Difference between revisions of "Top 10 2010"

From OWASP
Jump to: navigation, search
m
 
(15 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+
{{Top_10_2010:TopTemplate|usenext=2010NextLink|next=Release Notes|useprev=Nothing|prev=}}
 +
=NOTE: THIS IS NOT THE LATEST VERSION=
  
{{Top_10_2010:SubsectionColoredTemplate|Forward|
+
Please visit the [[OWASP Top 10]] project page to find the latest edition.
 +
{{Top_10_2010:SubsectionColoredTemplate|Foreword|
 
Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.
 
Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.
  
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and [http://www.owasp.org/index.php/Industry:Citations many more]. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
+
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations | many more]]. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
  
 
We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.  
 
We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.  
Line 10: Line 12:
 
But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.
 
But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.
  
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [mailto:OWASP-TopTen@lists.owasp.org OWASP-TopTen@lists.owasp.org]or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].}}  
+
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [mailto:OWASP-TopTen@lists.owasp.org OWASP-TopTen@lists.owasp.org] or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].}}  
 
{{Top_10_2010:SubsectionColoredTemplate|Welcome|
 
{{Top_10_2010:SubsectionColoredTemplate|Welcome|
Welcome to the OWASP Top 10 2010!  This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.
+
Welcome to the OWASP Top 10 2010!  This significant update presents a more concise, risk focused list of the '''Top 10 Most Critical Web Application Security Risks'''. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.
  
 
For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.
 
For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.
  
 
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.}}  
 
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.}}  
{{Top_10_2010:SubsectionColoredTemplate|Warnings|
+
{{Top_10_2010:SubsectionColoredTemplate|Warnings|}}
Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer’s Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the OWASP Testing Guide and OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.
+
'''Don’t stop at 10'''. There are hundreds of issues that could affect the overall security of a web application as discussed in the [[Guide | OWASP Developer's Guide]]. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the [[:Category:OWASP_Testing_Project | OWASP Testing Guide]] and the [[:Category:OWASP_Code_Review_Project | OWASP Code Review Guide]], which have both been significantly updated since the previous release of the OWASP Top 10.
  
Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
+
'''Constant change'''. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
  
Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify.
+
'''Think positive'''. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the [[ASVS | Application Security Verification Standard (ASVS)]] as a guide to organizations and application reviewers on what to verify.
 
Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
 
Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
  
Push left. Secure web applications are only possible when a secure software development lifecycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.}}
+
'''Push left'''. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the [[:Category:Software_Assurance_Maturity_Model | Open Software Assurance Maturity Model (SAMM)]], which is a major update to the [[:Category:OWASP_CLASP_Project | OWASP CLASP Project]].
  
 
{{Top_10_2010:SubsectionColoredTemplate|The Pages of the Top 10|}}
 
{{Top_10_2010:SubsectionColoredTemplate|The Pages of the Top 10|}}
 
<div style="font-size: 150%; font-weight: bold;">
 
<div style="font-size: 150%; font-weight: bold;">
* [[Top 10 2010-Main|The 2010 Top 10]]
+
* [[Top 10 2010-Release Notes|Release Notes]]
 +
* [[Top 10 2010-Main|The OWASP 2010 Top 10]]
 
* [[Top_10_2010-What's_Next_For_Developers|What's Next for Developers]]
 
* [[Top_10_2010-What's_Next_For_Developers|What's Next for Developers]]
 
* [[Top_10_2010-What's_Next_For_Verifiers|What's Next for Verifiers]]
 
* [[Top_10_2010-What's_Next_For_Verifiers|What's Next for Verifiers]]
Line 38: Line 41:
  
  
{{Top_10_2010:SubsectionColoredTemplate|Acknowledgments|
+
{{Top_10_2010:SubsectionColoredTemplate|Acknowledgments|}}
Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.  
+
Thanks to [http://www.aspectsecurity.com Aspect Security] for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:<BR>
 +
 
 +
* [[User:Jeff Williams|Jeff Williams]]
 +
* [[User:wichers|Dave Wichers]]
 +
 
 +
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
  
 
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:  
 
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:  
  
*Aspect Security  
+
* [http://www.aspectsecurity.com Aspect Security]
*MITRE – CVE  
+
* [http://www.mitre.org MITRE] [http://cve.mitre.org CVE]
*Softtek  
+
* [http://www.softtek.com Softtek]
*White Hat Security – Statistics
+
* [http://www.whitehatsec.com WhiteHat Security Inc.] [http://www.whitehatsec.com/home/resource/stats.html Statistics]
  
 
We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:  
 
We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:  
 
*Mike Boberski (Booz Allen Hamilton)  
 
*Mike Boberski (Booz Allen Hamilton)  
*Juan Carlos Calderon (Softtek)
+
*Juan Carlos Calderon ([http://www.softtek.com Softtek])
 
*Michael Coates (Aspect Security)  
 
*Michael Coates (Aspect Security)  
*Jeremiah Grossman (White Hat Security Inc.)  
+
*Jeremiah Grossman (WhiteHat Security Inc.)  
 
*Jim Manico (for all the Top 10 podcasts)  
 
*Jim Manico (for all the Top 10 podcasts)  
 
*Paul Petefish (Solutionary, Inc.)
 
*Paul Petefish (Solutionary, Inc.)
*Eric Sheridan (Aspect Security)  
+
*Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])  
 
*Neil Smithline ([http://www.OneStopAppSecurity.com OneStopAppSecurity.com])  
 
*Neil Smithline ([http://www.OneStopAppSecurity.com OneStopAppSecurity.com])  
 
*Andrew van der Stock  
 
*Andrew van der Stock  
Line 61: Line 69:
 
*OWASP Denmark Chapter (Led by Ulf Munkedal)  
 
*OWASP Denmark Chapter (Led by Ulf Munkedal)  
 
*OWASP Sweden Chapter (Led by John Wilander)
 
*OWASP Sweden Chapter (Led by John Wilander)
}}
 
  
<br> <br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+
{{Top_10_2010:BottomTemplate|usenext=2010NextLink|next=Release Notes|useprev=Nothing|prev=}}
 +
[[Category:OWASP Top Ten Project]]

Latest revision as of 16:20, 3 July 2013

 
Top 10 Introduction
Top 10 Risks
Release Notes →

NOTE: THIS IS NOT THE LATEST VERSION

Please visit the OWASP Top 10 project page to find the latest edition.

Foreword

Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to OWASP-TopTen@lists.owasp.org or privately to dave.wichers@owasp.org.

Welcome

Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.

For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

Warnings

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer's Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the OWASP Testing Guide and the OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify. Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.

The Pages of the Top 10


Acknowledgments

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:

Aspect_logo_owasp.jpg       

We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:

We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:

  • Mike Boberski (Booz Allen Hamilton)
  • Juan Carlos Calderon (Softtek)
  • Michael Coates (Aspect Security)
  • Jeremiah Grossman (WhiteHat Security Inc.)
  • Jim Manico (for all the Top 10 podcasts)
  • Paul Petefish (Solutionary, Inc.)
  • Eric Sheridan (Aspect Security)
  • Neil Smithline (OneStopAppSecurity.com)
  • Andrew van der Stock
  • Colin Watson (Watson Hall, Ltd.)
  • OWASP Denmark Chapter (Led by Ulf Munkedal)
  • OWASP Sweden Chapter (Led by John Wilander)


 
Top 10 Introduction
Top 10 Risks
Release Notes →

© 2002-2010 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png