In association with heise online

20 April 2010, 13:05

The top ten security holes for web developers


The security experts at the Open Web Application Security Project (OWASP) have updated their Top 10 list of web application vulnerabilities. The OWASP previously released lists in 2004 and in 2007. OWASP board member Dave Wichers said that, in the updated list, the project discusses potential risks as well as the possible vulnerabilities.

Wichers said "Attempts to prioritise vulnerabilities without context just don’t make sense". According to the release, this new focus on risks is intended to lead organisations to a more mature understanding and management of application security.

The OWASP says that the 22-page 2010 update (PDF) is based on more sources of web application vulnerability information than previous reports. According to the organisation, the information is now also presented in a clearer, more concise way and includes stronger references to the various openly available resources that can help address each issue, for instance OWASP's Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS).

OWASP's Top 10 risks that are most likely to be relevant to web developers in 2010 are:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

The Open Web Application Security Project's Top 10 list is not the only initiative that tries to prioritise the most important security issues. In February, the MITRE and SANS institutes released the second edition of the 25 most dangerous programming errors, a list commissioned by various companies and organisations, including OWASP.
