Top 10 2010

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application, as discussed in the OWASP Developer's Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications is provided in the OWASP Testing Guide and the OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify.

Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.

 * Release Notes
 * The OWASP 2010 Top 10
 * What's Next for Developers
 * What's Next for Verifiers
 * What's Next for Organizations
 * Notes About Risk
 * Details About Risk Factors

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:
 * Jeff Williams
 * Dave Wichers

We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:
 * Aspect Security
 * MITRE – CVE
 * Softtek
 * WhiteHat Security Inc. – Statistics

We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:
 * Mike Boberski (Booz Allen Hamilton)
 * Juan Carlos Calderon (Softtek)
 * Michael Coates (Aspect Security)
 * Jeremiah Grossman (WhiteHat Security Inc.)
 * Jim Manico (for all the Top 10 podcasts)
 * Paul Petefish (Solutionary, Inc.)
 * Eric Sheridan (Aspect Security)
 * Neil Smithline (OneStopAppSecurity.com)
 * Andrew van der Stock
 * Colin Watson (Watson Hall, Ltd.)
 * OWASP Denmark Chapter (Led by Ulf Munkedal)
 * OWASP Sweden Chapter (Led by John Wilander)