[Owasp-leaders] 2010 OWASP Top 10 being officially released on Monday, April 19.

Konstantinos Papapanagiotou conpap at di.uoa.gr
Sat Apr 17 12:35:49 EDT 2010

Hi all,

Congratulations on the release!

Where can we get the "source" document in order to start translating?


Kostas Papapanagiotou
OWASP Greek Chapter

At Saturday, April 17, 2010, 2:06:01 AM, you wrote:

> OWASP Leaders,
> Attached is an internal release of the final OWASP Top 10 for 2010.
> We are providing this as a sneak preview for all of you and we are
> asking for your help. Please do not release this publicly until
> Monday after the press release goes out (listed below). Feel free to
> forward to press contacts and other writers.
> As you can see in the press release, we are trying hard to expand our
> audience beyond the security community to reach the people that matter
> the most, the developers that are producing all the applications we are so concerned about.
> Please help us make sure every developer in the ENTIRE WORLD knows
> about the OWASP Top 10 by helping to spread the word. Please blog,
> tweet, e-mail, post, speak about, and forward the OWASP Top 10 to
> everyone who you think needs to be aware of this, particularly
> developers. Discuss it at your chapter meetings, offer to give talks
> about it at your local university, etc. and please reuse my OWASP DC
> Conference presentation on the Top 10, which I will update soon to reflect the final release.
> As you help us spread the word, please emphasize:
> ·       The new Top 10 is about managing risk, not just avoiding vulnerabilities
> ·       OWASP is reaching out to developers, not just the application security community
> ·       To manage these risks, organizations need an application risk
> management program, not just awareness training, app testing, and remediation
> We need to encourage organizations to get off the penetrate and patch
> mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote:
> “we’ll never hack our way secure – it’s going to take a culture
> change” for organizations to properly address application security.
> Thank you for your help.
> Thanks, Dave
> p.s. I wanted to also take a moment to thank all of you for your
> significant contributions to OWASP and the application security
> community. It's all of you that make OWASP so great.
> Dave Wichers
> OWASP Board Member, OWASP Conferences Chair, and OWASP Top 10 Project Lead

> Will You Help Us Reach Every Web Developer in the World?
> Columbia, MD 4/19/2010 — 
> Since 2003, application security researchers and experts from all
> over the world at the Open Web Application Security Project (OWASP)
> have carefully monitored the state of web application security and
> produced an awareness document that is acknowledged and relied on by
> organizations worldwide, including the PCI, DOD, FTC, and countless others.
> Today, OWASP has released an updated report capturing the top ten
> risks associated with the use of web applications in an enterprise.
> This colorful 22 page report is packed with examples and details that
> explain these risks to software developers, managers, and anyone
> interested in the future of web security. Everything at OWASP is free
> and open to everyone, and you can download the latest OWASP Top 10 report for free at:
> http://www.owasp.org/index.php/Top_10 
> Dave Wichers, OWASP Board member and COO of Aspect Security, has
> managed the project since its inception. “This year we have revamped
> the Top 10 to make it clear that we are talking about risks, not just
> vulnerabilities. Attempts to prioritize vulnerabilities without
> context just don’t make sense. You can’t make proper business
> decisions without understanding the threat and impact to your
> business.” This new focus on risks is intended to lead organizations
> to more mature understanding and management of application security across their organization.
> The time has come to get application security awareness out of the
> security community and directly to the people who need to know it
> most. This year, our audacious goal is to get the OWASP Top 10 into
> the hands of every web developer in the world – but we need your help.
> We ask anyone reading this; would you be willing to do one simple
> thing to help protect the future of the Internet?  If you know people
> who write code for the web, could you forward them the OWASP Top 10 and ask them kindly…
> ---------------------------------------------------
> Are you familiar with all of the risks in the OWASP Top 10?
> Will you make a commitment today to protect your code against the OWASP Top 10?
> ---------------------------------------------------
> For too long, many organizations have relied exclusively on an
> occasional scan or penetration test to gain assurance for their
> internal and external web applications. This approach is expensive and
> doesn't provide much in the way of coverage. Like other types of
> security, application security requires a risk management program that
> provides visibility across the entire portfolio and strategic controls
> to improve security. If your organization is ready to tackle
> application security, there are dozens of free books, tools, projects,
> forums, mailing lists, and more at OWASP. You can also join one of
> over 180 local chapters worldwide or attend our high quality and inexpensive AppSec conferences.
> The OWASP Top 10 for 2010 are:
> A1: Injection 
> A2: Cross-Site Scripting (XSS) 
> A3: Broken Authentication and Session Management 
> A4: Insecure Direct Object References 
> A5: Cross-Site Request Forgery (CSRF) 
> A6: Security Misconfiguration 
> A7: Insecure Cryptographic Storage 
> A8: Failure to Restrict URL Access 
> A9: Insufficient Transport Layer Protection
> A10: Unvalidated Redirects and Forwards 
> The 2010 update is based on more sources of web application
> vulnerability information than the previous versions were when
> determining the new Top 10. It also presents this information in a
> more concise, compelling, and consumable manner, and includes strong
> references to the many new openly available resources that can help
> address each issue, particularly OWASP's new Enterprise Security API
> (ESAPI) and Application Security Verification Standard (ASVS) projects.
> The Open Web Application Security Project (OWASP) is a worldwide free
> and open community focused on improving the security of application
> software. Our mission is to make application security visible, so that
> people and organizations can make informed decisions about true
> application security risks. Everyone is free to participate in OWASP
> and all of our materials are available under a free and open software
> license. The OWASP Foundation is a 501c3 not-for-profit charitable
> organization that ensures the ongoing availability and support for our
> work from our members: Individuals, Organizational Supporters & Accredited University Supporters.
> Interviews: Jeff Williams – OWASP Chair and Top 10 Project Founder (jeff.williams at owasp.org)
> Interviews: Dave Wichers – OWASP Board Member and Top 10 Project Lead (dave.wichers at owasp.org)
> Contact:  Lorna Alamri – Connections Committee (lorna.alamri at owasp.org)
> Company Name:  Open Web Application Security Project (OWASP)
> Web site address:  http://www.owasp.org 
> # # #

