https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Mohannad+ShahatOWASP - User contributions [en]2026-05-06T15:33:17ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=File:OWASP_Top_10_-_2013_Arabic.pdf&diff=165849File:OWASP Top 10 - 2013 Arabic.pdf2014-01-15T10:20:35Z<p>Mohannad Shahat: Blanked the page</p>
<hr />
<div></div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Saudi_Arabia&diff=165848Saudi Arabia2014-01-15T10:18:38Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Saudi Arabia|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] [mailto:mohannad.shahat@owasp.org Mohannad Shahat] <br />
<paypal>Saudi Arabia</paypal><br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-SA|emailarchives=http://lists.owasp.org/pipermail/owasp-SA}} <br />
<br />
<br> <br />
<br />
== Local News ==<br />
<br />
-----<br />
<br />
The Saudi Chapter is pleased to announce the release of OWASP Top 10 2013 in Arabic. Please share: <br />
https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf<br />
<br />
-----<br />
<br />
The Saudi Chapter is pleased to announce that we've successfully transalted The Zed Attack Proxy (ZAP) to Arabic - you can now download the ZAP 2.2.2 Language Pack 1 from the following link <br />
<br />
https://code.google.com/p/zaproxy/downloads/detail?name=ZAP_2.2.2_language_pack.1.zaplang<br />
<br />
-----<br />
<br />
-------<br />
December - 10th/2013 (Members gathering)<br />
<br />
The agenda for this gathering would be as follows:<br />
<br />
*OWASP introduction for new members <br />
*OWASP Saudi Arabia, event planning for 2014<br />
*OWASP Top 10 translation initiative and discuss the possibility of translating the new testing guide when released. <br />
<br />
Date: 10th of December Time: 18:00 - 19:00<br />
Venue: Costa Coffee, Olaya Street, Riyadh<br />
<br />
Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA<br />
<br />
-------<br />
'''February - 25th/2013 (Members gathering)'''<br />
<br />
''The agenda for this gathering would be as follows:''<br />
<br />
- Catch up with new members<br />
<br />
- OWASP Saudi Arabia and its involvement with other non-profit organizations<br />
<br />
- Planning for our next conference/technical session<br />
<br />
''Date: 25th of Feb<br />
Time: 18:00 - 19:00<br />
Venue: Costa Coffee, Olaya Street, Riyadh''<br />
<br />
Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA<br />
<br />
------<br />
<br />
'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM<br />
<br />
'''Agenda:'''<br />
<br />
1- Welcoming to OWASP Sharqiyah ''Jalsah''#1<br />
<br />
2- OWASP?<br />
<br />
3- Discussion: How to Start in Web Application Security?<br />
<br />
3- Closing<br />
<br />
Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ] <br />
<br />
'''Location:'''<br />
<br />
Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.<br />
<br />
= <u>'''Application Security and OWASP top 10 - Jeddah'''</u> =<br />
<br />
We'll have a technical session to talk about application security and OWASP top 10, as we'll demonstrate the top critical vulnerabilities against web applications. <br />
<br />
<u>'''The OWASP Top 10 Web Application Security Risks are:'''</u> <br />
<br />
A1: Injection <br />
<br />
----<br />
<br />
A2: Cross-Site Scripting (XSS) <br />
<br />
----<br />
<br />
A3: Broken Authentication and Session Management <br />
<br />
----<br />
<br />
A4: Insecure Direct Object References <br />
<br />
----<br />
<br />
A5: Cross-Site Request Forgery (CSRF) <br />
<br />
----<br />
<br />
A6: Security Misconfiguration <br />
<br />
----<br />
<br />
A7: Insecure Cryptographic Storage <br />
<br />
----<br />
<br />
A8: Failure to Restrict URL Access <br />
<br />
----<br />
<br />
A9: Insufficient Transport Layer Protection <br />
<br />
----<br />
<br />
A10: Unvalidated Redirects and Forwards <br />
<br />
<br> <br />
<br />
'''''Date: 21 Jun 2011''''' <br />
<br />
'''''Location: Rosewood Corniche - Jeddah''''' <br />
<br />
'''''Start: 19:00 End: 21:00''''' <br />
<br />
'''''Speaker: Amro AlOlaqi''''' <br />
<br />
<br> <br />
<br />
If you're interested to attend the session please confirm by sending your information to amro at owasp.org.<br> <br />
<br />
= <u>'''Jeddah meeting'''</u> =<br />
<br />
<u>'''The agenda of the inaugural meeting will be as follows:'''</u> <br />
<br />
1. Introduction to OWASP <br />
<br />
2. Discuss local OWASP awareness and image programs for Jeddah members. <br />
<br />
Date: Sunday, 3, 2010 <br />
<br />
Location: Costa Coffee, alHamrah, Jeddah. <br />
<br />
Sponsored by: SAIS technology <br />
<br />
Please do not hesitate to contact me at amro (at) owasp.org for any clarification or inquires <br />
<br />
= '''Information Security and beyond - Event''' =<br />
<br />
<u>'''Location'''</u> <br />
<br />
Venue: Makarim Hall - Marriott Hotel<br />
<br />
City&nbsp;: Riyadh - KSA<br />
<br />
Date: 25 May 2009<br />
<br />
Time: 08:30 - 15:00<br />
<br />
<br> '''''Seminar Agenda''''' <br />
<br />
08:00 – 08:30 Registration<br />
08:30 – 09:00 Key note ( SAMA Speaker )<br />
09:00 – 10:00 ISO 27001 ( BSI Speaker )<br />
10:00 – 10:20 Refreshment<br />
10:20 – 11:0 Application Security ( Verizon Business Speaker )<br />
11:00 – 12:00 Penetration Testing using OWASP methodology ( OWASP )<br />
12:00 – 12:30 Prayer time<br />
12:30 - 01:20 Enterprise Security ( F5 Speaker )<br />
01:20 – 01:40 Q &amp; A <br />
01:40 – 02:30 Lunch<br />
<br />
<br> '''''Event Speaker''''' <br />
<br />
<br> <br />
<br />
''''Mr. Saqer Al-Orabi Al-Harthi.''' Information System and Control Manager Saudi Arabian Monetary Agency (SAMA) <br />
<br />
Mr. Saqer Al-Orabi Al-Harthi is responsible for the Information System and Control at SAMA – Banking Technology Department. Mr. Al-Harthi has been the chairman of various committees at SAMA such as: SAMA and Banks Information Security Managers Committee, Information Security Awareness Committee and Security Training Committee. Mr. Al-Harthi has been instrumental in building Information Security for the Saudi financial industry by initiating and executing major projects such as SARIE Security, SPAN Security, PKI, and he has been the champion in PCI development within Saudi Arabia along with other security related projects. Furthermore, Mr. Al-Harthi has presented in many IT Security seminars and events. Mr. Al-Harthi holds a Masters degree in Computer and Information System from U.S.A. and he is a Certified Information Security Manager (CISM). <br />
<br />
''''Amro AlOlaqi''' Information Security Consultant&nbsp; <br />
<br />
Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA. <br />
<br />
<br> ''''Theuns Kotze''' Regional Director BSI – Middle East and Africa <br />
<br />
Mr. Kotze holds a B. Comm. Degree from the University of Pretoria. He is currently the Regional Director for BSI – Management Systems in Middle East and Africa. In BSI he was the Sales and Marketing Director for BSI- Management Systems in Europe based in London. He was an Executive Director of Nosa International responsible for Auditing and Certification Globally. During 2002 he developed an Aids management standard now known as AMS 16001. The AMS 16001 is now the South African Standard for Aids management and could become the ISO standard for aids management in future. He gained extensive knowledge and experience in Europe and Middle East in the last 2 years. He conducted more than 2000 assessments on various standards in the last 20 years. Theuns had a private pilot’s license for 20 years and has flown many types of airplanes. He is married to Maria and has a son John 8 and they now live in Dubai. <br />
<br />
'''Ali Akl''' Principal Consultant Verizon Business Security Solutions <br />
<br />
Ali has over 10 years experience in Information Security, Business Continuity and Disaster Recovery. He has a unique blend of technical expertise along with management consulting experience, which has made him a valuable consultant to many organizations in the public and private sectors. He has contributed to the OPM3 standard development project, he is also CISSP and CISM, and has earned the GIAC Fundamentals of Security Policy certificate and recently has earned the Member Status of the Business Continuity Institute as well Certified in Disaster Recovery and Planning and finally he has been invited into the Fellowship Program of the International Multilateral Partnership Against Cyber-Terrorism (‘IMPACT’). <br />
<br />
<br> ''''Zakeer Zubair''' Field Systems Engineer <br />
<br />
Zakeer Zubair is a senior technical team player in F5’s Middle East operation. Since obtaining his Bachelor degree in Mathematics, Zubair has spent the last 9 years working in networking and security for a variety of systems integrators including Schlumberger and Atos Origin. This role has involved integrating best of breed vendor networking and security devices and necessitated skills in routing, switching, security and application switching. Zubair has technical certifications from F5, Cisco, Juniper, Nortel Networks, Extreme Networks, Microsoft and CISSP. <br />
<br />
----<br />
<br />
= '''PCI compliance seminar''' =<br />
<br />
----<br />
<br />
'''Location'''<br />
<br />
Venue: Makarim Hall - Marriott Hotel<br />
<br />
City&nbsp;: Riyadh - KSA<br />
<br />
Date: 2nd March 2009<br />
<br />
Time: 08:30 - 15:00 <br />
<br />
'''Seminar Agenda''' <br />
<br />
08:30 – 09:00 Registration Team<br />
09:00 – 09:30 Introduction<br />
09:30 – 10:20 PCI (Applications Firewalls/SSL VPN) <br />
10:20 – 10:40 Refreshment <br />
10:40 – 11:20 OWASP and PCI compliance <br />
11:20 – 12:10 Application Delivery Controller<br />
12:10 – 12:40 Prayer<br />
12:40 – 01:00 Last Session + Questions +Closing Session<br />
01:00 – 02:00 Lunch<br />
<br />
'''''Speakers''''' <br />
<br />
'''Peter Draper''', Security Specialist: has been providing guidance, design and implementation of Info Sec solutions for some 17+ years. The last ten years have been focused on Application delivery and security with the most recent focus following the main hacking attempts into the Web Application Security space. Peter has been instrumental in delivering Web Application Security into a wide and varied range of customers including finance, government, ecommerce and travel industry companies. Within the Middle East region Peter had delivered solutions to Government, Finance and Corporate customers ensuring the best possible protection is in place to secure customer sensitive data. <br />
<br />
Peter’s presentation will focus on: <br />
<br />
1) What is the “PCI Journey”?<br />
2) What do I need to do and when?<br />
3) Is PCI the only reason to deploy security solutions?<br />
4) Where should I concentrate my $<br />
5) What happens once I have it?<br />
<br />
<br> '''Nigel Ashworth''', F5 MEA Technical Director: has been F5’s Technical Director for Middle East and Africa since September 2005. In that time he has driven the region’s increasing importance to F5’s global business, managing the pre sales engineering team, and investing technical resources in key verticals to drive double-digit sales growth. Nigel has been with F5 for nine years in a number of senior technical roles, including Technical Director responsible for driving EMEA Strategic Alliances with key partners including Microsoft, SAP and Oracle, and Technical Director responsible for pre-sales in Europe. Prior to joining F5, Nigel held technical leadership positions for companies including Reuters and UB Networks. He received his B.S in Electrical Engineering from Portsmouth University. <br />
<br />
<br> <br />
<br />
''''Amro AlOlaqi,&nbsp;'''&nbsp;Information Security Consultant <br>Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA.<br>'''<br>''' <br />
<br />
Amro’s presentation will focus on: <br />
<br />
1) Web application attacks and security trends.<br />
2) OWASP "thinking out of the box".<br />
2) OWASP and application security.<br />
4) The relation between OWASP and PCI.<br />
<br />
[[Category:OWASP_Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Sharqiyah&diff=163038Sharqiyah2013-11-12T09:26:40Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Sharqiyah المنطقة الشرقية, Saudi Arabia|extra=The chapter leader is [mailto:mohannad.shahat@owasp.org Mohannad Shahat].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sharqiyah|emailarchives=http://lists.owasp.org/pipermail/owasp-sharqiyah}}<br />
<br />
== Local News ==<br />
---------------------------------------------------------------------------------<br />
This Chapter is now merged with OWASP Saudi Local Chatpter, please join us there<br />
https://www.owasp.org/index.php/Saudi_Arabia<br />
---------------------------------------------------------------------------------<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
Our ''Jalsat'' are informal ones, meaning that you will have to pay for your food and drink. <br />
<br />
== ''Jalsah'' Dates & Locations ==<br />
<br />
'''Jalsah#1'''<br />
<br />
'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM<br />
<br />
'''Agenda:'''<br />
<br />
1- Welcoming to OWASP Sharqiyah ''Jalsah''#1<br />
<br />
2- OWASP?<br />
<br />
3- Discussion: How to Start in Web Application Security?<br />
<br />
3- Closing<br />
<br />
Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ] <br />
<br />
'''Location:'''<br />
<br />
Our first ''Jalsah'' will be @ Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.<br />
<googlemap version="0.9" lat="26.30527" lon="50.198545" zoom="18"><br />
26.304529, 50.199103<br />
</googlemap><br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=163037Category:OWASP Top Ten Project2013-11-12T09:20:44Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
*[https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=163036Category:OWASP Top Ten Project2013-11-12T09:18:38Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=163018Category:OWASP Top Ten Project2013-11-11T17:21:45Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 203 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=File:OWASP_TOP_10_2013_Arabic.pdf&diff=163017File:OWASP TOP 10 2013 Arabic.pdf2013-11-11T17:19:12Z<p>Mohannad Shahat: OWASP Top 10 2013 Arabic version</p>
<hr />
<div>OWASP Top 10 2013 Arabic version</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162719Category:OWASP Top Ten Project2013-11-06T17:13:57Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Arabic: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162706Category:OWASP Top Ten Project2013-11-06T16:28:03Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/images/f/ff/OWASP_Top_10_-_2013_Arabic.pdf OWASP Top 10 203 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162705Category:OWASP Top Ten Project2013-11-06T16:27:16Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/index.php/OWASP_Top_10_-_2013_Arabic.pdf OWASP Top 10 203 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162703Category:OWASP Top Ten Project2013-11-06T16:25:46Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Arabic.pdf OWASP Top 10 203 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162700Category:OWASP Top Ten Project2013-11-06T16:22:15Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [[Image:OWASP_Top_10_-_2013_Arabic.pdf|OWASP Top 10 203]] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=File:OWASP_Top_10_-_2013_Arabic.pdf&diff=162698File:OWASP Top 10 - 2013 Arabic.pdf2013-11-06T16:16:32Z<p>Mohannad Shahat: OWASP Top 10 2013 translation to Arabic (final)</p>
<hr />
<div>OWASP Top 10 2013 translation to Arabic (final)</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=162625Category:OWASP Top Ten Project2013-11-06T12:07:13Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Arabic: Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
* Spanish: gerardo.canedo@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=156362Category:OWASP Top Ten Project2013-08-02T14:44:19Z<p>Mohannad Shahat: </p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Arabic: Mohannad.Shahat@owasp.org<br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Sharqiyah&diff=130319Sharqiyah2012-05-22T20:38:41Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Sharqiyah المنطقة الشرقية, Saudi Arabia|extra=The chapter leader is [mailto:mohannad.shahat@owasp.org Mohannad Shahat].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sharqiyah|emailarchives=http://lists.owasp.org/pipermail/owasp-sharqiyah}}<br />
<br />
== Local News ==<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
Our ''Jalsat'' are informal ones, meaning that you will have to pay for your food and drink. <br />
<br />
== ''Jalsah'' Dates & Locations ==<br />
<br />
'''Jalsah#1'''<br />
<br />
'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM<br />
<br />
'''Agenda:'''<br />
<br />
1- Welcoming to OWASP Sharqiyah ''Jalsah''#1<br />
<br />
2- OWASP?<br />
<br />
3- Discussion: How to Start in Web Application Security?<br />
<br />
3- Closing<br />
<br />
Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ] <br />
<br />
'''Location:'''<br />
<br />
Our first ''Jalsah'' will be @ Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.<br />
<googlemap version="0.9" lat="26.30527" lon="50.198545" zoom="18"><br />
26.304529, 50.199103<br />
</googlemap><br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Sharqiyah&diff=129910Sharqiyah2012-05-15T15:35:03Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Sharqiyah المنطقة الشرقية, Saudi Arabia|extra=The chapter leader is [mailto:mohannad.shahat@owasp.org Mohannad Shahat].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sharqiyah|emailarchives=http://lists.owasp.org/pipermail/owasp-sharqiyah}}<br />
<br />
== Local News ==<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
Our ''Jalsat'' are informal ones, meaning that you will have to pay for your food and drink. <br />
<br />
== ''Jalsah'' Dates & Locations ==<br />
<br />
'''Jalsah#1'''<br />
<br />
'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM<br />
<br />
'''Agenda:'''<br />
<br />
1- Welcoming to OWASP Sharqiyah ''Jalsah''#1<br />
<br />
2- OWASP?<br />
<br />
3- Discussion: How to Start in Web Application Security?<br />
<br />
3- Closing<br />
<br />
'''Location:'''<br />
<br />
Our first ''Jalsah'' will be @ Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.<br />
<googlemap version="0.9" lat="26.30527" lon="50.198545" zoom="18"><br />
26.304529, 50.199103<br />
</googlemap><br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Sharqiyah&diff=128703Sharqiyah2012-04-27T07:57:38Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Sharqiyah المنطقة الشرقية, Saudi Arabia|extra=The chapter leader is [mailto:mohannad.shahat@owasp.org Mohannad Shahat].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sharqiyah|emailarchives=http://lists.owasp.org/pipermail/owasp-sharqiyah}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
The first meeting in the Second Quarter will be in '''May 2012'''. Date and location will be available later.<br />
الإجتماع الأول في الربع الثاني من عام ٢٠١٢ سيكون بإذن الله في شهر '''مايو'''. سيتم الإعلان عن التاريخ بالضبط والمكان لاحقاً.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahathttps://wiki.owasp.org/index.php?title=Sharqiyah&diff=128702Sharqiyah2012-04-27T07:54:30Z<p>Mohannad Shahat: </p>
<hr />
<div>{{Chapter Template|chaptername=Sharqiyah, Saudi Arabia|extra=The chapter leader is [mailto:mohannad.shahat@owasp.org Mohannad Shahat].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sharqiyah|emailarchives=http://lists.owasp.org/pipermail/owasp-sharqiyah}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
<br />
Everyone is welcome to join us at our chapter meetings. We will announce when will the meetings be. <br />
<br />
The first meeting in the Second Quarter will be in '''May 2012'''. Date and location will be available later.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Saudi Arabia]]</div>Mohannad Shahat