By Jason Rhykerd, CISSP, Security Audit and Assessment Manager
Whoever first said, “you get what you pay for” obviously didn’t know about the Open Web Application Security Project (OWASP). OWASP is a not-for-profit worldwide charitable organization focused on improving the security of application software, and it can be found on the Internet at www.owasp.org.
I am continually surprised by how many of the developers I speak with do not know about this wonderful resource. OWASP has been a critical resource for me ever since the first web application security project I was given.
OWASP has many projects that range from prevention to detection to testing to education. I would like to use this blog posting to raise awareness of the OWASP Top 10 project.
The OWASP Top 10 was first released in 2003, with updates in 2004 and 2007. Just recently, the 2010 version was finalized after multiple requests for comment. The “Top 10” is an awareness document for web application security and represents a consensus about what the most critical web application security flaws are. The list is focused not just on specific flaws, but also on the risks associated with them.
This year’s release can be used to educate users at any level about web security. The document is chock-full of details and examples explaining how each item poses a risk, how you can identify it, and how you can work to prevent or mitigate it.
If you haven’t yet, click over to get yourself a copy of the 2010 version of the “Top Ten.”
The OWASP Top 10 Web Application Security Risks for 2010 are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
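The post names the ten categories but does not show what one looks like in code. As an added illustration of A1 (Injection) that is not part of the original post or of the OWASP documents, the following Python snippet puts a string-concatenated SQL lookup beside its parameterized replacement, using an in-memory SQLite table with constructed sample rows. The function names and table layout are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],  # constructed sample data
    )
    return conn


def lookup_unsafe(conn, name):
    """A1-style flaw: user input is pasted into the SQL text, so any quote
    characters in the input change the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Mitigation: bind the input as a parameter. The driver treats it as
    data only, so the same input can never alter the query structure."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return (unsafe_rows, safe_rows) for the same malformed input so the
    difference between the two lookups is visible without printing."""
    conn = make_db()
    bad_input = "x' OR '1'='1"  # constructed input containing a stray quote
    return lookup_unsafe(conn, bad_input), lookup_safe(conn, bad_input)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("unsafe lookup returned:", unsafe_rows)  # every row leaks
    print("safe lookup returned:  ", safe_rows)    # no row matches
```

The point to take from the two functions is that the fix is structural, not a matter of filtering characters: the parameterized version needs no knowledge of which inputs are dangerous, which is exactly the kind of guidance the Top 10 document gives for each category.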
Remember, it’s no longer a question of “if” it will happen, but “when.” Make sure your organization is prepared by educating your developers and security staff. It’s about more than just running an automated scanning tool.