[Owasp-Malaysia] OWASP TOP 10 FOR 2010 RELEASED

[Mohd Fazli Azran Abd Malek]

*OWASP TOP 10 FOR 2010 RELEASED*

*Will You Help Us Reach Every Web Developer in the World?*

* *

Columbia, MD 4/19/2010 —



Since 2003, application security researchers and experts from all over the
world at the Open Web Application Security Project (OWASP) have carefully
monitored the state of web application security and produced an awareness
document that is acknowledged and relied on by organizations worldwide,
including the PCI, DOD, FTC, and countless others.



Today, OWASP has released an updated report capturing the top ten risks
associated with the use of web applications in an enterprise. This colorful
22 page report is packed with examples and details that explain these risks
to software developers, managers, and anyone interested in the future of web
security. Everything at OWASP is free and open to everyone, and you can
download the latest OWASP Top 10 report for free at:

*http://www.owasp.org/index.php/Top_10 *

Dave Wichers, OWASP Board member and COO of Aspect Security, has managed the
project since its inception. “This year we have revamped the Top 10 to make
it clear that we are talking about risks, not just vulnerabilities. Attempts
to prioritize vulnerabilities without context just don’t make sense. You
can’t make proper business decisions without understanding the threat and
impact to your business.” This new focus on risks is intended to lead
organizations to more mature understanding and management of application
security across their organization.



The time has come to get application security awareness out of the security
community and directly to the people who need to know it most. This year,
our audacious goal is to get the OWASP Top 10 into the hands of *every web
developer in the world* – but we need your help.  We ask anyone reading
this; would you be willing to do one simple thing to help protect the future
of the Internet?  If you know people who write code for the web, could you
forward them the OWASP Top 10 and ask them kindly…



---------------------------------------------------



*Are you familiar with all of the risks in the OWASP Top 10?*

* *

*Will you make a commitment today to protect your code against the OWASP Top
10?*



---------------------------------------------------



For too long, many organizations have relied exclusively on an occasional
scan or penetration test to gain assurance for their internal and external
web applications. This approach is expensive and doesn't provide much in the
way of coverage. Like other types of security, application security requires
a risk management program that provides visibility across the entire
portfolio and strategic controls to improve security. If your organization
is ready to tackle application security, there are dozens of free books,
tools, projects, forums, mailing lists, and more at OWASP. You can also join
one of over 180 local chapters worldwide or attend our high quality and
inexpensive AppSec conferences.



The OWASP Top 10 for 2010 are:

*A1: Injection*

*A2: Cross-Site Scripting (XSS) *

*A3: Broken Authentication and Session Management *

*A4: Insecure Direct Object References *

*A5: Cross-Site Request Forgery (CSRF) *

*A6: Security Misconfiguration *

*A7: Insecure Cryptographic Storage *

*A8: Failure to Restrict URL Access *

*A9: Insufficient Transport Layer Protection*

*A10: Unvalidated Redirects and Forwards *

* *

The 2010 update is based on more sources of web application vulnerability
information than the previous versions were when determining the new Top 10.
It also presents this information in a more concise, compelling, and
consumable manner, and includes strong references to the many new openly
available resources that can help address each issue, particularly OWASP's
new Enterprise Security API (ESAPI)
<http://www.owasp.org/index.php/ESAPI>and Application
Security Verification Standard (ASVS)
<http://www.owasp.org/index.php/ASVS>projects.

ABOUT OWASP

The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software.
Our mission is to make application security visible, so that people and
organizations can make informed decisions about true application security
risks. Everyone is free to participate in OWASP and *all of our
materials*are available under a free and open software license. The
OWASP Foundation
is a 501c3 not-for-profit charitable organization that ensures the ongoing
availability and support for our work from our members:
Individuals<http://www.owasp.org/index.php/Template:OWASP_Members_Horizontal>,
Organizational Supporters<http://www.owasp.org/index.php/Template:OWASP_Members_Horizontal>&
Accredited
University Supporters<http://www.owasp.org/index.php/Template:OWASP_Members_Horizontal>
.


Interviews: Jeff Williams – OWASP Chair and Top 10 Project Founder (
jeff.williams at owasp.,org)

Interviews: Dave Wichers – OWASP Board Member and Top 10 Project Lead (
dave.wichers at owasp.org)
Contact:  Lorna Alamri – Connections Committee (lorna.alamri at owasp.org)
Company Name:  Open Web Application Security Project (OWASP)
Web site address:  http://www.owasp.org

-- 
Regards,
Mohd Fazli Azran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100417/60c14b0f/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP T10 - 2010.pdf
Type: application/pdf
Size: 2636872 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100417/60c14b0f/attachment-0001.pdf