[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Dennis Groves dennis.groves at owasp.org
Fri Feb 15 20:06:43 UTC 2013


### The OWASP Top 19.

The [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2010) became 
the de facto standard in 2005 when the PCI Security Standards Council 
("About the PCI Data Security Standard (PCI DSS)") endorsed it as a 
requirement for PCI DSS compliance. OWASP revises the Top 10 every 2 
years to keep it current with the threat landscape. Here is the complete 
OWASP Top 19:

OWASP Top 19 | 2004 | 2007 | 2010 | 2013
-------------|------|------|------|----
Unvalidated Input | A01 | --- | --- | ---
Broken Access Control | A02 | --- | --- | ---
Broken Authentication & Session Management | A03 | A07 | A03 | A02
Cross Site Scripting (XSS) | A04 | A01 | A02 | A03
Buffer Overflow | A05 | --- | --- | ---
Injection Flaws | A06 |  A02 | A01 | A01
Information Leakage & Improper Error Handling | A07 | A06 | --- |---
Insecure Storage | A08 | A08 | A07 | ---
Application Denial of Service |  A09 | --- | --- | ---
Insecure Configuration Management | A10 | --- | A06 | A05
Malicious File Execution | --- | A03 | --- | ---
Insecure Direct Object Reference | --- | A04 | A04 | A04
Cross Site Request Forgery (CSRF) | --- | A05 | A05 | A08
Insecure Communications | --- | A09 | A09 | ---
Failure to Restrict URL Access | --- | A10 | A08 | ---
Unvalidated Redirects and Forwards | --- | --- | A10 | A10
Sensitive Data Exposure | --- | --- | --- | A06
Missing Function Level Access Control | --- | --- | --- | A07
Using Known Vulnerable Components | --- | --- | --- | A09

Do you notice a pattern? I do: remove 3 things and add three new ones, 
which are really just new words for the old things, and flavor the 
document with a new colour! I can even predict the 2015 top 10: we can 
start picking three from the list that haven't appeared since 2007 and 
change the colour to brown.

I am a bit disappointed that something so visible and so important to 
**Aspect, Trustwave and WhiteHat** is nothing more than a lukewarm 
make-over of material from 2007, essentially thrown together. How about 
some root cause analysis? The OWASP Top 19 looks like 3 issues to me from 
a root cause analysis perspective. *I'll even give you a hint: identity 
management, access control and input validation, but not in that order.*

This is perhaps the most visible and important project; it seems to me 
we could and should be doing a lot more than just repackaging the same 
thing all the time.

**The whole world is watching and this is a big opportunity to make a 
difference. I think it deserves more than a lukewarm make-over.**

Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer