Wednesday, 12 June 2013

New OWASP Top Ten 2013 released, actually its gone to a Top 11

Today, OWASP officially released their updated list of the Top 10 Web Application (website) risks.

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. The Top 10 list identifies some of the most critical risks facing organisations in web application security, and is a trusted resource and is often referred as the best practice to adhere to in application security within the information security industry.

OWASP update their Top 10 list every three years, this, the latest OWASP Top 10 list was released today on 12 June 2013.

OWASP Top 10 2013
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

What's Changed?  A Top 11?
In comparison to the last 2010 release, it's actually a Top 11, as added to the list is "A9 Using Known Vulnerable Components", which highlights the risk with developers using third party plugins, which poses a risk of having or introducing vulnerabilities if unvetted, and may even act as malicious trojans, introducing covert data theft and backdoors. This is a risk often associated with website Contain Management Systems (CMS) like Joomla and Drupal, where active communities freely provide thousands of third party modules which developers can snap into their websites, even though most modern CMS systems do a decent job in protecting themselves from such third party modules, they still present a risk which needs to be addressed by developers.

To accommodate this addition, the previously 2010 Top 10 list "A7 Insecure Cryptographic Storage" and "A9 Insufficient Transport Layer Protection" entries, have been merged into a single "A6 Sensitive Data Exposure" entry. So technically speaking nothing has been removed from the list, and there is one addition, hence the Top 11 comment.

Finally the Top 10 list is just that, the 10 most prominent application security risks, other risk are available, see the OWASP website for further details.

No comments: