The Open Web Application Security Project (OWASP) recently released the 2013 version of its list of the top 10 risks facing web application developers. As expected, the list didn’t change much … just some swapping of places and merging of several items. The most significant changes we noticed were the drop of “Cross-Site Request Forgery (CSRF)” from fifth to eighth and the new “Using Known Vulnerable Components” entry.
You can find out more about the OWASP Top 10 by visiting the project page. Standard warning here … the OWASP Top 10 is meant as an awareness document … not a prescriptive standard or a complete checklist. Here is a useful listing of the 2013 Top 10 compared to the 2010 Top 10.
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly 2010-A3)
- A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly 2010-A6)
- A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
- A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
- A9 Using Known Vulnerable Components (new but was part of 2010-A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
And Hack Rising has a nice graphic illustrating the changes as well.
Today’s post pic is from Acunetix.com. See ya!