OWASP - User contributions [en]

Top 10 2013-Release Notes

2013-07-05T09:34:42Z

Paul Swift: Removed typo.

{{Top_10_2013:TopTemplate
|usenext=2013NextLink
|next={{Top_10:LanguageFile|text=risk|year=2013|language=en}}
|useprev=2013PrevLink
|prev={{Top_10:LanguageFile|text=introduction|year=2013|language=en}}
|year=2013
|language=en
}}

{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title={{Top_10:LanguageFile|text=whatChangedFrom2010to2013|year=2013|language=en}}|width=100%|year=2013|language=en}}
The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:
<ol>
<li>Broken Authentication and Session Management moved up in prevalence based on our data set. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.</li>
<li>Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.</li>
<li>We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:

+     2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.</li>
<li>We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:

-     This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.</li>
<li>We added: 2013-A9: Using Components with Known Vulnerabilities:

+     This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own as the growth and depth of component based development has significantly increased the risk of using components with known vulnerabilities.</li>
</ol>
{{Top_10:SubsectionTableEndTemplate}}

<center>
{| style="width: 99%; align:center; text-align:center; border: 2px solid #4d953d; background-color:#F2F2F2; padding=2;"
|- style="background-color: #4d953d; color: #FFFFFF;"
! OWASP Top 10 - 2010 (Previous Version) !! OWASP Top 10 - 2013 (Current Version)
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A1 | A1-Injection]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A3 | A3-Broken Authentication and Session Management]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A2 | A2-Cross Site Scripting (XSS)]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A4 | A4-Insecure Direct Object Reference]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A6 | A6-Security Misconfiguration]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}]]
|- style="background-color: #D7D6C0;"
| [[Top_10_2010-A7 | A7-Insecure Cryptographic Storage - Merged with A9 -->]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}]]
|- style="background-color: #D7D6C0;"
| [[Top_10_2010-A8 | A8-Failure to Restrict URL Access - Broadened into -->]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2007-A5 | A5-Cross Site Request Forgery (CSRF)]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}]]
|- style="background-color: #D7D6C0;"
| [[Top_10_2010-A6 | <buried in A6: Security Misconfiguration>]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}]]
|- style="background-color: #FFFFFF;"
| [[Top_10_2010-A10 | A10-Unvalidated Redirects and Forwards]]
| [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}]]
|- style="background-color: #E6B9B8;"
| [[Top_10_2010-A9 | A9-Insufficient Transport Layer Protection]]
| Merged with [[Top_10_2010-A7 | 2010-A7]] into [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|2013-A6]]
|}
</center>
{{Top_10_2013:BottomTemplate
|usenext=2013NextLink
|useprev=2013PrevLink
|next={{Top_10:LanguageFile|text=risk|year=2013|language=en}}
|useprev=2013PrevLink
|prev={{Top_10:LanguageFile|text=introduction|year=2013|language=en}}
|year=2013
|language=en
}}

Help:Contents

2013-07-05T09:12:06Z

Paul Swift: De-duplicated some text; added missing indefinite article.

This page has some pointers to useful documentation for dealing with OWASP's Wiki.

There is an [https://www.owasp.org/index.php/Help:Editing Editing Help] page (linked to at the bottom of every edit page) that has some useful material. If you are making small changes or only textual (as compared to formatting) then the information on that page should be fine. If you are making larger changes, look for an article that looks like what you want and steal the formatting. Remember, you can edit nearly every page so if, for example, you want to copy some formatting off of the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project About OWASP] page (something you should probably never edit without great care and discussion), you can still click the edit link and copy the formatting. The Wiki does some page locking so it is generally better to hit the "Cancel" link after you have copied-and-pasted. If you forget, it is not a big deal as there is a timeout on the lock so it will fix itself eventually. For example, the previously mentioned [https://www.owasp.org/index.php/Help:Editing Editing Help] page has about as complex a table as you could want and you can copy the formatting for that table and use it.

Should you be looking for something that is more complicated or you want more extensive documentation to help you out, then the [http://www.wikipedia.org/en Wikipedia's] help pages are your best bet. Both the OWASP Wiki and the Wikipedia are powered by the same Wiki engine, [http://www.mediawiki.org/ MediaWiki].

The following are some jumping off points for the Wikipedia's help pages:
* [http://en.wikipedia.org/wiki/Help:Editing Wikipedia's "Editing Help"]: Similar to OWASP's "Editing Help" page.
* [http://en.wikipedia.org/wiki/Wikipedia:Cheatsheet The Wikipedia Cheatsheet]: A quick reference guide.
* [http://en.wikipedia.org/wiki/Help:A_quick_guide_to_templates A Quick Guide to Templates]: Templates are a macro feature that can be used for everything from reducing typing to giving multiple pages a common look-and-feel. They are not used very much in OWASP's Wiki although I do not know why. While the Wikipedia and OWASP's Wiki share the same Wiki engine, the Wikipedia has added a rather large collection of templates that are not found in OWASP so do not be surprised if some of the documentation about specific templates is incorrect.
* [http://en.wikipedia.org/wiki/Help:Magic_words Magic Words]: At least some of these magic words work (e.g.: the "<nowiki>__TOC__</nowiki>").

Please update this page if you have further updates.

Top 10 2013

2013-07-04T12:44:57Z

Paul Swift: Fixed minor typos.

{{Top_10_2013:TopTemplate
|usenext=2013NextLink
|next={{Top_10:LanguageFile|text=introduction|language=en|year=2013|language=en}}
|useprev=Nothing
|prev=
|year=2013
|language=en
}}

{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstLeft|title={{Top_10:LanguageFile|text=foreword}}|year=2013|language=en}}
Insecure software is undermining our financial, healthcare,
defense, energy, and other critical infrastructure. As our
digital infrastructure gets increasingly complex and
interconnected, the difficulty of achieving application
security increases exponentially. We can no longer afford to
tolerate relatively simple security problems like those
presented in this OWASP Top 10.

The goal of the Top 10 project is to raise awareness about
application security by identifying some of the most critical
risks facing organizations. The Top 10 project is referenced
by many standards, books, tools, and organizations, including
MITRE, PCI DSS, DISA, FTC, and [[Industry:Citations|many more]]. This release of
the OWASP Top 10 marks this project’s tenth anniversary of
raising awareness of the importance of application security
risks. The OWASP Top 10 was first released in 2003, with
minor updates in 2004 and 2007. The 2010 version was
revamped to prioritize by risk, not just prevalence. This 2013
edition follows the same approach.

We encourage you to use the Top 10 to get your organization
started with application security. Developers can learn from
the mistakes of other organizations. Executives should start
thinking about how to manage the risk that software
applications create in their enterprise.

In the long term, we encourage you to create an application
security program that is compatible with your culture and
technology. These programs come in all shapes and sizes,
and you should avoid attempting to do everything prescribed
by some process model. Instead, leverage your
organization’s existing strengths to do and measure what
works for you.

We hope that the OWASP Top 10 is useful to your application
security efforts. Please don’t hesitate to contact OWASP with
your questions, comments, and ideas, either publicly to
[mailto:owasp-topten@lists.owasp.org owasp-topten@lists.owasp.org] or privately to [mailto:dave.wichers@owasp.org dave.wichers@owasp.org].

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=right|title={{Top_10:LanguageFile|text=aboutOWASP}}|year=2013|language=en}}

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …

* Application security tools and standards
* Complete books on application security testing, secure code development, and secure code review
* Standard security controls and libraries
* [https://www.owasp.org/index.php/Category:OWASP_Chapter Local chapters worldwide]
* Cutting edge research
* [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference Extensive conferences worldwide]
* Mailing lists

Learn more at: [https://www.owasp.org/ https://www.owasp.org]

All of the OWASP tools, documents, forums, and chapters are
free and open to anyone interested in improving application
security. We advocate approaching application security as a
people, process, and technology problem, because the most
effective approaches to application security require
improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from
commercial pressures allows us to provide unbiased, practical,
cost-effective information about application security. OWASP
is not affiliated with any technology company, although we
support the informed use of commercial security technology.
Similar to many open source software projects, OWASP
produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures
the project’s long-term success. Almost everyone associated
with OWASP is a volunteer, including the OWASP Board,
Global Committees, Chapter Leaders, Project Leaders, and
project members. We support innovative security research
with grants and infrastructure.

Come join us!
</td></tr></table>
{{Top_10_2013:BottomTemplate
|usenext=2013NextLink
|next={{Top_10:LanguageFile|text=introduction|language=en|year=2013|language=en}}
|useprev=Nothing
|prev=
|year=2013
|language=en
}}
[[Category:OWASP Top Ten Project]]