This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Germany/Projekte/Top 10 fuer Entwickler-2013/Neuerungen

From OWASP
Revision as of 12:47, 17 July 2013 by T.Gigler (talk | contribs) (Überschrift mithilfe 'Top_10_2010:SubsectionColoredTemplate' hinzugefügt)

Jump to: navigation, search
← Einleitung
Top 10 fuer Entwickler-2013: Inhaltsverzeichnis

Die Top-10-Risiken

Risiko →
Neuerungen
Was hat sich von Version 2010 zu 2013 verändert?

The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:

  1. Broken Authentication and Session Management moved up in prevalence based on our data set,. Probably because this area is being looked at harder, not because issues are actually more prevalent. This caused Risks A2 and A3 to switch places.
  2. Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.
  3. We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:

    +     2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.

  4. We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:

    -     This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.

  5. We added: 2013-A9: Using Components with Known Vulnerabilities:

    +     This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own as the growth and depth of component based development has significantly increased the risk of using components with known vulnerabilities.

OWASP Top 10 - 2010 (Previous Version) OWASP Top 10 - 2013 (Current Version)
A1-Injection A1-Injection
A3-Broken Authentication and Session Management A2-Fehler in Authentifizierung und Session-Management
A2-Cross Site Scripting (XSS) A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object Reference A4-Unsichere direkte Objektreferenzen
A6-Security Misconfiguration A5-Sicherheitsrelevante Fehlkonfiguration
A7-Insecure Cryptographic Storage - Merged with A9 --> A6-Verlust der Vertraulichkeit sensibler Daten
A8-Failure to Restrict URL Access - Broadened into --> A7-Fehlerhafte Autorisierung auf Anwendungsebene
A5-Cross Site Request Forgery (CSRF) A8-Cross-Site Request Forgery (CSRF)
<buried in A6: Security Misconfiguration> A9-Nutzung von Komponenten mit bekannten Schwachstellen
A10-Unvalidated Redirects and Forwards A10-Ungeprüfte Um- und Weiterleitungen
A9-Insufficient Transport Layer Protection Merged with 2010-A7 into 2013-A6
← Einleitung
Top 10 fuer Entwickler-2013: Inhaltsverzeichnis

Die Top-10-Risiken

Risiko →

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png