martes, 20 de abril de 2010

Nuevo OWASP Top 10 año 2010 (Version Final)


On April 19, 2010 we released the final version of the OWASP Top 10 for 2010, and here is the associated press release. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

OWASP_Top_10_-_2010.pdf (Google Code)
OWASP_Top_10_-_2010.pdf(Google Docs)


The OWASP Top 10 Web Application Security Risks for 2010 are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the world!!!
As you help us spread the word, please emphasize:
- OWASP is reaching out to developers, not just the application security community
- The Top 10 is about managing risk, not just avoiding vulnerabilities
- To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.


Segun la web del proyecto, la traduccion al español del OWASP Top 10 2010 ya esta en proceso.


Comparacion con version anterior del Top Ten:

No hay comentarios: