Cracking Drupal - vulnerabilities (http://crackingdrupal.com/taxonomy/term/41/0)

The OWASP Top 10 Vulnerabilities for 2010 (release candidate 1)
http://crackingdrupal.com/blog/greggles/owasp-top-10-vulnerabilities-2010-release-candidate-1

<p>The OWASP Top 10 is a set of classes of vulnerabilities that carry very high risk. It is provided as a tool that application developers can use to judge whether their application meets best practices, based on whether or not it has facilities to deal with these top 10 items.</p>

<p>The OWASP community releases a new version every few years as the security world changes. For 2010 they are working to make sure that people realize that this is not just a list of 10 items: the items are sorted by their risk (risk being likelihood times exposure). Their judgment of risk is general across the whole internet, so a specific application or site may end up with a different top 10.</p>

<h3>The OWASP Top 10 List:</h3>
<ul>
<li>A1 – Injection</li>
<li>A2 – Cross Site Scripting (XSS)</li>
<li>A3 – Broken Authentication and Session Management</li>
<li>A4 – Insecure Direct Object References</li>
<li>A5 – Cross Site Request Forgery (CSRF)</li>
<li>A6 – Security Misconfiguration (NEW)</li>
<li>A7 – Failure to Restrict URL Access</li>
<li>A8 – Unvalidated Redirects and Forwards (NEW)</li>
<li>A9 – Insecure Cryptographic Storage</li>
<li>A10 – Insufficient Transport Layer Protection</li>
</ul>

<h3>Framework for deciding on the top 10</h3>
<p>So, what is the risk framework they are using? They rank vulnerabilities on 4 characteristics:</p>
<ol>
<li>Attack vector - how hard it is to exploit (XSS and SQL injection are often easier than CSRF).</li>
<li>Weakness prevalence - how commonly it occurs.</li>
<li>Weakness detectability - how easy it is for an attacker to find vulnerable sites.</li>
<li>Technical impact - how badly a site or business will be affected if it has the vulnerability.</li>
</ol>
<p>Rather than review each element here: Dave Wichers is making the slides available as part of the OWASP tools so that local chapters or individuals can review them.</p>

<h3>Resources for dealing with the OWASP Top 10</h3>
<p>In addition to these slides, they are working to provide prevention cheat sheets for the top 10:</p>
<ul>
<li><a href="http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS Prevention Cheat Sheet</a></li>
<li><a href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet">Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a></li>
<li><a href="http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">SQL Injection Prevention Cheat Sheet</a></li>
<li><a href="http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">Transport Layer Protection Cheat Sheet (i.e. SSL/TLS)</a></li>
</ul>
<p>This is the "release candidate 1" for the OWASP Top 10 list for 2010 - they are now accepting input on the list.</p>

<h3>General OWASP resources</h3>
<p>Some more great resources:</p>
<ul>
<li><a href="http://www.owasp.org/index.php/Guide" title="http://www.owasp.org/index.php/Guide">http://www.owasp.org/index.php/Guide</a></li>
<li><a href="http://www.owasp.org/index.php/ASVS" title="http://www.owasp.org/index.php/ASVS">http://www.owasp.org/index.php/ASVS</a></li>
<li><a href="http://www.owasp.org/index.php/EASPI" title="http://www.owasp.org/index.php/EASPI">http://www.owasp.org/index.php/EASPI</a></li>
<li><a href="http://www.owasp.org/index.php/Code_Review_Guide" title="http://www.owasp.org/index.php/Code_Review_Guide">http://www.owasp.org/index.php/Code_Review_Guide</a></li>
<li><a href="http://www.owasp.org/index.php/Testing_Guide" title="http://www.owasp.org/index.php/Testing_Guide">http://www.owasp.org/index.php/Testing_Guide</a></li>
</ul>

Tags: metrics, risk, vulnerabilities
Fri, 13 Nov 2009 18:56:07 +0000, greggles