[Owasp-ireland] OWASP Top 10 2013

Darren Fitzpatrick darren.fitzpatrick at owasp.org
Thu Jun 27 22:35:32 UTC 2013

Hi all,

In case anyone missed it, the official OWASP Top 10 2013 was released
recently and is available here:

From the release notes:

What Changed From 2010 to 2013?

The threat landscape for applications security constantly changes. Key
factors in this evolution are advances made by attackers, the release of
new technologies with new weaknesses as well as more built in defenses, and
the deployment of increasingly complex systems. To keep pace, we
periodically update the OWASP Top 10. In this 2013 release, we made the
following changes:

   1. Broken Authentication and Session Management moved up in prevalence
   based on our data set, probably because this area is being looked at
   harder, not because issues are actually more prevalent. This caused Risks
   A2 and A3 to switch places.
   2. Cross-Site Request Forgery (CSRF) moved down in prevalence based on
   our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has
   been in the OWASP Top 10 for 6 years, and organizations and framework
   developers have focused on it enough to significantly reduce the number of
   CSRF vulnerabilities in real world applications.
   3. We broadened Failure to Restrict URL Access from the 2010 OWASP Top
   10 to be more inclusive:

      - 2010-A8: Failure to Restrict URL Access is now *2013-A7: Missing
      Function Level Access Control* – to cover all of function level access
      control. There are many ways to specify which function is being accessed,
      not just the URL.
   4. We merged and broadened 2010-A7 & 2010-A9 to CREATE: *2013-A6:
   Sensitive Data Exposure*:

      - This new category was created by merging 2010-A7 – Insecure
      Cryptographic Storage & 2010-A9 - Insufficient Transport Layer Protection,
      plus adding browser side sensitive data risks as well. This new category
      covers sensitive data protection (other than access control which is
      covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided
      by the user, sent to and stored within the application, and then sent back
      to the browser again.
   5. We added: *2013-A9: Using Components with Known Vulnerabilities*:

      - This issue was mentioned as part of 2010-A6 – Security
      Misconfiguration, but now has a category of its own as the growth and depth
      of component based development has significantly increased the risk of
      using components with known vulnerabilities.

Darren Fitzpatrick
OWASP Ireland Board
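Added example (not from Darren's post and not OWASP's own code) illustrating the 2013-A7 point above that the function being invoked can be named in more ways than the URL. The tiny dispatcher below lets a request select a function by URL path, by a form field "action", or by a JSON field "action". The first dispatcher authorizes on the URL prefix only and is bypassed by the other two routes; the second binds the allowed roles to each function so the check runs whichever way the function was reached. The Request class, the role names and the function names are assumptions made for the example, not any framework's API.

```python
"""Function-level access control enforced on the function, not the URL.

Constructed example: a request can name the function it invokes by URL
path, by form field "action", or by JSON field "action".  The URL-only
dispatcher guards one path prefix and is bypassed by the other two ways;
the function-level dispatcher binds the allowed roles to each function.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional


@dataclass
class Request:
    """Stand-in for a framework request object (assumption, not a real API)."""
    path: str
    role: str                                   # role of the authenticated caller
    form: Dict[str, str] = field(default_factory=dict)
    json: Optional[dict] = None


class Forbidden(Exception):
    """Raised when the caller's role does not permit the requested function."""


def list_users() -> str:
    return "users listed"


def delete_user() -> str:
    return "user deleted"


# Three equally valid ways for a request to name a function (assumed mapping).
PATH_TO_FUNCTION = {"/users": "listUsers", "/admin/deleteUser": "deleteUser"}
UNGUARDED = {"listUsers": list_users, "deleteUser": delete_user}


# ---- before: authorization keyed on the URL prefix only -------------------
def dispatch_url_only(req: Request) -> str:
    """Vulnerable: only /admin/* paths are checked; the "action" field is not."""
    if req.path.startswith("/admin") and req.role != "admin":
        raise Forbidden(req.path)
    name = (req.form.get("action")
            or (req.json or {}).get("action")
            or PATH_TO_FUNCTION.get(req.path))
    if name not in UNGUARDED:
        raise Forbidden("unknown function")
    return UNGUARDED[name]()


# ---- after: allowed roles bound to the function itself --------------------
def requires_role(*allowed: str):
    """Decorator that checks the caller's role on every invocation path."""
    def deco(fn: Callable[[Request], str]):
        @wraps(fn)
        def guarded(req: Request) -> str:
            if req.role not in allowed:
                raise Forbidden(fn.__name__)
            return fn(req)
        return guarded
    return deco


@requires_role("user", "admin")
def list_users_fn(req: Request) -> str:
    return list_users()


@requires_role("admin")
def delete_user_fn(req: Request) -> str:
    return delete_user()


GUARDED = {"listUsers": list_users_fn, "deleteUser": delete_user_fn}


def resolve_function_name(req: Request) -> Optional[str]:
    """Collect every name the request supplies; refuse if they disagree."""
    names = {n for n in (PATH_TO_FUNCTION.get(req.path),
                         req.form.get("action"),
                         (req.json or {}).get("action")) if n}
    return names.pop() if len(names) == 1 else None


def dispatch_function_level(req: Request) -> str:
    """Hardened: the role check lives in the function, so no entry point skips it."""
    name = resolve_function_name(req)
    if name is None or name not in GUARDED:
        raise Forbidden("unknown or ambiguous function")
    return GUARDED[name](req)


def is_forbidden(dispatcher: Callable[[Request], str], req: Request) -> bool:
    """True if the dispatcher refuses the request (used to compare the two)."""
    try:
        dispatcher(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # An ordinary user names deleteUser via the form field, never touching /admin/...
    sneaky = Request("/api", "user", form={"action": "deleteUser"})
    print("url-only dispatcher:", dispatch_url_only(sneaky))
    print("function-level dispatcher refuses:", is_forbidden(dispatch_function_level, sneaky))
```

The hardened dispatcher also refuses a request that names two different functions (path says listUsers, form says deleteUser) instead of picking one, since a parser disagreement of that kind is exactly where a URL-based check and the executed function drift apart.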