[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Abbas Naderi abbas.naderi at owasp.org
Fri Feb 15 20:08:21 UTC 2013


Well I just sent a list of suggestions for the new one to the appropriate mailing list. Hope to spark a discussion there.
-Abbas
On 27 Bahman 1391, at 23:35, "Dennis Groves" <dennis.groves at owasp.org> wrote:

> The OWASP Top 19.
> 
> The OWASP Top Ten became the de facto standard in 2005 when the PCI Security Standards Council ("About the PCI Data Security Standard (PCI DSS)") endorsed it as a requirement for PCI DSS compliance. OWASP revises the Top 10 every 2 years to keep it current with the threat landscape. Here is the complete OWASP Top 19:
> 
> OWASP Top 19                                  2004  2007  2010  2013
> Unvalidated Input                             A01   ---   ---   ---
> Broken Access Control                         A02   ---   ---   ---
> Broken Authentication & Session Management    A03   A07   A03   A02
> Cross Site Scripting (XSS)                    A04   A01   A02   A03
> Buffer Overflow                               A05   ---   ---   ---
> Injection Flaws                               A06   A02   A01   A01
> Information Leakage & Improper Error Handling A07   A06   ---   ---
> Insecure Storage                              A08   A08   A07   ---
> Application Denial of Service                 A09   ---   ---   ---
> Insecure Configuration Management             A10   ---   A06   A05
> Malicious File Execution                      ---   A03   ---   ---
> Insecure Direct Object Reference              ---   A04   A04   A04
> Cross Site Request Forgery (CSRF)             ---   A05   A05   A08
> Insecure Communications                       ---   A09   A09   ---
> Failure to Restrict URL Access                ---   A10   A08   ---
> Unvalidated Redirects and Forwards            ---   ---   A10   A10
> Sensitive Data Exposure                       ---   ---   ---   A06
> Missing Function Level Access Control         ---   ---   ---   A07
> Using Known Vulnerable Components             ---   ---   ---   A09
> 
> Do you notice a pattern? I do: remove 3 things and add three new ones, which are really just new words for the old things, and flavor the document with a new colour! I can even predict the 2015 top 10: we can start picking three from the list that haven't appeared since 2007 and change the colour to brown.
> 
> I am a bit disappointed that something so visible and so important to Aspect, Trustwave and WhiteHat is nothing more than a lukewarm make-over of material from 2007, essentially thrown together. How about some root cause analysis? The OWASP Top 19 looks like 3 issues to me from a root cause analysis perspective. I'll even give you a hint: identity management, access control and input validation, but not in that order.
> 
> This is perhaps the most visible and important project; it seems to me we could and should be doing a lot more than just repackaging the same thing all the time.
> 
> The whole world is watching and this is a big opportunity to make a difference. I think it deserves more than a lukewarm make-over.
> 
> Dennis
> 
> Dennis Groves, MSc
> Email me or schedule a meeting.
> 
> This email is licensed under a CC BY-ND 3.0 license.
> 
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument instead!
> Stand up for your freedom to install free software.
> 
> The idea that some lives matter less is the root of all that’s wrong with the world. -- Paul Farmer
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
