Commentary OWASP Top Ten 2004 Project

J. Howard Beales, III

• Director of the Federal Trade Commission's Bureau of Consumer Protection
• Before the Information Technology Association of America's Internet Policy Committee, Friday, December 12, 2003

"With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. But there is help in the form of consensus lists of vulnerabilities and defenses. The Open Web Application Security Project has produced a similar list of the 10 most critical Web application and databases security vulnerabilities and the most effective ways to address them. Application vulnerabilities are often neglected, but they are as important to deal with as network issues. If every company eliminated these common vulnerabilities, their work wouldn't be done, but they, and the Internet, would be significantly safer."

Eugene H. Spafford

• Professor of Computer Sciences, Purdue University
• Executive Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS)

"Misconfiguration, inattention, and flawed software can spell disaster on the Internet. One of the primary areas of vulnerability is through WWW connections. By design, WWW services are intended to be open and accepting, and usually act as an interface to valuable resources. As such, it is critical that these services be secured. But with hundreds of potential vulnerabilities it can be overly daunting to decide where to start applying defensive measures. The OWASP Top 10 provides a consensus view of the most significant and likely vulnerabilities in custom WWW applications. Organizations should use it to focus their efforts, giving them confidence they are addressing those areas that will have the most impact on securing their applications."

Dr. Peter G. Neumann

• Principal Scientist, SRI International Computer Science Lab
• Moderator of the ACM Risks Forum, Author of "Computer-Related Risks"

"This ‘Ten-Most-Wanting’ List acutely scratches at the tip of an enormous iceberg. The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."

Steven M. Christey

• Principal Information Security Engineer and CVE Editor, Mitre

"This list is an important development for consumers and vendors alike. It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations"

Jeffrey R. Williams

• Aspect Security CEO
• OWASP Top Ten Project Leader

"The OWASP Top Ten shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations. The root cause of these risks is not flawed software, but software development processes that pay little or no attention to security. The most effective first step towards creating a security-aware culture in your organization is immediately adopting the Top Ten as a minimum standard for web application security."

Mark Curphey

• Founder of OWASP
• Director of Application Security Consulting, Foundstone Strategic Security.

"There is no silver bullet for web security despite what some technology companies would have you believe. Solving this complex and challenging problem is about having great people, great knowledge, great education, great business process and using great technology. The OWASP Top Ten creates a palatable well ordered and well thought out list from where you can start to understand your security posture (or that of your service providers) and plan the use of your valuable resources accordingly."

Dr. Charles P. Pfleeger

• CISSP
• Master Security Architect, Cable & Wireless
• Author of "Security in Computing"

"From web pages to back office number crunching, almost all organizations acquire applications code, many people write it, and everybody uses it. But flaws continue to be found in applications, even after nearly fifty years of programming experience. Worse, the same kinds of flaws appear over and over again. This failure to learn from not only our mistakes but also those of our parents’ generation creates far too many vulnerabilities for potential attack. It is no wonder that attacks against applications are on the rise. In compiling this list of the ten most critical applications code flaws, the OWASP has performed a real service to developers and users alike by focusing attention on common weaknesses and what can be done about them. Now it is up to software development organizations, programmers, and users to apply the thoughtful guidance presented here."

Robert A. Parisi, Jr.

• Senior VP and Chief Underwriting Officer, AIG eBusiness Risk Solutions

"The new ROI is security. Companies must be able to provide trusted web applications and web services to their trading partners; who are requiring both secure technology and traditional indicia of financial security, such as insurance. It doesn't stop there though; bad security places a companies' data and applications at risk and hence its viability as a commercial entity. Disappointing your customers is one thing, trying to come back from the loss or corruption of your own systems is quite another."

Chris Wysopal

• Director of Research & Development, @stake, Inc.

"Web developers need to know that the degree to which business applications and customer data are protected from the hostile Internet is directly determined by how securely they've written their code. The OWASP Top Ten list is a great way to understand how to code defensively and avoid the security pitfalls that plague Web applications."

Lisa Gallagher

• Senior VP, Information and Technology Accreditation, URAC

"The healthcare industry has a critical need to provide secure web applications that protect users' privacy. The OWASP Top Ten will help healthcare organizations evaluate the security of web application products and solutions. Any healthcare organizations using applications that contain these flaws may have difficulty complying with the HIPAA regulations."

Stuart McClure

• President and CTO of Foundstone Inc.

"As more and more companies turn to offshore outsourcing for Web application development, secure coding enforcement must jump to the top of the executive priority list. The OWASP Top Ten Project accurately articulates the top application vulnerabilities, providing C-level executives a goldmine of information useful in setting security policy guidelines for Web applications."

John Heimann

• Director of Security at Oracle Corp.

"Application security considerations are often treated as the domain of specialists, to be applied after coding is done and all other business requirements are satisfied. At Oracle we have found that the task of securing applications is most likely to succeed if security is built in from the start. Developers must have a basic understanding of security vulnerabilities and how to avoid them, and release managers must explicitly check that security requirements have been satisfied before product can ship. The OWASP Top Ten List is an excellent starting point for companies to build security awareness among their developers, and to prepare security criteria for application deployment."

John Viega

• Chief Scientist, Secure Software Inc.
• Co-author of "Building Secure Software"

"Many people have seen top ten lists detailing the "biggest network security risks". Those lists only point out flaws in third party software that you may or may not be running on your network. Applying the information in this list will keep the software you develop off those other lists!"