[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available
tobias.gondrom at owasp.org
Mon Feb 18 12:45:56 UTC 2013
Thanks a lot for the update of the OWASP Top Ten.
I have to agree a bit with Dennis that we should do more ("than
potentially just repackaging the same thing all the time").
And I am still not fully in line with the fact that we remove 2010.A9
from the list, as I believe that this risk is still a significant
problem. Although we fixed part of it with RFC 6797 (HSTS) and key
pinning, this is far from over! And until all these things have been
widely implemented (which could still take a while).
Best regards, Tobias
On 16/02/13 04:06, Dennis Groves wrote:
> The OWASP Top 10.
> The OWASP Top Ten <https://www.owasp.org/index.php/Top_10_2010> became
> the de facto standard in 2005 when the PCI Security Standards Council
> ("About the PCI Data Security Standard (PCI DSS)") endorsed it as a
> requirement for PCI DSS compliance. OWASP revises the Top 10 every 2
> years to keep it current with the threat landscape. Here is the
> complete OWASP Top 19:
> OWASP Top 19                                   2004  2007  2010  2013
> Unvalidated Input                              A01   ---   ---   ---
> Broken Access Control                          A02   ---   ---   ---
> Broken Authentication & Session Management     A03   A07   A03   A02
> Cross Site Scripting (XSS)                     A04   A01   A02   A03
> Buffer Overflow                                A05   ---   ---   ---
> Injection Flaws                                A06   A02   A01   A01
> Information Leakage & Improper Error Handling  A07   A06   ---   ---
> Insecure Storage                               A08   A08   A07   ---
> Application Denial of Service                  A09   ---   ---   ---
> Insecure Configuration Management              A10   ---   A06   A05
> Malicious File Execution                       ---   A03   ---   ---
> Insecure Direct Object Reference               ---   A04   A04   A04
> Cross Site Request Forgery (CSRF)              ---   A05   A05   A08
> Insecure Communications                        ---   A09   A09   ---
> Failure to Restrict URL Access                 ---   A10   A08   ---
> Unvalidated Redirects and Forwards             ---   ---   A10   A10
> Sensitive Data Exposure                        ---   ---   ---   A06
> Missing Function Level Access Control          ---   ---   ---   A07
> Using Known Vulnerable Components              ---   ---   ---   A09
> Do you notice a pattern? I do: remove 3 things and add three new ones,
> which are really just new words for the old things, and flavor the
> document with a new colour! I can even predict the 2015 top 10: we can
> start picking three from the list that haven't appeared
> since 2007 and change the colour to brown.
> I am a bit disappointed that something so visible and so important to
> *Aspect, Trustwave and WhiteHat* is nothing more than a lukewarm make-over
> of material from 2007 essentially thrown together. How about some
> root cause analysis? The OWASP Top 19 looks like 3 issues to me from a
> root cause analysis perspective. /I'll even give you a hint: identity
> management, access control and input validation, but not in that order./
> This is perhaps the most visible and important project; it seems to me
> we could and should be doing a lot more than just repackaging the same
> thing all the time.
> *The whole world is watching and this is a big opportunity to make a
> difference; I think it deserves more than a lukewarm make-over.*
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <mailto:dennis.groves at owasp.org> or schedule a meeting
> /This email is licensed under a CC BY-ND 3.0
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license./
> *Please do not send me Microsoft Office/Apple iWork documents.*
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
> Stand up for your freedom to install free software
> The idea that some lives matter less is the root of all that's
> wrong with the world. -- Paul Farmer