This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10-2017 Details About Risk Factors"

From OWASP
Jump to: navigation, search
m (underlined all links, redefined links to OWASP as internal links, repaired some links)
(Added: OWASP Top 10 Privacy Risks Project (not yet part of RC1, see comment in source))
Line 93: Line 93:
 
* <u>[https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery (SSRF) (CWE-918)]</u>
 
* <u>[https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery (SSRF) (CWE-918)]</u>
 
* <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Unvalidated Redirects and Forwards]]</u> (<u>[https://cwe.mitre.org/data/definitions/601.html CWE-601]</u>) (Was 2013 Top 10 – <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Entry 2013-A10]]</u>)
 
* <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Unvalidated Redirects and Forwards]]</u> (<u>[https://cwe.mitre.org/data/definitions/601.html CWE-601]</u>) (Was 2013 Top 10 – <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Entry 2013-A10]]</u>)
* <u>[[Privacy_Violation|User Privacy]]</u> (<u>[https://cwe.mitre.org/data/definitions/359.html CWE-359]</u>)
+
* <u>[[Privacy_Violation|User Privacy]]</u> (<u>[https://cwe.mitre.org/data/definitions/359.html CWE-359]</u>) <!--- not yet part of RC1 -->For defenses, see: <u>[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]</u><!--- END: not yet part of RC1 -->
  
 
{{Top_10:SubsectionTableEndTemplate}}
 
{{Top_10:SubsectionTableEndTemplate}}

Revision as of 15:21, 23 April 2017

← Note About Risks
2017 Table of Contents

PDF version

 
Top 10 Risk Factor Summary

The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.


Risk Threat Agents Attack Vectors Security Weakness
(Prevalence)
Security Weakness
(Detectability)
Technical Impacts Business Impacts
A1-Injection App Specific EASY COMMON AVERAGE SEVERE App Specific
A2-Authentication App Specific AVERAGE COMMON AVERAGE SEVERE App Specific
A3-XSS App Specific AVERAGE VERY WIDESPREAD AVERAGE MODERATE App Specific
A4-Access Ctrl App Specific EASY WIDESPREAD EASY MODERATE App Specific
A5-Misconfig App Specific EASY COMMON EASY MODERATE App Specific
A6-Sens. Data App Specific DIFFICULT UNCOMMON AVERAGE SEVERE App Specific
A7-Attack Prot. App Specific EASY COMMON AVERAGE MODERATE App Specific
A8-CSRF App Specific AVERAGE UNCOMMON EASY MODERATE App Specific
A9-Vulnerable Components App Specific AVERAGE COMMON AVERAGE MODERATE App Specific
A10-API Prot. App Specific AVERAGE COMMON DIFFICULT MODERATE App Specific


Additional Risks to Consider

The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (in alphabetical order) that you should also consider include:

← Note About Risks
2017 Table of Contents

PDF version

 

© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png