Top 10 2013-RN - Revision history

Neil Smithline: Redirected page to Top 10 2013-Release Notes

2013-02-22T04:21:57Z

Redirected page to Top 10 2013-Release Notes

Neil Smithline at 04:14, 22 February 2013

2013-02-22T04:14:44Z

Neil Smithline at 02:24, 22 February 2013

2013-02-22T02:24:13Z

Neil Smithline: Created page with "9t"

2013-02-22T01:12:08Z

Created page with "9t"

New page

← Older revision		Revision as of 04:21, 22 February 2013
Line 1:		Line 1:
−	~~{{Top_10_2013:TopTemplate~~	+	#REDIRECT [[Top 10 2013-Release Notes]]
−	~~\|usenext=2013NextLink~~
−	~~\|next=Risk~~
−	~~\|useprev=2013PrevLink~~
−	~~\|prev=Introduction~~
−	}}
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=What Changed From 2010 to 2013?\|number=whole\|width=100%\|year=2013}}~~
−	The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10~~. In this 2013 release, we made the following changes:~~
−	~~<ol>~~
−	<li>Broken Authentication and Session Management moved up in prevalence based on our data set,. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.</li>
−	~~<li>Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to~~ 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.</li>
−	~~<li>We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:~~
−	~~<p style="padding-left: 2em; text-indent: -2em;">~~
−	+     2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.</p></li>
−	~~<li>We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:~~
−	~~<p style="padding-left: 2em; text-indent: -2em;">~~
−	-     This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.</p></li>
−	~~<li>We added: 2013-A9: Using Known Vulnerable Components:~~
−	~~<p style="padding-left: 2em; text-indent: -2em;">~~
−	+     This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now deserves a category in its own right as the growth and depth of component based development has significantly increased the risk of using known vulnerable components.</p></li>
−	~~</ol>~~
−	~~</td></tr/></table>~~
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=What's My Risk?\|number=left\|width=70%\|year=2013}}~~
−	The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose the name that is best known and will achieve the highest level of awareness.
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=References\|number=right\|year=2013}}~~
−
−	~~OWASP~~
−	~~OWASP Risk Rating Methodology~~
−	~~Article on Threat/Risk Modeling~~
−
−
−	~~External~~
−	~~FAIR Information Risk Framework~~
−	~~Microsoft Threat Modeling (STRIDE and DREAD)~~
−
−
−	~~{{Top_10_2013:BottomAdvancedTemplate~~
−	~~\|type=box~~
−	~~\|usenext=2013NextLink~~
−	~~\|next=Risk~~
−	~~10\|useprev=2013PrevLink~~
−	~~\|prev=Introduction~~
−	}}

@@ Line 12: / Line 12: @@
 <li>Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.</li>
 <li>We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:
--A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.</li>
+<p style="padding-left: 2em; text-indent: -2em;">
 <li>We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:
-This new category was created by merging 2010-A7 – Insecure Cryptographic Storage  & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.</li>
+<p style="padding-left: 2em; text-indent: -2em;">
 <li>We added: 2013-A9: Using Known Vulnerable Components:
-This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now deserves a category in its own right as the growth and depth of component based development has significantly increased the risk of using known vulnerable components.</li>
+<p style="padding-left: 2em; text-indent: -2em;">
 </ol>
 </td></tr/></table>

← Older revision		Revision as of 02:24, 22 February 2013
Line 1:		Line 1:
−	9t	+	{{Top_10_2013:TopTemplate
		+	\|usenext=2013NextLink
		+	\|next=Risk
		+	\|useprev=2013PrevLink
		+	\|prev=Introduction
		+	}}
		+
		+	{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=What Changed From 2010 to 2013?\|number=whole\|width=100%\|year=2013}}
		+	The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:
		+	<ol>
		+	<li>Broken Authentication and Session Management moved up in prevalence based on our data set,. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.</li>
		+	<li>Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.</li>
		+	<li>We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:
		+	2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.</li>
		+	<li>We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:
		+	This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.</li>
		+	<li>We added: 2013-A9: Using Known Vulnerable Components:
		+	This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now deserves a category in its own right as the growth and depth of component based development has significantly increased the risk of using known vulnerable components.</li>
		+	</ol>
		+	</td></tr/></table>
		+
		+	{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=What's My Risk?\|number=left\|width=70%\|year=2013}}
		+	The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose the name that is best known and will achieve the highest level of awareness.
		+	{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|title=References\|number=right\|year=2013}}
		+
		+	OWASP
		+	OWASP Risk Rating Methodology
		+	Article on Threat/Risk Modeling
		+
		+
		+	External
		+	FAIR Information Risk Framework
		+	Microsoft Threat Modeling (STRIDE and DREAD)
		+
		+
		+	{{Top_10_2013:BottomAdvancedTemplate
		+	\|type=box
		+	\|usenext=2013NextLink
		+	\|next=Risk
		+	10\|useprev=2013PrevLink
		+	\|prev=Introduction
		+	}}