Difference between revisions of "Top 10 2013-Release Notes"

From OWASP
(Created page with "= TEMPORARY PLACEHOLDER for 2013 T10 = {{Top_10_2013:TopTemplate|usenext=2013NextLink|useprev=2013PrevLink|prev=Introduction|next=Main}} {{Top_10_2010:SubsectionColoredTempla...")
 
m (Removed typo.)
 
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= TEMPORARY PLACEHOLDER for 2013 T10 =
+
{{Top_10_2013:TopTemplate
{{Top_10_2013:TopTemplate|usenext=2013NextLink|useprev=2013PrevLink|prev=Introduction|next=Main}}
+
    |usenext=2013NextLink
{{Top_10_2010:SubsectionColoredTemplate|What Changed From 2007 to 2010?|}}
+
    |next={{Top_10:LanguageFile|text=risk|year=2013|language=en}}
The threat landscape for Internet applications constantly changes. Key factors in this evolution are advances made by attackers, the release of new technology, as well as the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2010 release, we have made three significant changes:
+
    |useprev=2013PrevLink
# We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the “Application Security Risks” page below.
+
    |prev={{Top_10:LanguageFile|text=introduction|year=2013|language=en}}
# We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This has affected the ordering of the Top 10, as you can see in the table below.
+
    |year=2013
# We replaced two items on the list with two new items:
+
    |language=en
<div style="margin-left: 50px;">
+
}}
* ADDED: A6 – Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped in 2007 because it wasn’t considered to be a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10; so now it’s back.
+
* ADDED: A10 – Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.
+
* REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
+
* REMOVED: A6 – Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal. With the addition of Security Misconfiguration this year, proper configuration of error handling is a big part of securely configuring your application and servers.</div>
+
  
 +
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title={{Top_10:LanguageFile|text=whatChangedFrom2010to2013|year=2013|language=en}}|width=100%|year=2013|language=en}}
 +
The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:
 +
<ol>
 +
<li>Broken Authentication and Session Management moved up in prevalence based on our data set. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.</li>
 +
<li>Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.</li>
 +
<li>We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:
 +
<p style="padding-left: 2em; text-indent: -2em;">
 +
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;2010-A8: Failure to Restrict URL Access is now <u>2013-A7: Missing Function Level Access Control</u> – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.</p></li>
 +
<li>We merged and broadened 2010-A7 & 2010-A9 to CREATE: <u>2013-A6: Sensitive Data Exposure</u>:
 +
<p style="padding-left: 2em; text-indent: -2em;">
 +
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This new category was created by merging 2010-A7 – Insecure Cryptographic Storage  & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.</p></li>
 +
<li>We added: <u>2013-A9: Using Components with Known Vulnerabilities</u>:
 +
<p style="padding-left: 2em; text-indent: -2em;">
 +
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own as the growth and depth of component based development has significantly increased the risk of using components with known vulnerabilities.</p></li>
 +
</ol>
 +
{{Top_10:SubsectionTableEndTemplate}}
  
 
<center>
 
<center>
{| style="width: 100%; align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"  
+
{| style="width: 99%; align:center; text-align:center; border: 2px solid #4d953d; background-color:#F2F2F2; padding=2;"  
|- style="background-color: #4F81Bd; color: #FFFFFF;"
+
|- style="background-color: #4d953d; color: #FFFFFF;"
! OWASP Top 10 - 2007 (Previous Version) !! OWASP Top 10 - 2010 (Current Version)
+
! OWASP Top 10 - 2010 (Previous Version) !! OWASP Top 10 - 2013 (Current Version)
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
| [[Top_10_2007-A2 | A2-Injection Flaws]]
 
 
| [[Top_10_2010-A1 | A1-Injection]]
 
| [[Top_10_2010-A1 | A1-Injection]]
 +
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]
 +
|- style="background-color: #FFFFFF;"
 +
| [[Top_10_2010-A3 | A3-Broken Authentication and Session Management]]
 +
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
| [[Top_10_2007-A1 | A1-Cross Site Scripting (XSS)]]
 
 
| [[Top_10_2010-A2 | A2-Cross Site Scripting (XSS)]]
 
| [[Top_10_2010-A2 | A2-Cross Site Scripting (XSS)]]
 +
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
| [[Top_10_2007-A7 | A7-Broken Authentication and Session Management]]
+
| [[Top_10_2010-A4 | A4-Insecure Direct Object Reference]]
| [[Top_10_2010-A3 | A3-Broken Authentication and Session Management]]
+
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
| [[Top_10_2007-A4 | A4-Insecure Direct Object Reference]]
+
| [[Top_10_2010-A6 | A6-Security Misconfiguration]]
| [[Top_10_2010-A4 | A4-Insecure Direct Object References]]
+
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]]
 +
|- style="background-color: #D7D6C0;"
 +
| [[Top_10_2010-A7 | A7-Insecure Cryptographic Storage - Merged with A9 -->]]
 +
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]]
 +
|- style="background-color: #D7D6C0;"
 +
| [[Top_10_2010-A8 | A8-Failure to Restrict URL Access - Broadened into -->]]
 +
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
 
| [[Top_10_2007-A5 | A5-Cross Site Request Forgery (CSRF)]]
 
| [[Top_10_2007-A5 | A5-Cross Site Request Forgery (CSRF)]]
| [[Top_10_2010-A5 | A5-Cross Site Request Forgery (CSRF)]]
+
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]
 
|- style="background-color: #D7D6C0;"  
 
|- style="background-color: #D7D6C0;"  
| [[A10_2004_Insecure_Configuration_Management | (was T10 2004 A10 - Insecure Configuration Management)]]
+
| [[Top_10_2010-A6 | <buried in A6: Security Misconfiguration>]]
| [[Top_10_2010-A6 | A6 Security Misconfiguration (NEW)]]
+
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]]
 
|- style="background-color: #FFFFFF;"  
 
|- style="background-color: #FFFFFF;"  
| [[Top_10_2007-A8 | A8-Insecure Cryptographic Storage]]
+
| [[Top_10_2010-A10 | A10-Unvalidated Redirects and Forwards]]
| [[Top_10_2010-A7 | A7-Insecure Cryptographic Storage]]
+
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
+
|- style="background-color: #E6B9B8;"  
| [[Top_10_2007-A10 | A10-Failure to Restrict URL Access]]
+
| [[Top_10_2010-A8 | A8-Failure to Restrict URL Access]]
+
|- style="background-color: #FFFFFF;"  
+
| [[Top_10_2007-A9 | A9-Insecure Communications]]
+
 
| [[Top_10_2010-A9 | A9-Insufficient Transport Layer Protection]]
 
| [[Top_10_2010-A9 | A9-Insufficient Transport Layer Protection]]
|- style="background-color: #D7D6C0;"
+
| Merged with [[Top_10_2010-A7 | 2010-A7]] into [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|2013-A6]]
| (not in 2007 Top 10)
+
| [[Top_10_2010-A10 | A10-Unvalidated Redirects and Forwards (NEW)]]
+
|- style="background-color: #E6B9B8;"
+
| [[Top_10_2007-A3 | A3-Malicious File Execution]]
+
| <dropped from 2010 Top 10>
+
|- style="background-color: #E6B9B8;"
+
| [[Top_10_2007-A6 | A6-Information Leakage and Improper Error Handling]]
+
| <dropped from 2010 Top 10>
+
 
|}
 
|}
 
</center>
 
</center>
{{Top_10_2013:BottomTemplate|usenext=2013NextLink|useprev=2013PrevLink|prev=Introduction|next=Main}}
+
{{Top_10_2013:BottomTemplate
[[Category:OWASP Top Ten Project]]
+
  |usenext=2013NextLink
 +
  |useprev=2013PrevLink
 +
  |next={{Top_10:LanguageFile|text=risk|year=2013|language=en}}
 +
  |useprev=2013PrevLink
 +
  |prev={{Top_10:LanguageFile|text=introduction|year=2013|language=en}}
 +
  |year=2013
 +
  |language=en
 +
}}
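Review bot: The BottomTemplate call at the end of this hunk passes |useprev=2013PrevLink twice (once before |next= and again before |prev=); drop the second occurrence so each parameter is supplied once, matching the TopTemplate call at the top of the hunk. Two wording fixes in the new "What Changed From 2010 to 2013?" paragraph: "applications security" should read "application security", and "more built in defenses" should be hyphenated as "more built-in defenses".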

Latest revision as of 04:34, 5 July 2013

What Changed From 2010 to 2013?

The threat landscape for application security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built-in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:

  1. Broken Authentication and Session Management moved up in prevalence based on our data set, probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.
  2. Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set, from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real-world applications.
  3. We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:
       2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control, to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.
  4. We merged and broadened 2010-A7 and 2010-A9 to create 2013-A6: Sensitive Data Exposure:
       This new category was created by merging 2010-A7 - Insecure Cryptographic Storage and 2010-A9 - Insufficient Transport Layer Protection, plus adding browser-side sensitive data risks as well. It covers sensitive data protection (other than access control, which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.
  5. We added 2013-A9: Using Components with Known Vulnerabilities:
       This issue was mentioned as part of 2010-A6 - Security Misconfiguration, but now has a category of its own, as the growth and depth of component-based development has significantly increased the risk of using components with known vulnerabilities.
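The point behind the 2010-A8 to 2013-A7 rename is that a check keyed on the URL does not protect a function that can also be reached another way. The following is an added example, not OWASP's code: a constructed mini-dispatcher in which the same privileged function (delete_user, hypothetical) is selectable either by the last segment of an /admin/ path or by an "action" parameter on a generic endpoint. The first dispatcher gates only the /admin/ prefix and is bypassed via the parameter; the second attaches the required role to the function itself and denies anything unmapped by default. The Request model, the roles and the two business functions are all assumptions made for the illustration.

```python
"""Function-level access control: a URL-only guard beside a per-function guard.

Constructed example (not OWASP's code). The request model, roles and the
two business functions are hypothetical; the point is that a privileged
function can be selected in more than one way, so the check must sit on
the function, not on one URL pattern.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)  # query or form fields
    role: str = "anonymous"  # role bound to the authenticated session


class Forbidden(Exception):
    """Raised when the caller may not invoke the selected function."""


# Hypothetical application functions.
def list_users(req: Request) -> str:
    return "users: alice, bob"


def delete_user(req: Request) -> str:
    return "deleted " + req.params.get("name", "?")


ACTIONS: Dict[str, Callable[[Request], str]] = {
    "listUsers": list_users,
    "deleteUser": delete_user,
}


def select_action(req: Request) -> str:
    """The function name can come from the last path segment under /admin/
    or from an 'action' parameter on a generic endpoint. Real applications
    add more routes (POST bodies, headers, RPC method names) the same way."""
    if req.path.startswith("/admin/"):
        return req.path[len("/admin/"):]
    return req.params.get("action", "")


def dispatch_url_guarded(req: Request) -> str:
    """2010-A8 style: the check is keyed on the URL. Only /admin/* is gated,
    so /app/do?action=deleteUser reaches delete_user with no check at all."""
    if req.path.startswith("/admin/") and req.role != "admin":
        raise Forbidden(req.path)
    fn = ACTIONS.get(select_action(req))
    if fn is None:
        raise LookupError("no such action")
    return fn(req)


# 2013-A7 remedy: the required role is a property of the function itself.
REQUIRED_ROLE: Dict[str, str] = {"listUsers": "user", "deleteUser": "admin"}
ROLE_RANK: Dict[str, int] = {"anonymous": 0, "user": 1, "admin": 2}


def dispatch_function_guarded(req: Request) -> str:
    """Resolve the function first, then check the role attached to it,
    however the function was named. Unknown or unmapped functions are
    denied by default."""
    action = select_action(req)
    fn = ACTIONS.get(action)
    required = REQUIRED_ROLE.get(action)
    if fn is None or required is None:
        raise Forbidden(action or "<none>")
    if ROLE_RANK.get(req.role, 0) < ROLE_RANK[required]:
        raise Forbidden(action)
    return fn(req)


def outcome(dispatcher: Callable[[Request], str], req: Request) -> str:
    """Run a dispatcher and fold the access decision into a comparable string."""
    try:
        return dispatcher(req)
    except Forbidden:
        return "403"


if __name__ == "__main__":
    admin_direct = Request("POST", "/admin/deleteUser", {"name": "bob"}, role="admin")
    user_bypass = Request("POST", "/app/do", {"action": "deleteUser", "name": "bob"}, role="user")
    print("url-guarded, admin via /admin/:      ", outcome(dispatch_url_guarded, admin_direct))
    print("url-guarded, user via ?action=:      ", outcome(dispatch_url_guarded, user_bypass))
    print("function-guarded, user via ?action=: ", outcome(dispatch_function_guarded, user_bypass))
```

The hardened dispatcher is deliberately deny-by-default: a function with no entry in REQUIRED_ROLE is refused even to an admin, so adding a new privileged function without declaring its role fails closed rather than open.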

OWASP Top 10 - 2010 (Previous Version)                    | OWASP Top 10 - 2013 (Current Version)
----------------------------------------------------------|------------------------------------------------------
A1-Injection                                              | A1-Injection
A3-Broken Authentication and Session Management           | A2-Broken Authentication and Session Management
A2-Cross Site Scripting (XSS)                             | A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References                      | A4-Insecure Direct Object References
A6-Security Misconfiguration                              | A5-Security Misconfiguration
A7-Insecure Cryptographic Storage (merged with 2010-A9)   | A6-Sensitive Data Exposure
A8-Failure to Restrict URL Access (broadened into)        | A7-Missing Function Level Access Control
A5-Cross Site Request Forgery (CSRF)                      | A8-Cross-Site Request Forgery (CSRF)
(buried in 2010-A6: Security Misconfiguration)            | A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards                    | A10-Unvalidated Redirects and Forwards
A9-Insufficient Transport Layer Protection                | merged with 2010-A7 into 2013-A6: Sensitive Data Exposure

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png