[Owasp-leaders] 2010 OWASP Top 10 being officially released on Monday, April 19.

Dave Wichers dave.wichers at owasp.org
Fri Apr 16 19:06:01 EDT 2010

OWASP Leaders,


Attached is an internal release of the final OWASP Top 10 for 2010. We are providing this as a sneak preview for all of you and we are asking for your help. Please do not release this publicly until Monday after the press release goes out (listed below). Feel free to forward to press contacts and other writers.


As you can see in the press release, we are trying hard to expand our audience beyond the security community to reach the people that matter the most, the developers that are producing all the applications we are so concerned about.


Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word. Please blog, tweet, e-mail, post, speak about, and forward the OWASP Top 10 to everyone who you think needs to be aware of this, particularly developers. Discuss it at your chapter meetings, offer to give talks about it at your local university, etc., and please reuse my OWASP DC Conference presentation on the Top 10, which I will update soon to reflect the final release.


As you help us spread the word, please emphasize:

·       The new Top 10 is about managing risk, not just avoiding vulnerabilities

·       OWASP is reaching out to developers, not just the application security community

·       To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation


We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.


Thank you for your help.


Thanks, Dave


p.s. I wanted to also take a moment to thank all of you for your significant contributions to OWASP and the application security community. It's all of you that make OWASP so great.


Dave Wichers

OWASP Board Member, OWASP Conferences Chair, and OWASP Top 10 Project Lead


Will You Help Us Reach Every Web Developer in the World?


Columbia, MD 4/19/2010 — 


Since 2003, application security researchers and experts from all over the world at the Open Web Application Security Project (OWASP) have carefully monitored the state of web application security and produced an awareness document that is acknowledged and relied on by organizations worldwide, including the PCI, DOD, FTC, and countless others.


Today, OWASP has released an updated report capturing the top ten risks associated with the use of web applications in an enterprise. This colorful 22 page report is packed with examples and details that explain these risks to software developers, managers, and anyone interested in the future of web security. Everything at OWASP is free and open to everyone, and you can download the latest OWASP Top 10 report for free at:

http://www.owasp.org/index.php/Top_10

Dave Wichers, OWASP Board member and COO of Aspect Security, has managed the project since its inception. “This year we have revamped the Top 10 to make it clear that we are talking about risks, not just vulnerabilities. Attempts to prioritize vulnerabilities without context just don’t make sense. You can’t make proper business decisions without understanding the threat and impact to your business.” This new focus on risks is intended to lead organizations to more mature understanding and management of application security across their organization.


The time has come to get application security awareness out of the security community and directly to the people who need to know it most. This year, our audacious goal is to get the OWASP Top 10 into the hands of every web developer in the world – but we need your help. We ask anyone reading this; would you be willing to do one simple thing to help protect the future of the Internet? If you know people who write code for the web, could you forward them the OWASP Top 10 and ask them kindly…




Are you familiar with all of the risks in the OWASP Top 10?


Will you make a commitment today to protect your code against the OWASP Top 10?




For too long, many organizations have relied exclusively on an occasional scan or penetration test to gain assurance for their internal and external web applications. This approach is expensive and doesn't provide much in the way of coverage. Like other types of security, application security requires a risk management program that provides visibility across the entire portfolio and strategic controls to improve security. If your organization is ready to tackle application security, there are dozens of free books, tools, projects, forums, mailing lists, and more at OWASP. You can also join one of over 180 local chapters worldwide or attend our high quality and inexpensive AppSec conferences.


The OWASP Top 10 for 2010 are:

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards


The 2010 update draws on more sources of web application vulnerability information than the previous versions did when determining the new Top 10. It also presents this information in a more concise, compelling, and consumable manner, and includes strong references to the many new openly available resources that can help address each issue, particularly OWASP's new Enterprise Security API (ESAPI) <http://www.owasp.org/index.php/ESAPI> and Application Security Verification Standard (ASVS) <http://www.owasp.org/index.php/ASVS> projects.


The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work from our members: Individuals, Organizational Supporters & Accredited University Supporters <http://www.owasp.org/index.php/Template:OWASP_Members_Horizontal>.

Interviews: Jeff Williams – OWASP Chair and Top 10 Project Founder (jeff.williams at owasp.org)

Interviews: Dave Wichers – OWASP Board Member and Top 10 Project Lead (dave.wichers at owasp.org)

Contact: Lorna Alamri – Connections Committee (lorna.alamri at owasp.org)
Company Name: Open Web Application Security Project (OWASP)
Web site address: http://www.owasp.org



# # #


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP T10 - 2010.pdf
Type: application/pdf
Size: 2636872 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20100416/f6ed12a3/attachment-0001.pdf 
