[Owasp-topten] Thoughts on OWASP Top 10 2009 - Round 1

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Mar 19 17:04:33 EDT 2009

Hi all,

I don't have much value to add on top of the discussion about  
vulnerability prevalence, ease, impact, exploitation likelihood, etc.  
When it comes to building such a list you guys all hit the relevant  

I also think the goal of building the "Top 10 biggest security risks  
to web applications" is worthwhile and feasible. To do so obviously  
we're going to be unable to leverage solid statistics to cover each  
aspect, which is not to say we would be on our own either.  I captured  
many of the recently publicly available reports here:


We can also include data from:

The Web Hacking Incidents Database

WASC Web Application Security Statistics Project

WhiteHat Website Security Statistics Report

Still, we are going to have to rely upon our collective wisdom to fill  
in the gaps. As it stands, here is the current Top Ten 2007 for  

1) Cross Site Scripting
2) Injection Flaws
3) Malicious File Execution
4) Insecure Direct Object Reference
5) Cross Site Request Forgery
6) Information Leakage and Improper Error Handling
7) Broken Authentication and Session Management
8) Insecure Cryptographic Storage
9) Insecure Communications
10) Failure to Restrict URL Access

For my part and experience, off the top of my head I'd like to see the  
following list considered. No particular order:

- Cross Site Scripting
- SQL Injection
- Insecure Direct Object Reference / Predictable Resources Location
- Cross Site Request Forgery
- Clickjacking / UI Redressing
- Insufficient Authorization
- Insecure Communications / Insufficient Transport Layer Protection
- Open URL Redirectors

* Flash applications tend to have at least one of a lot of important  
little things that can and do go wrong, but hard to select just one.

* Similar is true for Web Widgets, third-party advertisements, and  
traffic monitoring services. Websites are using more and more JS  
includes, integrating arbitrary client-side code in an environment  
with limited security controls.

On Mar 18, 2009, at 5:41 PM, Neil Smithline wrote:

> 2009/3/18 Dave Wichers <dave.wichers at aspectsecurity.com>
> I think the Top 10 items and their brief descriptions is more of a  
> management document, than a developer doc. However, the existing doc  
> has lots of details for developers making it less useful as a  
> management document, but not enough detail to be really useful for  
> developers either. Jeff Williams has a suggestion that I like:
> I just want to note that a management-focus on the T10  
> vulnerabilities is a different document than the top 10 application  
> security management mistakes. The latter involves things such as  
> "We'll add security at the end when we add I18N.",  "We have smart  
> engineers so we can let every team worry about security on their  
> own.", and "The most famous is never get involved in a land war in  
> Asia" (oh wait, that's something different ;-)
> Neil
> Personal: http://www.smithline.net
> Voice: 781-754-7628
> Fax: 206-666-5090
> Professional:
> Founder & Senior Security Consultant
> OneStopAppSecurity.com
> https://www.OneStopAppSecurity.com
> (Signature provided with the help of WiseStamp)
