The OWASP Top Ten Project has released a final version of the Top Ten for 2010.
In this new version the focus has shifted toward risk. There is less emphasis on individual "vulnerabilities" and more on identifying meaningful risk: each entry is rated with a methodology that explicitly calls out threat agents, attack vectors, the weakness itself (its prevalence and how easily it is detected), technical impact and business impact.
For 2010, the OWASP Top 10 Web Application Security Risks are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
The final document is available from:
- OWASP_Top_10_-_2010.pdf (Google Code)
- OWASP_Top_10_-_2010.pdf (Google Docs)
- OWASP_Top_10_-_2010.pdf (local mirror)
Personally, I'm glad to see the return of a misconfiguration category (A6: Security Misconfiguration). This is a reprise of the old Insecure Configuration Management from the 2004 version. The failure to provide secure configurations is a more frequent problem than many people like to admit.