OWASP releases list of top 10 web application risks

Since 2003, application security researchers and experts from all over the world at the Open Web Application Security Project (OWASP) have carefully monitored the state of web application security and produced an awareness document that is acknowledged and relied on by organizations worldwide, including the PCI Council, DoD, FTC, and countless others.

Today, OWASP has released an updated report capturing the top ten risks associated with the use of web applications in an enterprise. This colorful 22 page report is packed with examples and details that explain these risks to software developers, managers, and anyone interested in the future of web security.

Dave Wichers, OWASP Board member and COO of Aspect Security, has managed the project since its inception. “This year we have revamped the Top 10 to make it clear that we are talking about risks, not just vulnerabilities. Attempts to prioritize vulnerabilities without context just don’t make sense. You can’t make proper business decisions without understanding the threat and impact to your business.” This new focus on risks is intended to lead organizations to more mature understanding and management of application security across their organization.

The OWASP top 10 for 2010 are:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards.