Freely subscribe to our NEWSLETTER

Today, OWASP has released an updated report capturing the top ten risks associated with the use of web applications in an enterprise. This colorful 22 page report is packed with examples and details that explain these risks to software developers, managers, and anyone interested in the future of web security. Everything at OWASP is free and open to everyone, and you can download the latest OWASP Top 10 report for free at:
http://www.owasp.org/index.php/Top_10

Dave Wichers, OWASP Board member and COO of Aspect Security, has managed the project since its inception. “This year we have revamped the Top 10 to make it clear that we are talking about risks, not just vulnerabilities. Attempts to prioritize vulnerabilities without context just don’t make sense. You can’t make proper business decisions without understanding the threat and impact to your business.” This new focus on risks is intended to lead organizations to more mature understanding and management of application security across their organization.

The time has come to get application security awareness out of the security community and directly to the people who need to know it most. This year, our audacious goal is to get the OWASP Top 10 into the hands of every web developer in the world – but we need your help. We ask anyone reading this; would you be willing to do one simple thing to help protect the future of the Internet? If you know people who write code for the web, could you forward them the OWASP Top 10 and ask them kindly…

For too long, many organizations have relied exclusively on an occasional scan or penetration test to gain assurance for their internal and external web applications. This approach is expensive and doesn’t provide much in the way of coverage. Like other types of security, application security requires a risk management program that provides visibility across the entire portfolio and strategic controls to improve security. If your organization is ready to tackle application security, there are dozens of free books, tools, projects, forums, mailing lists, and more at OWASP. You can also join one of over 180 local chapters worldwide or attend our high quality and inexpensive AppSec conferences.

The OWASP Top 10 for 2010 are:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

The 2010 update is based on more sources of web application vulnerability information than the previous versions were when determining the new Top 10. It also presents this information in a more concise, compelling, and consumable manner, and includes strong references to the many new openly available resources that can help address each issue, particularly OWASP’s new Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS) projects.