Difference between revisions of "Top 10 2013"

From OWASP
m (deleted some <cr>s)
m (Fixed minor typos.)
 
(5 intermediate revisions by 2 users not shown)
Line 8: Line 8:
 
}}
 
}}
  
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstLeft|title={{Top_10:LanguageFile|text=forward}}|year=2013|language=en}}
+
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstLeft|title={{Top_10:LanguageFile|text=foreword}}|year=2013|language=en}}
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.
+
Insecure software is undermining our financial, healthcare,
 +
defense, energy, and other critical infrastructure. As our
 +
digital infrastructure gets increasingly complex and
 +
interconnected, the difficulty of achieving application
 +
security increases exponentially. We can no longer afford to
 +
tolerate relatively simple security problems like those
 +
presented in this OWASP Top 10.
  
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and [https://www.owasp.org/index.php/Industry:Citations many more]. This release of the OWASP Top 10 marks this project’s tenth anniversary of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, with minor updates in 2004 and 2007. The 2010 version was revamped to prioritize by risk, not just prevalence. This 2013 edition follows the same approach.
+
The goal of the Top 10 project is to raise awareness about
 +
application security by identifying some of the most critical
 +
risks facing organizations. The Top 10 project is referenced
 +
by many standards, books, tools, and organizations, including
 +
MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations|many more]]. This release of
 +
the OWASP Top 10 marks this project’s tenth anniversary of
 +
raising awareness of the importance of application security
 +
risks. The OWASP Top 10 was first released in 2003, with
 +
minor updates in 2004 and 2007. The 2010 version was
 +
revamped to prioritize by risk, not just prevalence. This 2013
 +
edition follows the same approach.
  
We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.  
+
We encourage you to use the Top 10 to get your organization
 +
started with application security. Developers can learn from
 +
the mistakes of other organizations. Executives should start
 +
thinking about how to manage the risk that software
 +
applications create in their enterprise.
  
In the long term, we encourage you to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes, and you should avoid attempting to do everything prescribed by some process model. Instead, leverage your organization’s existing strengths to do and measure what works for you.
+
In the long term, we encourage you to create an application
 +
security program that is compatible with your culture and
 +
technology. These programs come in all shapes and sizes,
 +
and you should avoid attempting to do everything prescribed
 +
by some process model. Instead, leverage your
 +
organization’s existing strengths to do and measure what
 +
works for you.
  
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to [mailto:owasp-topten@lists.owasp.org  owasp-topten@lists.owasp.org] or privately to [dave.wichers@owasp.org dave.wichers@owasp.org].  
+
We hope that the OWASP Top 10 is useful to your application
 +
security efforts. Please don’t hesitate to contact OWASP with
 +
your questions, comments, and ideas, either publicly to
 +
[mailto:owasp-topten@lists.owasp.org  owasp-topten@lists.owasp.org] or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].  
  
  
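Review bot: the substantive correction in this hunk is on its last changed line, where the private-contact link gains the `mailto:` scheme; the previous `[dave.wichers@owasp.org dave.wichers@owasp.org]` had no scheme, so MediaWiki would have rendered the brackets literally rather than as a link, and `[mailto:dave.wichers@owasp.org dave.wichers@owasp.org]` is the right form. That same line still ends in trailing whitespace and keeps a doubled space inside `[mailto:owasp-topten@lists.owasp.org  owasp-topten@lists.owasp.org]`; both are harmless when rendered but worth trimming while the line is being touched. The `text=forward` to `text=foreword` change in the template parameter at the top of the hunk is correct. Hard-wrapping the paragraphs does not change rendering, since single newlines inside a paragraph are joined, but it will make future diffs of this section noisier.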
Line 24: Line 53:
 
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  At OWASP you’ll find free and open …
 
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  At OWASP you’ll find free and open …
  
Application security tools and standards
+
* Application security tools and standards
Complete books on application security testing, secure code development, and secure code review
+
* Complete books on application security testing, secure code development, and secure code review
Standard security controls and libraries
+
* Standard security controls and libraries
[https://www.owasp.org/index.php/Category:OWASP_Chapter  Local chapters worldwide]
+
* [https://www.owasp.org/index.php/Category:OWASP_Chapter  Local chapters worldwide]
Cutting edge research
+
* Cutting edge research
[https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference  Extensive conferences worldwide]
+
* [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference  Extensive conferences worldwide]
Mailing lists
+
* Mailing lists
  
 
Learn more at: [https://www.owasp.org/  https://www.owasp.org]   
 
Learn more at: [https://www.owasp.org/  https://www.owasp.org]   
  
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.
+
All of the OWASP tools, documents, forums, and chapters are
 +
free and open to anyone interested in improving application
 +
security. We advocate approaching application security as a
 +
people, process, and technology problem, because the most
 +
effective approaches to application security require
 +
improvements in all of these areas.
  
OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open source software projects, OWASP produces many types of materials in a collaborative, open way.
+
OWASP is a new kind of organization. Our freedom from
 +
commercial pressures allows us to provide unbiased, practical,
 +
cost-effective information about application security. OWASP
 +
is not affiliated with any technology company, although we
 +
support the informed use of commercial security technology.
 +
Similar to many open source software projects, OWASP
 +
produces many types of materials in a collaborative, open way.
 +
 
 +
The OWASP Foundation is the non-profit entity that ensures
 +
the project’s long-term success. Almost everyone associated
 +
with OWASP is a volunteer, including the OWASP Board,
 +
Global Committees, Chapter Leaders, Project Leaders, and
 +
project members. We support innovative security research
 +
with grants and infrastructure.
  
The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.
 
  
 
Come join us!
 
Come join us!
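Review bot: the `* ` markers added to the seven items following `At OWASP you’ll find free and open …` are the right fix, since without them MediaWiki runs those lines together into a single paragraph. Two of the items, `[https://www.owasp.org/index.php/Category:OWASP_Chapter  Local chapters worldwide]` and the conferences link, still carry a doubled space between URL and label; that renders fine but a single space is the conventional form. The blank `+` line inserted before `The OWASP Foundation is the non-profit entity` is needed to keep it a separate paragraph from `produces many types of materials in a collaborative, open way.`; please confirm in the rendered revision that the original single-line copy of that paragraph shown below it no longer appears, so the paragraph is not duplicated.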

Latest revision as of 07:44, 4 July 2013

Foreword

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s tenth anniversary of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, with minor updates in 2004 and 2007. The 2010 version was revamped to prioritize by risk, not just prevalence. This 2013 edition follows the same approach.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

In the long term, we encourage you to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes, and you should avoid attempting to do everything prescribed by some process model. Instead, leverage your organization’s existing strengths to do and measure what works for you.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to owasp-topten@lists.owasp.org or privately to dave.wichers@owasp.org.


About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …

* Application security tools and standards
* Complete books on application security testing, secure code development, and secure code review
* Standard security controls and libraries
* Local chapters worldwide
* Cutting edge research
* Extensive conferences worldwide
* Mailing lists

Learn more at: https://www.owasp.org

All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open source software projects, OWASP produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.


Come join us!


© 2002-2013 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.