Commentary OWASP Top Ten 2004 Project
J. Howard Beales, III
- Director of the Federal Trade Commission's Bureau of Consumer Protection
- Before the Information Technology Association of America's Internet Policy Committee, Friday, December 12, 2003
"With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. But there is help in the form of consensus lists of vulnerabilities and defenses. The Open Web Application Security Project has produced a similar list of the 10 most critical Web application and databases security vulnerabilities and the most effective ways to address them. Application vulnerabilities are often neglected, but they are as important to deal with as network issues. If every company eliminated these common vulnerabilities, their work wouldn't be done, but they, and the Internet, would be significantly safer."
Eugene H. Spafford
- Professor of Computer Sciences, Purdue University
- Executive Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS)
"Misconfiguration, inattention, and flawed software can spell disaster on the Internet. One of the primary areas of vulnerability is through WWW connections. By design, WWW services are intended to be open and accepting, and usually act as an interface to valuable resources. As such, it is critical that these services be secured. But with hundreds of potential vulnerabilities it can be overly daunting to decide where to start applying defensive measures. The OWASP Top 10 provides a consensus view of the most significant and likely vulnerabilities in custom WWW applications. Organizations should use it to focus their efforts, giving them confidence they are addressing those areas that will have the most impact on securing their applications."
Dr. Peter G. Neumann
- Principal Scientist, SRI International Computer Science Lab
- Moderator of the ACM Risks Forum, Author of "Computer-Related Risks"
"This ‘Ten-Most-Wanting’ List acutely scratches at the tip of an enormous iceberg. The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."