The Open Web Application Security Project (OWASP) has just released the 2013 edition of its annual Top 10 list of application security risks for developers. OWASP is an open community that provides the industry standard for improving application security and has been publishing its Top 10 list since 2003.
Because the OWASP Top 10 is so widely used as an industry benchmark, security analysts offer some cautionary advice on how to read it.
Fellow blogger Vincent Liu stresses the need to prioritize the risks an organization is actually facing: just “because a threat is new doesn’t mean it’s always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn’t mean it’s the most important problem facing your organization.”
Rohit Sethi, writing in the SD Times, reminds us that the Top 10 list is not meant to be a prescriptive guide for software development, but that many treat it that way. Rohit states that OWASP is “simply too broad to be used for specific requirements” and uses the example of the Sensitive Data Exposure category, which “is much more open-ended and could mean several things.”
Below is the complete list:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
More details are available on the OWASP site:
https://www.owasp.org/index.php/Top_10_2013-Top_10