The OWASP Top 10 Vulnerabilities for 2010 (release candidate 1)

The OWASP Top 10 is a set of classes of vulnerabilities that are very high risk. They are provided as a tool that application developers can use to judge whether their application meets best practices based on whether or not it has facilities to deal with these top 10 items.

The OWASP community releases a new version every few years as the security world changes. For 2010 they are working to make sure that people realize that this is not just a list of 10 items, but that they are sorted by their risk (risk being likelihood times exposure). Their judgment of risk is general across the whole internet, so a specific application or site may end up with a different top 10.

The OWASP Top 10- List:

A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 - Insufficient Transport Layer Protection

Framework for deciding on the top 10

So, what is the risk framework they are using? They rank vulnerabilities on 4 characteristics:

Attack vector - how hard is it to exploit (xss and sql injection are often easier than csrf).
Weakness prevalance - how commonly it occurs.
Weakness detectability - how easy it is for an attacker to find vulnerable sites.
Technical impact - how badly a site or business will be affected if they have the vulnerability.

Rather than reviewing each element, Dave Wichers is making the slides available as part of the OWASP tools so that local chapters can review these or individuals can review them.

Resources for dealing with the OWASP Top 10

In addition to these slides, they are working to provide prevention cheat sheets for the top 10:

This is the "release candidate 1" for the OWASP Top 10 list for 2010 - they are now accepting input on the list.

General OWASP resources

Some more great resources:

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Module

If you are concerned about whether your site is secure, consider using the Security Review Module to get a free review of your site's security health. Did it find problems? Consider hiring a security expert from Drupal Scout to audit your site.

Recent Blog Posts

Why counting vulnerabilities is not a sufficient method of comparing product security

Posted by greggles

0 comments
Notes from Linux Security Tunables by Kees Cook

Posted by greggles

0 comments
Cracking Drupal Kindle Edition now available for $14.84 (Still relevant for Drupal 7)

Posted by greggles

0 comments