[Owasp-topten] OWASP Top 10 2009

Steven M. Christey coley at linus.mitre.org
Mon May 18 14:43:30 EDT 2009

On Mon, 18 May 2009, Achim Hoffmann wrote:

> the Top 10 are "the most common web application security flaws", they
> do not distinguish threats, weakness, vulnerability, attack, impact or
> risk. Also "bucket" is rarely used in this context (at least I've not
> seen it yet). So XSS and SQLI make sense as different topics. As XSS
> still is the most common flaw, while SQLI is not that common, it makes
> sense to mention SQLI under Injection Flaws.

Just a data point, SQL injection will almost certainly be the number one
reported issue in CVE for all of 2008 (although the rankings aren't final
yet, SQL injection is so far ahead that nothing else can catch it.)  The
OWASP Top 10 2009 will use other inputs besides CVE though, so this is
just an observation.

- Steve

More information about the Owasp-topten mailing list