The top ten security holes for web developers
The security experts at the Open Web Application Security Project (OWASP) have updated their Top 10 list of web application vulnerabilities. The OWASP previously released lists in 2004 and in 2007. OWASP board member Dave Wichers said that, in the updated list, the project discusses potential risks as well as the possible vulnerabilities.
Wichers said "Attempts to prioritise vulnerabilities without context just don’t make sense". According to the release, this new focus on risks is intended to lead organisations to a more mature understanding and management of application security.
The OWASP says that the 22-page 2010 update is based on more sources of web application vulnerability information than previous reports. According to the organisation, the information is now also presented in a clearer, more concise way and includes stronger references to the various openly available resources that can help address each issue, for instance OWASP's Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS).
OWASP's Top 10 risks that are most likely to be relevant to web developers in 2010 are:
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
The Open Web Application Security Project's Top 10 list is not the only initiative that tries to prioritise the most important security issues. In February, MITRE and the SANS Institute released the second edition of the 25 most dangerous programming errors, a list commissioned by various companies and organisations, including OWASP.
- OWASP Top 10 for 2010 released, press release from OWASP.
- Top 25 Programming Errors list updated, a report from The H.