On April 19, 2010 we released the final version of the OWASP Top 10 for 2010, and here is the associated press release.
This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.
The OWASP Top 10 Web Application Security Risks for 2010 are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!
As you help us spread the word, please emphasize:
- OWASP is reaching out to developers, not just the application security community
- The Top 10 is about managing risk, not just avoiding vulnerabilities
- To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
We need to encourage organizations to get off the penetrate-and-patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.
If you are interested in doing a presentation on the OWASP Top 10, please feel free to use all or parts of this:
Introduction
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 version was translated into English, French, Spanish, Japanese, Korean, Turkish and other languages. Translation efforts for the 2010 version are underway, and they will be posted as they become available.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.