Difference between revisions of "Top 10 2013"

From OWASP
m (Fixed minor typos.)
 
(14 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<!-- SEE BOTTOM OF FILE FOR PORTING THIS T10 TO A NEW YEAR -->
+
{{Top_10_2013:TopTemplate
{{Top_10_2013:TopTemplate|usenext=2013NextLink|next=Release Notes|useprev=Nothing|prev=}}
+
  |usenext=2013NextLink
{{Top_10_2010:SubsectionColoredTemplate|Foreword|
+
  |next={{Top_10:LanguageFile|text=introduction|language=en|year=2013|language=en}}
Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.
+
  |useprev=Nothing
 +
  |prev=
 +
  |year=2013
 +
  |language=en
 +
}}
  
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations | many more]]. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
+
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstLeft|title={{Top_10:LanguageFile|text=foreword}}|year=2013|language=en}}
 +
Insecure software is undermining our financial, healthcare,
 +
defense, energy, and other critical infrastructure. As our
 +
digital infrastructure gets increasingly complex and
 +
interconnected, the difficulty of achieving application
 +
security increases exponentially. We can no longer afford to
 +
tolerate relatively simple security problems like those
 +
presented in this OWASP Top 10.
  
We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.  
+
The goal of the Top 10 project is to raise awareness about
 +
application security by identifying some of the most critical
 +
risks facing organizations. The Top 10 project is referenced
 +
by many standards, books, tools, and organizations, including
 +
MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations|many more]]. This release of
 +
the OWASP Top 10 marks this project’s tenth anniversary of
 +
raising awareness of the importance of application security
 +
risks. The OWASP Top 10 was first released in 2003, with
 +
minor updates in 2004 and 2007. The 2010 version was
 +
revamped to prioritize by risk, not just prevalence. This 2013
 +
edition follows the same approach.
  
But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.
+
We encourage you to use the Top 10 to get your organization
 +
started with application security. Developers can learn from
 +
the mistakes of other organizations. Executives should start
 +
thinking about how to manage the risk that software
 +
applications create in their enterprise.
  
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [mailto:OWASP-TopTen@lists.owasp.org OWASP-TopTen@lists.owasp.org] or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].}}
+
In the long term, we encourage you to create an application
{{Top_10_2010:SubsectionColoredTemplate|Welcome|
+
security program that is compatible with your culture and
Welcome to the OWASP Top 10 2010!  This significant update presents a more concise, risk focused list of the '''Top 10 Most Critical Web Application Security Risks'''. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions. It also provides additional information on how to assess these risks for your applications.
+
technology. These programs come in all shapes and sizes,
 +
and you should avoid attempting to do everything prescribed
 +
by some process model. Instead, leverage your
 +
organization’s existing strengths to do and measure what
 +
works for you.
  
For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws, and pointers to links with more information.
+
We hope that the OWASP Top 10 is useful to your application
 +
security efforts. Please don’t hesitate to contact OWASP with
 +
your questions, comments, and ideas, either publicly to
 +
[mailto:owasp-topten@lists.owasp.org  owasp-topten@lists.owasp.org] or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].  
  
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.}}
 
{{Top_10_2010:SubsectionColoredTemplate|Warnings|}}
 
'''Don’t stop at 10'''. There are hundreds of issues that could affect the overall security of a web application as discussed in the [[Guide | OWASP Developer's Guide]]. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the [[:Category:OWASP_Testing_Project | OWASP Testing Guide]] and the [[:Category:OWASP_Code_Review_Project | OWASP Code Review Guide]], which have both been significantly updated since the previous release of the OWASP Top 10.
 
  
'''Constant change'''. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=right|title={{Top_10:LanguageFile|text=aboutOWASP}}|year=2013|language=en}}
  
'''Think positive'''. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the [[ASVS | Application Security Verification Standard (ASVS)]] as a guide to organizations and application reviewers on what to verify.
+
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …
Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
+
  
'''Push left'''. Secure web applications are only possible when a secure software development life-cycle is used. For guidance on how to implement a secure SDLC, we recently released the [[:Category:Software_Assurance_Maturity_Model | Open Software Assurance Maturity Model (SAMM)]], which is a major update to the [[:Category:OWASP_CLASP_Project | OWASP CLASP Project]].
+
* Application security tools and standards
 +
* Complete books on application security testing, secure code development, and secure code review
 +
* Standard security controls and libraries
 +
* [https://www.owasp.org/index.php/Category:OWASP_Chapter  Local chapters worldwide]
 +
* Cutting edge research
 +
* [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference  Extensive conferences worldwide]
 +
* Mailing lists
  
{{Top_10_2010:SubsectionColoredTemplate|The Pages of the Top 10|}}
+
Learn more at: [https://www.owasp.org/  https://www.owasp.org]
<div style="font-size: 150%; font-weight: bold;">
+
* [[Top 10 2010-Release Notes|Release Notes]]
+
* [[Top 10 2010-Main|The OWASP 2010 Top 10]]
+
* [[Top_10_2010-What's_Next_For_Developers|What's Next for Developers]]
+
* [[Top_10_2010-What's_Next_For_Verifiers|What's Next for Verifiers]]
+
* [[Top_10_2010-What's_Next_For_Organizations|What's Next for Organizations]]
+
* [[Top_10_2010-Notes About Risk|Notes About Risk]]
+
* [[Top_10_2010-Details_About_Risk_Factors|Details About Risk Factors]]
+
</div>
+
  
 +
All of the OWASP tools, documents, forums, and chapters are
 +
free and open to anyone interested in improving application
 +
security. We advocate approaching application security as a
 +
people, process, and technology problem, because the most
 +
effective approaches to application security require
 +
improvements in all of these areas.
  
{{Top_10_2010:SubsectionColoredTemplate|Acknowledgments|}}
+
OWASP is a new kind of organization. Our freedom from
Thanks to [http://www.aspectsecurity.com Aspect Security] for initiating, leading, and updating the OWASP Top 10 since its inception in 2002, and to its primary authors:<BR>
+
commercial pressures allows us to provide unbiased, practical,
 +
cost-effective information about application security. OWASP
 +
is not affiliated with any technology company, although we
 +
support the informed use of commercial security technology.
 +
Similar to many open source software projects, OWASP
 +
produces many types of materials in a collaborative, open way.
  
* [[User:Jeff Williams|Jeff Williams]]
+
The OWASP Foundation is the non-profit entity that ensures
* [[User:wichers|Dave Wichers]]
+
the project’s long-term success. Almost everyone associated
 +
with OWASP is a volunteer, including the OWASP Board,
 +
Global Committees, Chapter Leaders, Project Leaders, and
 +
project members. We support innovative security research
 +
with grants and infrastructure.
  
[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
 
  
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2010 update:
+
Come join us!
 
+
</td></tr></table>
* [http://www.aspectsecurity.com Aspect Security]
+
{{Top_10_2013:BottomTemplate
* [http://www.mitre.org MITRE] – [http://cve.mitre.org CVE]
+
  |usenext=2013NextLink
* [http://www.softtek.com Softtek]
+
  |next={{Top_10:LanguageFile|text=introduction|language=en|year=2013|language=en}}
* [http://www.whitehatsec.com WhiteHat Security Inc.] – [http://www.whitehatsec.com/home/resource/stats.html Statistics]
+
  |useprev=Nothing
 
+
  |prev=
We’d also like to thank those who have contributed significant content or time reviewing this update of the Top 10:
+
  |year=2013
*Mike Boberski (Booz Allen Hamilton)
+
  |language=en
*Juan Carlos Calderon ([http://www.softtek.com Softtek])
+
}}
*Michael Coates (Aspect Security)
+
*Jeremiah Grossman (WhiteHat Security Inc.)
+
*Jim Manico (for all the Top 10 podcasts)
+
*Paul Petefish (Solutionary, Inc.)
+
*Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
+
*Neil Smithline ([http://www.OneStopAppSecurity.com OneStopAppSecurity.com])
+
*Andrew van der Stock
+
*Colin Watson (Watson Hall, Ltd.)
+
*OWASP Denmark Chapter (Led by Ulf Munkedal)
+
*OWASP Sweden Chapter (Led by John Wilander)
+
 
+
{{Top_10_2013:BottomTemplate|usenext=2013NextLink|next=Release Notes|useprev=Nothing|prev=}}
+
 
[[Category:OWASP Top Ten Project]]
 
[[Category:OWASP Top Ten Project]]
 
<!-----------------------------------------------------------
 
  Moving this T10 to a new year. Moving from 2013 to
 
  2016 is used as an example.
 
  -----------------------------------------------------------
 
1) There are 5 templates that are 2013 specific:
 
  - Template:2013NextLink
 
  - Template:2013PrevLink
 
  - Template:2013CenterLink
 
  - Template:Top 10 2013:BottomTemplate
 
  - Template:Top 10 2013:TopTemplate
 
 
Create new versions of each of these templates. An alternative is to paramatize the existing 2013 templates. That would likely be better but I'm not Wiki-savvy enough to do it and, as it's only 5 simple templates, I'm not motivated to fix it. If you modify the existing templates, be sure that the default is for the year 2013 or you will break the 2013 T10 Wiki.
 
 
2) Create the 2013 pages for the introductory and concluding material. DO NOT DO THIS FOR THE 10 RISK PAGES!
 
 
3) For each of the 10 risk pages, create a new page that has the risk number but not the risk name. For example, https://www.owasp.org/index.php/Top_10_2016-A3. Do not create the pages with the risk names on them (eg: https://www.owasp.org/index.php/Top_10_2013-A3-My-Risk).
 
 
4) Copy the content from the edit tab of each page of the 2013 T10 to the corresponding 2016 T10. That should move these instructions along with the rest of the T10.
 
 
5) For each page of the 2016 T10, change all of the 2013's in the source to 2016's.
 
 
6) Remove 2013 content and replace it with 2016. If the formatting has changed between 2013 and 2016 you will need to change the formatting as well.
 
 
7) Use the Wiki's move page to move each of the risk pages (eg: https://www.owasp.org/index.php/Top_10_2016-A3) to their final location (eg: https://www.owasp.org/index.php/Top_10_2016-A3-My-Risk). This step is done to allow either easy URL lookup just by the risk ID or complete URL look by the risk ID and risk name.
 
 
8) If needed, update these instructions.
 
 
9) Congratulate yourself!
 
 
  -----------------------------------------------------------
 
  End of instructions
 
  ------------------------------------------------------- -->
 

Latest revision as of 07:44, 4 July 2013

Foreword

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s tenth anniversary of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, with minor updates in 2004 and 2007. The 2010 version was revamped to prioritize by risk, not just prevalence. This 2013 edition follows the same approach.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

In the long term, we encourage you to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes, and you should avoid attempting to do everything prescribed by some process model. Instead, leverage your organization’s existing strengths to do and measure what works for you.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to owasp-topten@lists.owasp.org or privately to dave.wichers@owasp.org.


About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …

* Application security tools and standards
* Complete books on application security testing, secure code development, and secure code review
* Standard security controls and libraries
* Local chapters worldwide
* Cutting edge research
* Extensive conferences worldwide
* Mailing lists

Learn more at: https://www.owasp.org

All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open source software projects, OWASP produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.


Come join us!


© 2002-2013 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.