OWASP Top Ten for 2010 Released

The OWASP Top Ten Project has released a final version of the Top Ten for 2010.

In this new version, the focus has shifted to become more risk oriented. There is less emphasis on individual "vulnerabilities" and a greater focus on identifying meaningful risk. Each entry is rated using a methodology that explicitly calls out threat agents, attack vectors, weakness prevalence and detectability, technical impact and business impact, rather than simply counting how often a weakness is reported.

For 2010, the OWASP Top 10 Web Application Security Risks are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

The final document is available from:

Personally, I'm glad to see the return of a misconfiguration category (A6: Security Misconfiguration). This is a reprise of the old Insecure Configuration Management from the 2004 version. The failure to provide secure configurations is a more frequent problem than many people like to admit.

Posted by gfleischer on 2010/04/19 at 19:47 in Security
