[Owasp-leaders] 2010 OWASP Top 10 being officially released on Monday, April 19.

Tom Brennan - OWASP tomb at owasp.org
Sat Apr 17 09:01:33 EDT 2010


Dave, it's WhiteHat Security Inc. (www.whitehatsec.com). Please fix or marketing will have my head ;)


Sent from my iPhone

On Apr 16, 2010, at 7:06 PM, "Dave Wichers" <dave.wichers at owasp.org> wrote:

> OWASP Leaders,
>
>
>
> Attached is an internal release of the final OWASP Top 10 for 2010.  
> We are providing this as a sneak preview for all of you and we are  
> asking for your help. Please do not release this publicly until  
> Monday after the press release goes out (listed below). Feel free to  
> forward to press contacts and other writers.
>
>
>
> As you can see in the press release, we are trying hard to expand  
> our audience beyond the security community to reach the people that  
> matter the most, the developers that are producing all the  
> applications we are so concerned about.
>
>
>
> Please help us make sure every developer in the ENTIRE WORLD knows  
> about the OWASP Top 10 by helping to spread the word. Please blog,  
> tweet, e-mail, post, speak about, and forward the OWASP Top 10 to  
> everyone who you think needs to be aware of this, particularly  
> developers. Discuss it at your chapter meetings, offer to give talks  
> about it at your local university, etc. and please reuse my OWASP DC  
> Conference presentation on the Top 10, which I will update soon to  
> reflect the final release.
>
>
>
> As you help us spread the word, please emphasize:
>
> ·       The new Top 10 is about managing risk, not just avoiding vulnerabilities
>
> ·       OWASP is reaching out to developers, not just the application security community
>
> ·       To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
>
>
>
> We need to encourage organizations to get off the penetrate and  
> patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC  
> Keynote: “we’ll never hack our way secure – it’s going to  
> take a culture change” for organizations to properly address application security.
>
>
>
> Thank you for your help.
>
>
>
> Thanks, Dave
>
>
>
> p.s. I wanted to also take a moment to thank all of you for your  
> significant contributions to OWASP and the application security  
> community. It's all of you that make OWASP so great.
>
>
>
> Dave Wichers
>
> OWASP Board Member, OWASP Conferences Chair, and OWASP Top 10  
> Project Lead
>
> FOR IMMEDIATE RELEASE:
>
> OWASP TOP 10 FOR 2010 RELEASED
> Will You Help Us Reach Every Web Developer in the World?
>
> Columbia, MD 4/19/2010 —
>
>
> Since 2003, application security researchers and experts from all  
> over the world at the Open Web Application Security Project (OWASP)  
> have carefully monitored the state of web application security and  
> produced an awareness document that is acknowledged and relied on by  
> organizations worldwide, including the PCI, DOD, FTC, and countless  
> others.
>
>
>
> Today, OWASP has released an updated report capturing the top ten  
> risks associated with the use of web applications in an enterprise.  
> This colorful 22 page report is packed with examples and details  
> that explain these risks to software developers, managers, and  
> anyone interested in the future of web security. Everything at OWASP  
> is free and open to everyone, and you can download the latest OWASP  
> Top 10 report for free at:
>
> http://www.owasp.org/index.php/Top_10
>
> Dave Wichers, OWASP Board member and COO of Aspect Security, has  
> managed the project since its inception. “This year we have revamped  
> the Top 10 to make it clear that we are talking about risks, not just  
> vulnerabilities. Attempts to prioritize vulnerabilities without context  
> just don’t make sense. You can’t make proper business decisions  
> without understanding the threat and impact to your business.” This  
> new focus on risks is intended to lead organizations to more mature  
> understanding and management of application security across their  
> organization.
>
>
>
> The time has come to get application security awareness out of the  
> security community and directly to the people who need to know it  
> most. This year, our audacious goal is to get the OWASP Top 10 into  
> the hands of every web developer in the world – but we need your help.  
> We ask anyone reading this; would you be willing to do one simple  
> thing to help protect the future of the Internet? If you know people  
> who write code for the web, could you forward them the OWASP Top 10  
> and ask them kindly…
>
>
>
> ---------------------------------------------------
>
>
>
> Are you familiar with all of the risks in the OWASP Top 10?
>
>
>
> Will you make a commitment today to protect your code against the  
> OWASP Top 10?
>
>
>
> ---------------------------------------------------
>
>
>
> For too long, many organizations have relied exclusively on an  
> occasional scan or penetration test to gain assurance for their  
> internal and external web applications. This approach is expensive  
> and doesn't provide much in the way of coverage. Like other types of  
> security, application security requires a risk management program  
> that provides visibility across the entire portfolio and strategic  
> controls to improve security. If your organization is ready to  
> tackle application security, there are dozens of free books, tools,  
> projects, forums, mailing lists, and more at OWASP. You can also  
> join one of over 180 local chapters worldwide or attend our high  
> quality and inexpensive AppSec conferences.
>
>
>
> The OWASP Top 10 for 2010 are:
>
> A1: Injection
>
> A2: Cross-Site Scripting (XSS)
>
> A3: Broken Authentication and Session Management
>
> A4: Insecure Direct Object References
>
> A5: Cross-Site Request Forgery (CSRF)
>
> A6: Security Misconfiguration
>
> A7: Insecure Cryptographic Storage
>
> A8: Failure to Restrict URL Access
>
> A9: Insufficient Transport Layer Protection
>
> A10: Unvalidated Redirects and Forwards
>
>
>
> The 2010 update is based on more sources of web application  
> vulnerability information than the previous versions were when  
> determining the new Top 10. It also presents this information in a  
> more concise, compelling, and consumable manner, and includes strong  
> references to the many new openly available resources that can help  
> address each issue, particularly OWASP's new Enterprise Security API  
> (ESAPI) and Application Security Verification Standard (ASVS)  
> projects.
>
> ABOUT OWASP
>
> The Open Web Application Security Project (OWASP) is a worldwide  
> free and open community focused on improving the security of  
> application software. Our mission is to make application security  
> visible, so that people and organizations can make informed  
> decisions about true application security risks. Everyone is free to  
> participate in OWASP and all of our materials are available under a  
> free and open software license. The OWASP Foundation is a 501c3  
> not-for-profit charitable organization that ensures the ongoing  
> availability and support for our work from our members: Individuals,  
> Organizational Supporters & Accredited University Supporters.
>
>
> Interviews: Jeff Williams – OWASP Chair and Top 10 Project Founder (jeff.williams at owasp.org)
>
> Interviews: Dave Wichers – OWASP Board Member and Top 10 Project Lead (dave.wichers at owasp.org)
>
> Contact:  Lorna Alamri – Connections Committee (lorna.alamri at owasp.org)
> Company Name:  Open Web Application Security Project (OWASP)
> Web site address:  http://www.owasp.org
>
>
>
>
>
> # # #