Wednesday, December 23, 2009

OWASP Top 10 - 2010 Release Candidate for comment



Request for Comments
OWASP plans to publish the final public release of the OWASP Top 10 - 2010 during the first quarter of 2010, after a final one-month public comment period ending December 31, 2009.

This release of the OWASP Top 10 marks the project's eighth year of raising awareness of application security risks. It has been significantly revised to clarify the focus on risk: for each of the ten entries it details the threat agents, attack vectors, security weaknesses, security controls, technical impacts, and business impacts associated with that risk. By adopting this approach, the authors hope to provide a model that organizations can use to think beyond the ten risks listed here and work out the most important risks their own applications create for their business.

Following the final publication of the OWASP Top 10 - 2010, the collaborative work of the OWASP community will continue with updates to supporting documents, including the OWASP wiki, the OWASP Developer's Guide, the OWASP Testing Guide, the OWASP Code Review Guide, and the OWASP Prevention Cheat Sheet Series.

Download
  • A1 - Injection
  • A2 - Cross Site Scripting (XSS)
  • A3 - Broken Authentication and Session Management
  • A4 - Insecure Direct Object References
  • A5 - Cross Site Request Forgery (CSRF)
  • A6 - Security Misconfiguration (NEW)
  • A7 - Failure to Restrict URL Access
  • A8 - Unvalidated Redirects and Forwards (NEW)
  • A9 - Insecure Cryptographic Storage
  • A10 - Insufficient Transport Layer Protection

Two items appear in this list that were not in the Top 10 2007 list: Security Misconfiguration (A6) and Unvalidated Redirects and Forwards (A8). The two 2007 items that dropped out are Malicious File Execution and Information Leakage and Improper Error Handling.
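Of the two new entries, A8 is the one most often missed in code review because the vulnerable code looks harmless. The following is an added example, not code from the OWASP document or from this post: a redirect handler that echoes the `next` parameter straight into the Location header (the A8 pattern) beside a hardened version that resolves the parameter against the application's own origin and only follows it to an allowlisted host. The origin `https://app.example.com`, the `ALLOWED_HOSTS` set and the function names are assumptions chosen for illustration.

```python
"""Unvalidated redirect (OWASP Top 10 - 2010, A8) next to a hardened version.

Added example; not part of the OWASP Top 10 document or this blog post.
The application origin, the allowed host list and the function names are
assumptions chosen for illustration.
"""
from urllib.parse import urlparse, urljoin

# Assumed application origin and allowlist; a real app would load these
# from configuration rather than hard-code them.
APP_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "help.example.com"}


def vulnerable_redirect_target(next_param: str) -> str:
    """The A8 pattern: whatever arrives in ?next= becomes the Location header.

    A link such as https://app.example.com/login?next=https://evil.example
    is followed as-is, so the trusted site becomes a phishing launch pad.
    """
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return an absolute URL on an allowed host, or the default path.

    Handles the usual bypasses: absolute URLs to foreign hosts,
    protocol-relative "//evil.example", backslash tricks ("/\\evil.example",
    which browsers read as "//evil.example"), and non-http schemes such as
    javascript: or data:.
    """
    fallback = urljoin(APP_ORIGIN, default)
    if not next_param:
        return fallback

    # Browsers treat backslashes as slashes; normalise before parsing so the
    # parser sees the same URL the browser will.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)

    # Only http(s) may be followed; javascript:, data:, mailto: etc. are out.
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return fallback

    # Absolute and protocol-relative URLs both carry a netloc: check the host
    # against the allowlist, then force https regardless of what was asked.
    if parsed.netloc:
        host = (parsed.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return fallback
        return parsed._replace(scheme="https").geturl()

    # Relative path: resolve against our own origin so it cannot escape it,
    # then re-check the host as a belt-and-braces measure.
    resolved = urljoin(APP_ORIGIN, candidate)
    if urlparse(resolved).hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved
```

The allowlist check runs on the parsed hostname, not on a string prefix, which is why `https://app.example.com.evil.example/` is rejected; prefix checks such as `url.startswith("https://app.example.com")` are the classic way a "fix" for A8 ends up still exploitable.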
