Forgot your password?
typodupeerror
Security

OWASP Top 10 2013 Released 17

Posted by timothy
from the how-come-letterman-never-reads-these-on-air? dept.
hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's top 10 most critical web application security risks, has been updated and a new list for 2013 published. Last updated back in 2010, the organization has published the new list wherein the importance of cross-site scripting (XSS) and cross-site request forgery (CRSF) has been diluted a little, while risks related to broken session management and authentication have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."
This discussion has been archived. No new comments can be posted.

OWASP Top 10 2013 Released

Comments Filter:
  • Irony (Score:5, Funny)

    by ThatsNotPudding (1045640) on Thursday June 13, 2013 @01:50PM (#43998207)
    The offered list of vulnerabilities is in a pdf.
  • Non-PDF link (Score:4, Informative)

    by Anonymous Coward on Thursday June 13, 2013 @02:03PM (#43998369)
  • The really sad part about the OWASP Top 10 lists is that they don't change very much. In a perfect world, none of the 2010 top 10 would be on this list, because they would be solved, but the fact of the matter is that most organizations don't care.

  • by WaffleMonster (969671) on Thursday June 13, 2013 @04:11PM (#44000155)

    1. I don't understand why XSS and Injection are listed as separate items. XSS attacks are by definition injection attacks. I think separating this out de-emphasizes an important conceptual understanding applicable to a lot more domains than databases and html. To their credit they say as much.

    Referer checking should not have been kept out of the mitigation section for CSRF.

    "Using components with known vulnerabilities" (A9) appears to be a subset of "Security misconfiguration" (A5)

    The Detectibility scale is screwed up in my opinion. Every single item is either average or easy except Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check current versions of libraries your system is using? What makes A5 easy and A9 hard?

    "Sensitive data exposure" (A6) I don't think belongs in the list. It is a political item... yea encrypting sounds good but at some point you need to store a decryption key to decrypt what is encrypted - management of keys and physical systems security and infrastructure is important but I'm not sure it fits within the context of the other items which are about preventing specific attacks not about how to make being owned less bad.

    What I think is missing is focus on huge problem of tricking users via phishing / "homographic" attacks. First and foremost the whole concept of typing a password into a web form to login is fundementally fucked up. Its right up there with fake padlock icons displayed on web sites and "two-factor" banking site picturegram logins. The industry needs to fix this shit because they are making things worse by manipulating their users into thinking they are safe with totally irrelevant security assertions which phishers are more than happy to leverage to maximum effect.

    Users should be trained to ONLY type passwords into special dialouges within their browsers. We deseperatly need a web authentication scheme with channel bindings that don't suck ass (e.g. sent in clear or offline brute force attacks). The closest thing to deployed that fits the bill I know of is TLS-SRP.

    • by styrotech (136124)

      The Detectibility scale is screwed up in my opinion. Every single item is either average or easy except Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check current versions of libraries your system is using?

      I think they are referring to how easy it is for someone else to figure that out.

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...