Monday, April 19, 2010


Hopefully you've seen this all over the place by now, but if not...

OWASP released their updated Top Ten list for 2010 today.  From the site:

"The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are...

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code."

The full 22-page PDF can be seen here (opens in Google Docs because I don't trust PDFs. Not that I trust Google, either, come to think of it).

This year's list includes a completely new list of problems we have never seen before. No, wait, this is stuff we've been fighting for years. We need to get the word out to the right people, and it is pretty clear that we have a way to go on that front. This year's Top Ten features:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Read 'em and weep.  Or, better yet, read 'em, and spread the word.