The OWASP Top 10 Vulnerabilities for 2010 (release candidate 1)

The OWASP Top 10 is a set of vulnerability classes that carry very high risk. They are provided as a tool that application developers can use to judge whether their application meets best practices, based on whether or not it has facilities to deal with each of these top 10 items.

The OWASP community releases a new version every few years as the security world changes. For 2010 they are working to make sure that people realize that this is not just a list of 10 items, but that the items are sorted by their risk (risk being likelihood times exposure). Their judgment of risk is general across the whole internet, so a specific application or site may end up with a different top 10.

The OWASP Top 10 list:

  • A1 – Injection
  • A2 – Cross Site Scripting (XSS)
  • A3 – Broken Authentication and Session Management
  • A4 – Insecure Direct Object References
  • A5 – Cross Site Request Forgery (CSRF)
  • A6 – Security Misconfiguration (NEW)
  • A7 – Failure to Restrict URL Access
  • A8 – Unvalidated Redirects and Forwards (NEW)
  • A9 – Insecure Cryptographic Storage
  • A10 – Insufficient Transport Layer Protection

Framework for deciding on the top 10

So, what is the risk framework they are using? They rank vulnerabilities on 4 characteristics:

  1. Attack vector - how hard it is to exploit (XSS and SQL injection are often easier than CSRF).
  2. Weakness prevalence - how commonly it occurs.
  3. Weakness detectability - how easy it is for an attacker to find vulnerable sites.
  4. Technical impact - how badly a site or business will be affected if it has the vulnerability.

Rather than reviewing each element here, Dave Wichers is making the slides available as part of the OWASP tools so that local chapters or individuals can review them.

Resources for dealing with the OWASP Top 10

In addition to these slides, they are working to provide prevention cheat sheets for the top 10:

This is the "release candidate 1" for the OWASP Top 10 list for 2010 - they are now accepting input on the list.

General OWASP resources

Some more great resources: