Wednesday, April 21, 2010

Top 10 Web Application Security Risks

The Open Web Application Security Project, OWASP, has published the 2010 version of its top 10 web application security risks, the first revamp since 2007. Recognised as a key information tool for developers and security professionals, the OWASP top 10 is referenced in many security standards including PCI DSS.

Although there are many similarities with the 2007 edition, the emphasis has been changed to reflect security risks rather than just vulnerabilities. Prominent as ever are cross-site scripting (XSS) and injection vulnerabilities, which have caught out both Apache and Amazon in recent weeks.

Added to the Top 10 is Security Misconfiguration. Left out of the 2007 edition because it wasn't considered to be a software issue, it has been re-added to reflect the emphasis on risk. Also new is Unvalidated Redirects and Forwards. Although relatively unknown as an issue, OWASP suggests that its potential for damage is high.
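As an added illustration of the Unvalidated Redirects and Forwards item (this is not code from the original post or from OWASP): the fix is to validate the redirect target against an allow-list before it goes into a Location header. The hosts and default target below are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may redirect to (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str) -> str:
    """Return a redirect target that is safe to put in a Location header.

    Only same-site paths (starting with "/") or absolute http(s) URLs whose
    host is on the allow-list are accepted; anything else falls back to
    DEFAULT_TARGET instead of sending the user off-site.
    """
    if not target:
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes and ignore surrounding whitespace,
    # so normalise the value before parsing it.
    cleaned = target.strip().replace("\\", "/")
    # A protocol-relative URL ("//other.host/...") is absolute to a browser.
    if cleaned.startswith("//"):
        return DEFAULT_TARGET
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        # Absolute URL: reject non-http(s) schemes (e.g. javascript:) and any
        # host not on the allow-list. hostname ignores userinfo such as
        # "example.com@other.host", so that trick is caught too.
        if parts.scheme not in ("http", "https"):
            return DEFAULT_TARGET
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return cleaned
    # Relative target: must be a path rooted at "/" on this site.
    if not cleaned.startswith("/"):
        return DEFAULT_TARGET
    return cleaned


def redirect_headers(next_param: str) -> dict:
    """Build the response headers for a login-style handler (hypothetical)."""
    return {"Location": safe_redirect_target(next_param)}
```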

Removed from the Top 10 is Malicious File Execution. Although still an issue, improvements in the default configuration of PHP, where the problem was most widespread, have led to a reduction in incidents. Information Leakage and Improper Error Handling has also been removed. Again, while still prevalent, the direct risk is minimal.
