 2013 edition is:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Known Vulnerable Components
- A10 Unvalidated Redirects and Forwards
Compared with the previous edition in 2010, there is some minor re-ordering. Otherwise, "Insecure Cryptographic Storage" and "Insufficient Transport Layer Protection" have been merged into the new A6 "Sensitive Data Exposure", and "Failure to Restrict URL Access" has been broadened to A7 "Missing Function Level Access Control". Finally, the new "Using Known Vulnerable Components" used to be part of "Security Misconfiguration" but has been separated into a standalone named risk.
For further analysis I recommend Breaking Down the OWASP Top 10 Security Flaws for 2013 and New OWASP Top 10 Reflects Unchanged State Of Web Security.
If you reference the OWASP Top Ten, now is the time to update. The risks identified are an important first step towards developing secure software. Beyond this, read the sections for developers, testers and organisations at the end of the document, but I would also recommend this pair of related documents:
Posted on: 25 June 2013 at 11:00 hrs