miércoles, 12 de junio de 2013

The final version of the OWASP Top 10 for 2013 is available

Como complemnto al post "OWASP Top 10 2013" les informamos que se publico la version final del TOP 10 2013:

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 Top 10 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages.

The OWASP Top 10 - 2013 is as follows:
  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Known Vulnerable Components
  • A10 Unvalidated Redirects and Forwards
  •  
    We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.


    The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:
  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly 2010-A3)
  • A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly 2010-A6)
  • A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
  • A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
  • A9 Using Known Vulnerable Components (new but was part of 2010-A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards


  • The final version of the OWASP Top 10 for 2013 is available here: OWASP Top 10 - 2013


    Link relacionados:
    - The Release Candidate for the OWASP Top 10 for 2013 is available here: OWASP Top 10 - 2013 Release Candidate
    - owasptop10