OWASP Top 10 2010

The September 2009 SANS Institute Top Cyber Security Risks report revealed that over 60% of Internet attacks were launched against Web applications.


While many would expect 60 percent to be a number sobering enough to get even the most stubborn organizations to look more closely at securing their web sites, many web developers, IT managers and site owners are simply not aware of the threats their web applications face.

OWASP

Since 2003, OWASP (Open Web Application Security Project) has been making an effort to inform web decision makers of the 10 most critical web application security flaws through their Top 10 Project (http://www.owasp.org/index.php/OWASP_Top_10_Project). 2010 marks the third update to this list, after the final version of the original released in 2004 and an update to the list in 2007.

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” Their work is derived from a collaboration of security professionals who serve as volunteers to bring information to the community in an open and unbiased manner. While the organization is not affiliated with any technology or security companies, they do support the use of commercial security products.

The Top 10

The Top 10 project is described by OWASP as:

The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are.

One of the most noticeable changes to the Top 10 list is that the focus has shifted from a list of the top 10 vulnerabilities to the top 10 risks. The reason for the shift is quite practical. “Actually, it moved from prevalence (which is one factor of likelihood) to risk, which takes into account likelihood and prevalence to estimate risk. Organizations care about risk, not just likelihood, and the Top 10 was always about risk (really), but we weren’t as clear as we should be, so this update works to make that much more clear,” says Dave Wichers, Project Leader for the Top 10 List.

Additionally, two risks were dropped from this update: Malicious File Execution, because tighter PHP security has lowered the prevalence of this problem, and Information Leakage and Improper Error Handling, because of the minimal impact of disclosing stack trace and error message information.

  1. Injection
  2. Cross Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Failure to Restrict URL Access
  8. Unvalidated Redirects and Forwards
  9. Insecure Cryptographic Storage
  10. Insufficient Transport Layer Protection
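The list names the risks without showing what each one looks like in code. As an added example, not code from the original article or from OWASP, the following Python places the vulnerable pattern beside its hardened form for four of the ten risks (Injection, Cross Site Scripting, Insecure Direct Object References, and Unvalidated Redirects and Forwards). It uses an in-memory SQLite table with constructed sample rows; the hostnames in the redirect allowlist and the crafted inputs in the demo are assumptions made for the illustration.

```python
import html
import sqlite3
from urllib.parse import urlparse

# Assumed allowlist of hosts this site may redirect to (placeholder names).
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "shop.example.com"}


def make_db():
    """Constructed in-memory user table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


# A1 Injection: the vulnerable form splices user input into the SQL text,
# so the input can change the meaning of the statement.
def find_user_vulnerable(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# Hardened form: a parameterized query keeps the input strictly as data.
def find_user_safe(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# A2 Cross Site Scripting: untrusted text written into an HTML body must be
# encoded for that context; the vulnerable form writes it raw.
def render_greeting_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# A4 Insecure Direct Object References: a record id taken from the request
# is honoured only after an ownership check, and "not found" and "not yours"
# are reported identically so that ids cannot be enumerated.
def get_email(conn, requesting_user_id, record_id):
    row = conn.execute("SELECT email FROM users WHERE id = ?", (record_id,)).fetchone()
    if row is None or requesting_user_id != record_id:
        return None
    return row[0]


# A8 Unvalidated Redirects and Forwards: accept a relative path on this site
# or an https URL whose host is on the allowlist; anything else falls back
# to a fixed default instead of following the supplied target.
def safe_redirect_target(url, default="/"):
    parsed = urlparse(url)
    # A backslash is excluded because browsers treat it like a slash, which
    # would turn "/\host" into a protocol-relative URL.
    if (parsed.scheme == "" and parsed.netloc == ""
            and url.startswith("/") and not url.startswith("//") and "\\" not in url):
        return url
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return default


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # the classic tautology used in the OWASP examples
    print(find_user_vulnerable(conn, crafted))   # every user is returned
    print(find_user_safe(conn, crafted))         # [] - treated as a literal name
    print(render_greeting_safe("<b>bob</b>"))    # markup is encoded, not rendered
    print(get_email(conn, 1, 2))                 # None: alice may not read bob's record
    print(safe_redirect_target("https://evil.example/login"))  # "/"
```

The pattern is the same in each pair: the hardened version decides what the untrusted value is allowed to be (a bound parameter, an encoded string, a record the caller owns, a URL on an allowlist) before it is used, rather than trying to spot bad input after the fact.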


Minimizing the Risks

The Payment Card Industry (PCI) standard, which has adopted the OWASP Top 10, also allows the implementation of a Web Application Firewall as one option for fulfilling one of its requirements for compliance.

Web Application Firewalls provide deep inspection of IP packets, filtering malicious requests before they reach the web server while, at the same time, weeding out responses that have been deemed inappropriate, thus protecting sensitive information from being accessed illicitly.
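To make the two filtering points described above concrete, here is an added Python sketch; it is not dotDefender's code and not a production rule set. Request fields are URL-decoded and checked against a handful of constructed signatures before the request is passed on, and the origin's reply is checked for error and stack-trace detail before it is delivered to the client. The `upstream` callable stands in for the web server, and the rule patterns and sample requests are illustrative assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Illustrative request signatures (constructed for this example; a real WAF
# ships hundreds of tuned rules). Each pattern is applied to every decoded
# request field.
REQUEST_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(load|error|click|mouseover)\s*=")),
]

# Illustrative response signatures: error detail the origin should never
# have emitted to a client.
RESPONSE_RULES = [
    ("java-stack-trace", re.compile(r"(?m)^\s+at\s+[\w$.]+\([\w.]+:\d+\)")),
    ("php-error", re.compile(r"(?i)\b(warning|fatal error|parse error):.*\bon line \d+")),
    ("sql-error", re.compile(r"(?i)(syntax error|SQLSTATE\[|ORA-\d{5}|mysql_fetch)")),
]

GENERIC_ERROR = "<html><body>An error occurred. Please try again later.</body></html>"


def request_fields(path, body=""):
    """Decode the parts of a request a WAF inspects: the path, each query
    value and each form-body value (parse_qsl URL-decodes the values)."""
    parsed = urlparse(path)
    fields = [unquote(parsed.path)]
    fields += [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    if body:
        fields += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    return fields


def inspect_request(path, body=""):
    """Return the sorted names of the request rules that fire."""
    hits = set()
    for field in request_fields(path, body):
        for name, pattern in REQUEST_RULES:
            if pattern.search(field):
                hits.add(name)
    return sorted(hits)


def inspect_response(body):
    """Return the sorted names of the response-leak rules that fire."""
    return sorted(name for name, pattern in RESPONSE_RULES if pattern.search(body))


def waf_filter(method, path, body, upstream):
    """Model of the two filtering points. `upstream(method, path, body)` is an
    assumed stand-in for the origin web server.
    Returns (action, body_sent_to_client, rule_names)."""
    request_hits = inspect_request(path, body)
    if request_hits:
        return ("block", GENERIC_ERROR, request_hits)   # never reaches the origin
    response = upstream(method, path, body)
    response_hits = inspect_response(response)
    if response_hits:
        return ("mask", GENERIC_ERROR, response_hits)   # leak replaced before delivery
    return ("allow", response, [])


def demo_upstream(method, path, body):
    """Constructed stand-in origin: one path leaks a Java stack trace."""
    if urlparse(path).path == "/report":
        return ("java.lang.NullPointerException\n"
                "\tat com.example.report.Builder.build(Builder.java:88)\n")
    return "<html><body>ok</body></html>"


if __name__ == "__main__":
    # Constructed sample requests, as the WAF would see them on the wire.
    for method, path, body in [
        ("GET", "/search?q=owasp+top+10", ""),
        ("GET", "/search?q=x%27+OR+%271%27%3D%271", ""),
        ("POST", "/comment", "text=%3Cscript%3Ex%3C%2Fscript%3E"),
        ("GET", "/report?id=7", ""),
    ]:
        print(method, path, "->", waf_filter(method, path, body, demo_upstream))
```

Two points of design matter more than the particular patterns. Inspection runs on decoded field values, not on the raw request line, because an encoded payload would otherwise slip past the rules; and the response path replaces a leaking body with a generic page rather than trying to redact it, since a stack trace rarely belongs in a client response at all. A signature-based filter of this kind is a compensating control: it needs tuning against the application's real traffic to keep false positives down, and it complements rather than replaces fixing the flaws in the application itself.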

dotDefender from Applicure works to mitigate risks posed by many of the OWASP Top Ten. As a Web Application Firewall, dotDefender protects your web site, your customers and your applications against:

For more information about how dotDefender can help protect against the risks associated with the top ten list, see the OWASP Best Practices page: Use of Web Application Firewalls.