The Open Web Application Security Project (OWASP) was started in 2001 with the avowed mission of ‘making software security visible, so that individuals and organizations worldwide can make informed discussions about true software risks.’ Since then OWASP’s influence has grown to the point that its Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, the FTC and more. The Top 10 project aims to raise application security awareness by ranking the most critical risks organizations face. The OWASP Top 10 for 2013 is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). The data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.
When the 2013 list was published in June – the first major update in 3 years – injection flaws were once again listed as the number 1 risk. The list in full, in ranked order, is:
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
The main changes to note in the 2013 edition are the inclusion of three new categories of risk: Missing Function Level Access Control; Sensitive Data Exposure; and Using Components with Known Vulnerabilities. Missing Function Level Access Control is a broadening of the Failure to Restrict URL Access category from the 2010 list. Sensitive Data Exposure is a merger of the Insecure Cryptographic Storage and Insufficient Transport Layer Protection categories from the 2010 list, extended to include browser-side risks to sensitive data. The new category therefore covers the protection of sensitive data (other than access control, which is covered by Missing Function Level Access Control) from the moment it is provided by the user, through its transmission to and storage within the application, until it is sent back to the browser again. The final and possibly most noteworthy change in the 2013 list is the addition of Using Components with Known Vulnerabilities. This issue now has a category of its own because the continued growth and depth of component-based development has greatly increased the risk of using components with known vulnerabilities.
The OWASP Top Ten has seen relatively little change since it debuted in 2003. In spite of the 3 new additions in the 2013 Top Ten, the substance of the previous list remains intact. In fact, while some categories were merged, not one risk listed in 2010 was completely removed. With the publication of an altogether familiar-looking list in 2013, some have questioned the progress being made in application security. What isn’t up for debate, however, is the important role OWASP now performs in application security. The Top Ten list is an awareness document and also acts as an important starting point for any organization’s application security program.
Learn More: www.owasp.org/index.php/Top_10_2013-Top_10