This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10-2017 Foreword"

From OWASP
Jump to: navigation, search
m (T.Gigler moved page Top 10 2017 to Top 10-2017: Prepare OWASP Top 10-2017 Release)
m (Editorial changes, added a Link to SAMM)
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
  |usenext=2013NextLink
+
    |useprev=2017PrevLink
  |next={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
+
    |prev={{Top_10:LanguageFile|text=tableOfContents|year=2017|language=en}}
  |useprev=2013PrevLink
+
    |usenext=2017NextLink
  |prev={{Top_10:LanguageFile|text=tableOfContents|year=2017language=en}}
+
    |next={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
  |year=2017
+
    |year=2017
  |language=en
+
    |language=en
 
}}
 
}}
 +
<!--- Foreword --->
 +
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title=Foreword|year=2017|language=en}}
 +
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.
  
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title=Request for Comments|width=100%|year=2017|language=en}}
+
A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, more than for any other equivalent OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for OWASP to get the Top 10 right for the majority of use cases.
  
OWASP plans to release the final public release of the OWASP Top 10 - 2017 in July or August 2017 after a
+
Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers, it has become <i>the</i> de facto application security standard. 
public comment period ending June 30, 2017.
 
  
This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the
+
In this release, issues and recommendations are written concisely and in a testable way to assist with the adoption of the OWASP Top 10 in application security programs. We encourage large and high performing organizations to use the <u>[[ASVS|OWASP Application Security Verification Standard (ASVS)]]</u> if a true standard is required, but for most, the OWASP Top 10 is a great start on the application security journey.
importance of application security risks. This release follows the 2013 update, whose main change was
 
the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013
 
Top 10 release, a whole ecosystem of both free and commercial tools have emerged to help combat this
 
problem as the use of open source components has continued to rapidly expand across practically every
 
programming language. The data also suggests the use of known vulnerable components is still prevalent,
 
but not as widespread as before. We believe the awareness of this issue the Top 10 - 2013 generated has
 
contributed to both of these changes.
 
  
We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread
+
We have written up a range of suggested next steps for different users of the OWASP Top 10, including <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_{{Top_10:LanguageFile|text=whatsNextforDevelopers|language=en}}|{{Top_10:LanguageFile|text=whatsNextforDevelopers|language=en}}]]</u></b>, <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_{{Top_10:LanguageFile|text=whatsNextforSecurityTesters|language=en}}|{{Top_10:LanguageFile|text=whatsNextforSecurityTesters|language=en}}]]</u></b>, <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_{{Top_10:LanguageFile|text=whatsNextforOrganizations|language=en}}|{{Top_10:LanguageFile|text=whatsNextforOrganizations|language=en}}]]</u></b>, which is suitable for CIOs and CISOs, and <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_{{Top_10:LanguageFile|text=whatsNextforApplicationManagers|language=en}}|{{Top_10:LanguageFile|text=whatsNextforApplicationManagers|language=en}}]]</u></b>, which is suitable for application managers or anyone responsible for the lifecycle of the application.
vulnerability to an uncommon one. Many frameworks include automatic CSRF defenses which has
 
significantly contributed to its decline in prevalence, along with much higher awareness with developers
 
that they must protect against such attacks.
 
  
Constructive comments on this OWASP Top 10 - 2017 Release Candidate should be forwarded via email to
+
In the long term, we encourage all software development teams and organizations to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes. Leverage your organization's existing strengths to measure and improve your application security program using the <u>[[OWASP_SAMM_Project|Software Assurance Maturity Model]]</u>.
<u>[mailto:OWASP-TopTen@lists.owasp.org [email protected]]</u>. Private comments may be sent to <u>[mailto:[email protected] [email protected]]</u>.
 
Anonymous comments are welcome. All non-private comments will be catalogued and published at the
 
same time as the final public release. Comments recommending changes to the items listed in the Top 10
 
should include a complete suggested list of 10 items, along with a rationale for any changes. All comments
 
should indicate the specific relevant page and section.
 
  
Following the final publication of the OWASP Top 10 - 2017, the collaborative work of the OWASP
+
We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with your questions, comments, and ideas at our GitHub project repository:
community will continue with updates to supporting documents including the OWASP wiki, OWASP
+
* <u>[https://github.com/OWASP/Top10/issues https://github.com/OWASP/Top10/issues]</u>
Developer’s Guide, OWASP Testing Guide, OWASP Code Review Guide, and the OWASP Prevention Cheat
+
You can find the OWASP Top 10 project and translations here:
Sheets, along with translations of the Top 10 to many different languages.
+
* <u>[[top10|https://www.owasp.org/index.php/top10]]</u>
 +
Lastly, we wish to thank the founding leadership of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their efforts, and believing in us to get this finished with the community's help. Thank you!
 +
* Andrew van der Stock
 +
* Brian Glas
 +
* Neil Smithline
 +
* Torsten Gigler
  
Your feedback is critical to the continued success of the OWASP Top 10 and all other OWASP Projects.
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=whole|title=Project Sponsorship|year=2017|language=en}}
Thank you all for your dedication to improving the security of the world’s software for everyone.
+
Thanks to <u>[https://www.autodesk.com Autodesk]</u> for sponsoring the OWASP Top 10 - 2017.
  
<div style="text-align: right; direction: ltr; margin-left: 1em;">Jeff Williams, OWASP Top 10 Project Creator and Coauthor</div>
+
Organizations and individuals that have provided vulnerability prevalence data or other assistance are listed on the <b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_{{Top_10:LanguageFile|text=acknowledgements|language=en}}|{{Top_10:LanguageFile|text=acknowledgements|language=en}}]]</u></b> page.
<div style="text-align: right; direction: ltr; margin-left: 1em;">Dave Wichers, OWASP Top 10 Coauthor and Project Lead</div>
 
  
{{Top_10:SubsectionTableEndTemplate}}
+
{{Top_10_2013:BottomAdvancedTemplate
 
+
    |type=box
 
+
    |useprev=2017PrevLink
{{Top_10:SubsectionTableBeginTemplate|type=main}}{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstLeft|title={{Top_10:LanguageFile|text=foreword}}|year=2017|language=en}}Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly critical, complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes risks even more critical to discover quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10. 
+
    |prev={{Top_10:LanguageFile|text=tableOfContents|year=2017|language=en}}
 
+
    |usenext=2017NextLink
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and <u>[[Industry:Citations|many more]]</u>. The OWASP Top 10 was first released in 2003, with minor updates in 2004 and 2007. The 2010 version was revamped to prioritize by risk, not just prevalence, and this pattern was continued in 2013 and this latest 2017 release. 
+
    |next={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
 
+
    |year=2017
We encourage you to use the Top 10 to get your organization <u>started</u> with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications and APIs create in their enterprise. 
+
    |language=en
 
 
In the long term, we encourage you to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes, and you should avoid attempting to do everything prescribed in some process model. Instead, leverage your organization’s existing strengths to do and measure what works for you. 
 
 
 
We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to <u>[mailto:[email protected]  [email protected]]</u> or privately to <u>[mailto:[email protected] [email protected]]</u>. {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=right|title={{Top_10:LanguageFile|text=aboutOWASP}}|year=2017|language=en}}
 
 
 
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  At OWASP you’ll find free and open …
 
 
 
* Application security tools and standards
 
* Complete books on application security testing, secure code development, and secure code review
 
* Standard security controls and libraries
 
* <u>[[:Category:OWASP_Chapter| Local chapters worldwide]]</u>
 
* Cutting edge research
 
* <u>[[:Category:OWASP_AppSec_Conference| Extensive conferences worldwide]]</u>
 
* <u>[https://lists.owasp.org/mailman/listinfo Mailing lists]</u>
 
* The latest copy and translations of this OWASP Top 10<br>([<u>[[:Category:OWASP_Top_Ten_Project|https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]]</u>)
 
 
 
Learn more at: <u>[https://www.owasp.org/  https://www.owasp.org]</u>
 
 
 
 
 
All of the OWASP tools, documents, forums, and chapters are
 
free and open to anyone interested in improving application
 
security. We advocate approaching application security as a
 
people, process, and technology problem, because the most
 
effective approaches to application security require
 
improvements in all of these areas.
 
 
 
OWASP is a new kind of organization. Our freedom from
 
commercial pressures allows us to provide unbiased, practical,
 
cost-effective information about application security. OWASP
 
is not affiliated with any technology company, although we
 
support the informed use of commercial security technology.
 
Similar to many open source software projects, OWASP
 
produces many types of materials in a collaborative, open way.
 
 
 
The OWASP Foundation is the non-profit entity that ensures
 
the project’s long-term success. Almost everyone associated
 
with OWASP is a volunteer, including the OWASP Board,
 
Global Committees, Chapter Leaders, Project Leaders, and
 
project members. We support innovative security research
 
with grants and infrastructure.
 
 
 
 
 
Come join us!
 
</td></tr></table>
 
{{Top_10_2013:BottomTemplate
 
  |usenext=2013NextLink
 
  |next={{Top_10:LanguageFile|text=introduction|year=2017|language=en}}
 
  |useprev=2013PrevLink
 
  |prev={{Top_10:LanguageFile|text=tableOfContents|year=2017language=en}}
 
  |year=2017
 
  |language=en
 
 
}}
 
}}
  
 
<!-- [[Category:OWASP Top Ten Project]] -->
 
<!-- [[Category:OWASP Top Ten Project]] -->

Latest revision as of 22:40, 19 December 2017

← Table of Contents
2017 Table of Contents

PDF version

Introduction →
Foreword

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, more than for any other equivalent OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for OWASP to get the Top 10 right for the majority of use cases.

Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers, it has become the de facto application security standard. 

In this release, issues and recommendations are written concisely and in a testable way to assist with the adoption of the OWASP Top 10 in application security programs. We encourage large and high performing organizations to use the OWASP Application Security Verification Standard (ASVS) if a true standard is required, but for most, the OWASP Top 10 is a great start on the application security journey.

We have written up a range of suggested next steps for different users of the OWASP Top 10, including What's Next for Developers, What's Next for Security Testers, What's Next for Organizations, which is suitable for CIOs and CISOs, and What's Next for Application Managers, which is suitable for application managers or anyone responsible for the lifecycle of the application.

In the long term, we encourage all software development teams and organizations to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes. Leverage your organization's existing strengths to measure and improve your application security program using the Software Assurance Maturity Model.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with your questions, comments, and ideas at our GitHub project repository:

You can find the OWASP Top 10 project and translations here:

Lastly, we wish to thank the founding leadership of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their efforts, and believing in us to get this finished with the community's help. Thank you!

  • Andrew van der Stock
  • Brian Glas
  • Neil Smithline
  • Torsten Gigler
Project Sponsorship

Thanks to Autodesk for sponsoring the OWASP Top 10 - 2017.

Organizations and individuals that have provided vulnerability prevalence data or other assistance are listed on the Acknowledgements page.

← Table of Contents
2017 Table of Contents

PDF version

Introduction →

© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png