
Difference between revisions of "Top 10-2017 Introduction"

m (deleted doubled 'language=en')
m (underlined all links, redefined links to OWASP as internal links)
Line 24: Line 24:
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=left|title={{Top_10:LanguageFile|text=warnings|language=en}}|year=2017|language=en}}
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=left|title={{Top_10:LanguageFile|text=warnings|language=en}}|year=2017|language=en}}
  
'''Don’t stop at 10.''' There are hundreds of issues that could affect the overall security of a web application as discussed in the [https://www.owasp.org/index.php/OWASP_Guide_Project OWASP Developer’s Guide] and the [https://www.owasp.org/index.php/Cheat_Sheets OWASP Cheat Sheet Series]. These are essential reading for anyone developing web applications. Guidance on how to effectively find vulnerabilities in web applications is provided in the [https://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide] and the [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Guide].
+
'''Don’t stop at 10.''' There are hundreds of issues that could affect the overall security of a web application as discussed in the <u>[[OWASP_Guide_Project| OWASP Developer’s Guide]]</u> and the <u>[[Cheat_Sheets| OWASP Cheat Sheet Series]]</u>. These are essential reading for anyone developing web applications. Guidance on how to effectively find vulnerabilities in web applications is provided in the <u>[[Category:OWASP_Testing_Project| OWASP Testing Guide]]</u> and the <u>[[Category:OWASP_Code_Review_Project| OWASP Code Review Guide]]</u>.
  
 
'''Constant change.''' This Top 10 will continue to change. Even without changing a single line of your application’s code, you may become vulnerable as new flaws are discovered and attack methods are refined. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
 
'''Constant change.''' This Top 10 will continue to change. Even without changing a single line of your application’s code, you may become vulnerable as new flaws are discovered and attack methods are refined. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.
  
'''Think positive.''' When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has produced the [https://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)] as a guide to organizations and application reviewers on what to verify.
+
'''Think positive.''' When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has produced the <u>[[ASVS| Application Security Verification Standard (ASVS)]]</u> as a guide to organizations and application reviewers on what to verify.
  
 
'''Use tools wisely.''' Security vulnerabilities can be quite complex and buried in mountains of code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
 
'''Use tools wisely.''' Security vulnerabilities can be quite complex and buried in mountains of code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.
  
'''Push left, right, and everywhere.''' Focus on making security an integral part of your culture throughout your development organization. Find out more in the [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Open Software Assurance Maturity Model (SAMM)] and the [http://ruggedsoftware.org/  Rugged Handbook].
+
'''Push left, right, and everywhere.''' Focus on making security an integral part of your culture throughout your development organization. Find out more in the <u>[[Category:Software_Assurance_Maturity_Model| Open Software Assurance Maturity Model (SAMM)]]</u> and the <u>[http://ruggedsoftware.org/  Rugged Handbook]</u>.
  
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=right|title={{Top_10:LanguageFile|text=attribution|language=en}}|year=2017|language=en}}
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=right|title={{Top_10:LanguageFile|text=attribution|language=en}}|year=2017|language=en}}
Thanks to [https://www.aspectsecurity.com/ Aspect Security] for initiating, leading, and updating
+
Thanks to <u>[https://www.aspectsecurity.com/ Aspect Security]</u> for initiating, leading, and updating
 
the OWASP Top 10 since its inception in 2003, and to its
 
the OWASP Top 10 since its inception in 2003, and to its
 
primary authors: Jeff Williams and Dave Wichers.
 
primary authors: Jeff Williams and Dave Wichers.
  
 
<center>
 
<center>
[https://www.aspectsecurity.com https://www.owasp.org/images/5/51/Aspect_Logo.png]
+
<u>[https://www.aspectsecurity.com https://www.owasp.org/images/5/51/Aspect_Logo.png]</u>
 
</center>
 
</center>
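Review bot: the internal links `[[Category:OWASP_Testing_Project| OWASP Testing Guide]]`, `[[Category:OWASP_Code_Review_Project| OWASP Code Review Guide]]` and `[[Category:Software_Assurance_Maturity_Model| Open Software Assurance Maturity Model (SAMM)]]` lack the leading colon, so MediaWiki treats them as category assignments rather than links; the rendered revision shows the result as "is provided in the and the ." and "Find out more in the and the Rugged Handbook." Write them as `[[:Category:OWASP_Testing_Project| OWASP Testing Guide]]` (and likewise for the other two) so the link text is rendered.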
  
Line 47: Line 47:
 
update, including these large data set providers:
 
update, including these large data set providers:
 
<ul style="columns: 2; -webkit-columns: 2; -moz-columns: 2;">
 
<ul style="columns: 2; -webkit-columns: 2; -moz-columns: 2;">
<li>[https://www.aspectsecurity.com/ Aspect Security]</li>
+
<li><u>[https://www.aspectsecurity.com/ Aspect Security]</u></li>
<li>[http://www.brandingbrand.com/ Branding Brand]</li>
+
<li><u>[http://www.brandingbrand.com/ Branding Brand]</u></li>
<li>[https://www.edgescan.com/ EdgeScan]</li>
+
<li><u>[https://www.edgescan.com/ EdgeScan]</u></li>
<li>[https://www.mindedsecurity.com/ Minded Security]</li>
+
<li><u>[https://www.mindedsecurity.com/ Minded Security]</u></li>
<li>[http://www.softtek.com/ Softtek]</li>
+
<li><u>[http://www.softtek.com/ Softtek]</u></li>
<li>[https://www.veracode.com/ Veracode]</li>
+
<li><u>[https://www.veracode.com/ Veracode]</u></li>
<li>[https://www.astechconsulting.com/ AsTech Consulting]</li>
+
<li><u>[https://www.astechconsulting.com/ AsTech Consulting]</u></li>
<li>[https://www.contrastsecurity.com/ Contrast Security]</li>
+
<li><u>[https://www.contrastsecurity.com/ Contrast Security]</u></li>
<li>[https://www.ibliss.com.br/ iBLISS]</li>
+
<li><u>[https://www.ibliss.com.br/ iBLISS]</u></li>
<li>[https://www.paladion.net/ Paladion Networks]</li>
+
<li><u>[https://www.paladion.net/ Paladion Networks]</u></li>
<li>[http://www.vantagepoint.sg/ Vantage Point]</li>
+
<li><u>[http://www.vantagepoint.sg/ Vantage Point]</u></li>
 
</ul>
 
</ul>
  
 
For the first time, all the data contributed to a Top 10 release,
 
For the first time, all the data contributed to a Top 10 release,
and the full list of contributors, is [https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true publicly available].
+
and the full list of contributors, is <u>[https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true publicly available]</u>.
  
 
We would like to thank in advance those who contribute
 
We would like to thank in advance those who contribute
Line 67: Line 67:
 
update to the Top 10 and to:
 
update to the Top 10 and to:
 
<ul>
 
<ul>
   <li>[mailto:[email protected] Neil Smithline] ([https://www.autodesk.com Autodesk])– For producing the wiki version of this Top 10 release</li>
+
   <li><u>[mailto:[email protected] Neil Smithline]</u> (<u>[https://www.autodesk.com Autodesk]</u>) – For producing the wiki version of this Top 10 release</li>
 
</ul>
 
</ul>
 
And finally, we’d like to thank in advance all the translators out
 
And finally, we’d like to thank in advance all the translators out

Revision as of 17:12, 23 April 2017

← About OWASP
2017 Table of Contents

PDF version

Release Notes →
Welcome

Welcome to the OWASP Top 10 2017! This major update adds two new vulnerability categories for the first time: (1) Insufficient Attack Detection and Prevention and (2) Underprotected APIs. We made room for these two new categories by merging the two access control categories (2013-A4 and 2013-A7) back into Broken Access Control (which is what they were called in the OWASP Top 10 - 2004), and dropping 2013-A10: Unvalidated Redirects and Forwards, which was added to the Top 10 in 2010.

The OWASP Top 10 for 2017 is based primarily on 11 large datasets from firms that specialize in application security, including 8 consulting companies and 3 product vendors. This data spans vulnerabilities gathered from hundreds of organizations and over 50,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

Warnings

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer’s Guide and the OWASP Cheat Sheet Series. These are essential reading for anyone developing web applications. Guidance on how to effectively find vulnerabilities in web applications is provided in the OWASP Testing Guide and the OWASP Code Review Guide.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may become vulnerable as new flaws are discovered and attack methods are refined. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify.

Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left, right, and everywhere. Focus on making security an integral part of your culture throughout your development organization. Find out more in the Open Software Assurance Maturity Model (SAMM) and the Rugged Handbook.

Attribution

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.


We’d like to thank the many organizations that contributed their vulnerability prevalence data to support the 2017 update, including these large data set providers: Aspect Security, Branding Brand, EdgeScan, Minded Security, Softtek, Veracode, AsTech Consulting, Contrast Security, iBLISS, Paladion Networks, and Vantage Point.

For the first time, all the data contributed to a Top 10 release, and the full list of contributors, is publicly available.

We would like to thank in advance those who contribute significant constructive comments and time reviewing this update to the Top 10 and to: Neil Smithline (Autodesk), for producing the wiki version of this Top 10 release.

And finally, we’d like to thank in advance all the translators out there that will translate this release of the Top 10 into numerous different languages, helping to make the OWASP Top 10 more accessible to the entire planet.


© 2002-2017 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.