The OWASP Top Ten - 2010 has just been released. The document, from the Open Web Application Security Project, is aimed at developers and describes the 10 most critical web application security risks. Since it is referenced by the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS), it also has an immediate compliance effect on organisations with web-enabled payment systems.
OWASP Top Ten - 2010 was issued as a release candidate (RC) in November 2009 at OWASP's Washington DC AppSec Conference. This Top Ten assesses and ranks the risks on a combination of likelihood (how easily each weakness is found and exploited, and how prevalent it is) and technical impact. The document points out that each organisation needs to assess its own threat agents and, where possible, determine not just the technical impact but the business impact, and it recommends the Risk Rating Methodology from the OWASP Testing Guide for doing so.
Since November, there has been a wide-ranging discussion of the ranking and advice provided, and this has led to some minor changes to the final document. I contributed to the OWASP Top Ten Project as a document reviewer. The final Top Ten for 2010 has now been issued. As the document points out, these are only ten risks, and the most critical risks for an organisation's own information systems and business processes may be different.
OWASP recognises that not all of the titles are risks (some are names of vulnerabilities or attacks), but this has been done to use the most commonly recognisable terminology. Each item in the Top Ten includes a description, how the risk can occur, how to detect whether your application is vulnerable, example attack scenarios, how to prevent exploitation, and detailed references for further information from a wide range of sources. Of particular help are the various OWASP Cheat Sheets:
- SQL Injection Prevention Cheat Sheet
- XSS (Cross Site Scripting) Prevention Cheat Sheet
- Authentication Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Transport Layer Protection Cheat Sheet
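As an added illustration of the core advice in the SQL Injection Prevention Cheat Sheet listed above (this is example code written for this post, not code from OWASP or the Top Ten document), the block below shows the same lookup written with string concatenation and with a bound parameter. The table, the rows and the `' OR '1'='1` payload are constructed for the example; everything else is the Python standard library.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example: a small in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Builds the statement by string concatenation, so the attacker-controlled
    # value is parsed as part of the SQL grammar rather than treated as data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Placeholder plus bound parameter: the driver sends the value separately
    # from the statement text, so quotes inside it are never interpreted as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups with a benign name and with a classic tautology payload
    # and returns the result sets so the difference can be checked.
    conn = make_db()
    benign = "alice"
    payload = "' OR '1'='1"  # constructed attack input for the example
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        "param_benign": lookup_parameterized(conn, benign),
        "param_payload": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the payload turns the WHERE clause into `username = '' OR '1'='1'` and every row in the table comes back; with the bound parameter the same input is simply a username nobody has, and the query returns nothing. The hardened version also needs no escaping of its own, which is why the cheat sheet puts parameterised queries ahead of escaping as the primary defence.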
For those who want to go beyond the Top Ten, the document provides guidance for developers, verifiers and organisations about what they can do next. It encourages organisations to consider an application risk management programme, not just awareness training, application testing and remediation. It is a great starting point for developers with less knowledge of application security and is now also a handy reference for more experienced teams. For example, the November RC1 version was used as the basis for over three hours of discussion on web application security at last Friday's OWASP London Free Training event.
The 2010 edition supersedes the previous 2007 edition. It is distributed under a Creative Commons (CC) Attribution Share-Alike licence and can be downloaded for free from the OWASP website or purchased as a printed book, at cost. The screen captures above are subject to this licence.
Posted on: 19 April 2010 at 16:01 hrs