OWASP top ten of web application security risks released
The Open Web Application Security Project (OWASP) has published its top ten of most critical web application security risks. Updating its list from 2010, the organisation notes that threats from both cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks went down in importance and problems with broken authentication and session management procedures moved up into the second spot. Meanwhile, code injections have retained their place at the top of the list.
OWASP top ten of web application security risks
- Injection (1)
- Broken Authentication and Session Management (3)
- Cross-Site Scripting (XSS) (2)
- Insecure Direct Object References (4)
- Security Misconfiguration (6)
- Sensitive Data Exposure (7/9)
- Missing Function Level Access Control (8)
- Cross-Site Request Forgery (CSRF) (5)
- Using Known Vulnerable Components (-)
- Unvalidated Redirects and Forwards (10)
Position in the 2010 report shown in brackets.
The OWASP Top Ten report was published for the first time ten years ago and is a respected resource among web developers and security experts. The report is published every three years and its focus has recently shifted more towards general security risks instead of potential vulnerabilities. The newest report was compiled based on over 500,000 vulnerabilities in several thousand applications from hundreds of companies.
OWASP merged the entries for insecure cryptographic storage and insufficient transport layer protection into a new category called "sensitive data exposure" that deals with security problems arising from data leaks in general. Similarly, the 2010 entry for "failure to restrict URL access" was broadened into a more general entry for problems with function-level access control because there are many ways, not just via URLs, to access the functionality of a modern web application.
A completely new category was introduced for administrators who use known vulnerable components such as libraries, frameworks and modules. In the report from three years ago, this was included within the "security misconfiguration" category, but OWASP says that this sort of problem has become important enough to warrant its own entry on the list.