[Owasp-topten] OWASP Top 10 2009
Jeremiah Grossman
jeremiah at whitehatsec.com
Tue May 19 12:09:46 EDT 2009
Hi All,
Beyond what exactly the OWASP Top Ten is a top ten of, it's important
to keep in mind how the document has been and will be used. First, the
OWASP Top Ten is an awareness (marketing) document. This is closely
followed by a digestible prioritized list of action items designed for
those just getting into webappsec, who don't yet know where they stand
and what they should be internally focused on. As these areas become
better understood to them, the document becomes less relevant, which
to me signals success.
Having said that, the number of items/vulns/attacks one could focus
attention on in WebAppSec is plainly enormous. Our job is to help
newcomers prioritize on a grossly generalized basis. As such, we
should NOT be trying to include everything we can in the Top Ten nor
make the nomenclature any more confusing to non-experts than it
already is. Instead, we need to make some sacrifices and keep things
exceedingly simple.
We should be focusing on issues of prevalence, severity, impact, and
overall likelihood of exploitation. Let's leave the edge cases and
catch-alls out. While many of these data points were limited in the
past, they are no longer, so we are benefited where previous OWASP Top
Ten groups were not. Sources of data include, but are not limited to:
The 2009 Data Breach Investigations Report
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
The Web Hacking Incidents Database
http://whid.webappsec.org/
WASC Web Application Security Statistics Project
http://www.webappsec.org/projects/statistics/
WhiteHat Website Security Statistics Report
http://www.whitehatsec.com/home/resource/stats.html
Here would be my list (of attacks), in order, as the things that are
more pressing and plaguing high value websites right now. We'd need to
settle on the exact naming conventions later.
1) SQL Injection
2) Cross-Site Scripting (+ Flash issues)
3) Insecure Direct Object Reference / Predictable Resources Location
4) Authentication/Authorization Bypass
5) Open URL Redirectors
6) Cross Site Request Forgery
7) Insecure Communications / Insufficient Transport Layer Protection
   ** not an attack
8) Information Leakage and Improper Error Handling (+ Flash issues)
   ** not an attack
9) Malvertising * JS includes, integrating arbitrary client-side code
   in an environment with limited to no security controls.
10) Password Recovery Attacks (secret questions be gone!)
Thanks all.