Top 10 2010-Release Notes

From OWASP
Revision as of 10:08, 22 April 2010 by Wichers (Talk | contribs)

What Changed From 2007 to 2010?

The threat landscape for Internet applications constantly changes. Key factors in this evolution are advances made by attackers, the release of new technology, as well as the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2010 release, we have made three significant changes:

  1. We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the “Application Security Risks” page below.
  2. We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This has affected the ordering of the Top 10, as you can see in the table below.
  3. We replaced two items on the list with two new items:
  • ADDED: A6 – Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped in 2007 because it wasn’t considered to be a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10; so now it’s back.
  • ADDED: A10 – Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.
  • REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
  • REMOVED: A6 – Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal. With the addition of Security Misconfiguration this year, proper configuration of error handling is a big part of securely configuring your application and servers.


OWASP Top 10 - 2007 (Previous Version)                  | OWASP Top 10 - 2010 (Current Version)
--------------------------------------------------------+--------------------------------------------------
A2-Injection Flaws                                      | A1-Injection
A1-Cross Site Scripting (XSS)                           | A2-Cross Site Scripting (XSS)
A7-Broken Authentication and Session Management         | A3-Broken Authentication and Session Management
A4-Insecure Direct Object Reference                     | A4-Insecure Direct Object References
A5-Cross Site Request Forgery (CSRF)                    | A5-Cross Site Request Forgery (CSRF)
(was T10 2004 A10-Insecure Configuration Management)    | A6-Security Misconfiguration (NEW)
A8-Insecure Cryptographic Storage                       | A7-Insecure Cryptographic Storage
A10-Failure to Restrict URL Access                      | A8-Failure to Restrict URL Access
A9-Insecure Communications                              | A9-Insufficient Transport Layer Protection
(not in 2007 Top 10)                                    | A10-Unvalidated Redirects and Forwards (NEW)
A3-Malicious File Execution                             | <dropped from 2010 Top 10>
A6-Information Leakage and Improper Error Handling      | <dropped from 2010 Top 10>

© 2002-2010 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.