The Open Web Application Security Project (OWASP) Top Ten is an ongoing resource for application developers, IT professionals, and security experts that identifies and describes the most critical web application security risks facing organizations today. The 2013 release marks the tenth year of the OWASP Top Ten project. Here at Redspin, we use the OWASP Top Ten in our Application Security assessments, and members of our team have founded an OWASP chapter right here in Santa Barbara! We have incorporated the new Top Ten list into our methodologies and deliverables. Give us a call to learn more.
While the OWASP Top 10 is a great reference and baseline for application security, we do not rely strictly on the list to identify risks in your most critical web applications. Sophisticated attacks and exploits exist that are not captured by the Top 10 categories and that require manual analysis by an experienced security engineer.
2013 OWASP Top Ten
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Broken Authentication and Session Management moved up to the number two spot, most likely because weaknesses at the authentication and session level are now being found and taken more seriously. Cross-Site Request Forgery (CSRF) moved down to number eight, largely because framework developers now ship code with built-in CSRF protections and mitigations. Failure to Restrict URL Access has been broadened into Missing Function Level Access Control; the change recognizes that authorization must be enforced on the functions being invoked, not just on the URLs that happen to reach them. A new category, Sensitive Data Exposure, merges Insecure Cryptographic Storage and Insufficient Transport Layer Protection and also covers sensitive data at risk on the browser side. Lastly, a brand new category, Using Components with Known Vulnerabilities, has been split out of Security Misconfiguration. Third-party and internal components are being introduced into web applications at a tremendous rate, and this category covers the vulnerabilities those components bring with them.
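To make the Missing Function Level Access Control change concrete, here is an added example (ours, not code from OWASP or from any assessed application) contrasting the two views. The users, routes, and parameters are constructed for the demo. The vulnerable handler gates access with a URL-prefix rule, which holds until a generic `/api?action=...` dispatcher exposes the same privileged function under a path the rule never mentions; the hardened handler attaches the authorization check to the function itself, so every route that reaches it is covered.

```python
"""Missing Function Level Access Control (2013 A7) versus the older
'Failure to Restrict URL Access' view.  Two toy request handlers expose the
same privileged function; users, routes and parameters are constructed for
this example and do not come from a real application."""
from functools import wraps

# Constructed user database for the demo.
USERS = {
    "alice": {"roles": {"admin", "user"}},
    "bob": {"roles": {"user"}},
}


class Forbidden(Exception):
    """Raised when an actor is not allowed to perform the requested function."""


def has_role(actor, role):
    return role in USERS.get(actor, {}).get("roles", set())


def requires_role(role):
    """Enforce authorization on the function itself, so the check holds no
    matter which URL, dispatcher or parameter leads to it."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor, *args, **kwargs):
            if not has_role(actor, role):
                raise Forbidden(f"{actor} may not call {fn.__name__}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


# Business functions.  The unchecked versions trust whoever routed the request
# to have decided access already; the checked versions decide for themselves.
def delete_user(actor, target):
    return f"{target} deleted by {actor}"


def list_reports(actor):
    return f"reports for {actor}"


@requires_role("admin")
def delete_user_checked(actor, target):
    return delete_user(actor, target)


@requires_role("user")
def list_reports_checked(actor):
    return list_reports(actor)


def dispatch(actor, path, params, actions):
    """Minimal router shared by both apps.  /api is a generic action
    dispatcher of the kind that gets added later and reaches the same
    functions under a path the original URL rules never mention."""
    if path == "/admin/delete_user":
        return actions["delete_user"](actor, params["target"])
    if path == "/reports":
        return actions["list_reports"](actor)
    if path == "/api":
        kwargs = {k: v for k, v in params.items() if k != "action"}
        return actions[params["action"]](actor, **kwargs)
    raise KeyError(path)


class UrlRestrictedApp:
    """Vulnerable: a URL-prefix rule in front of unchecked functions.
    Everything under /admin/ is gated; /api is not."""
    ACTIONS = {"delete_user": delete_user, "list_reports": list_reports}

    def handle(self, actor, path, params):
        if path.startswith("/admin/") and not has_role(actor, "admin"):
            raise Forbidden(f"{actor} may not access {path}")
        return dispatch(actor, path, params, self.ACTIONS)


class FunctionRestrictedApp:
    """Hardened: no URL rule at all; each privileged function checks its
    caller, so the /api route is covered automatically."""
    ACTIONS = {"delete_user": delete_user_checked,
               "list_reports": list_reports_checked}

    def handle(self, actor, path, params):
        return dispatch(actor, path, params, self.ACTIONS)


def attempt(app, actor, path, params):
    """Return the handler's result, or 'FORBIDDEN' if access was denied."""
    try:
        return app.handle(actor, path, params)
    except Forbidden:
        return "FORBIDDEN"


if __name__ == "__main__":
    for app in (UrlRestrictedApp(), FunctionRestrictedApp()):
        print(app.__class__.__name__)
        print("  bob /admin/delete_user      ->",
              attempt(app, "bob", "/admin/delete_user", {"target": "alice"}))
        print("  bob /api?action=delete_user ->",
              attempt(app, "bob", "/api", {"action": "delete_user", "target": "alice"}))
```

Running it shows the difference: in `UrlRestrictedApp`, bob is refused at `/admin/delete_user` but deletes alice through `/api?action=delete_user`, because the prefix rule only knows about one path to the function. In `FunctionRestrictedApp` both requests are refused while alice's succeed, and adding a third route later cannot reopen the hole. During an assessment this is exactly why we test every entry point to a privileged function rather than only the obvious administrative URL.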