This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10 2013-Introduction"

From OWASP
Jump to: navigation, search
(Changed use of Template 'Top_10_2010:SubsectionAdvancedTemplate': Replace Parameter 'number' by 'subsection' and 'position')
Line 29: Line 29:
 
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2013 update:
 
We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2013 update:
 
* [https://www.aspectsecurity.com/ Aspect Security ]
 
* [https://www.aspectsecurity.com/ Aspect Security ]
* [http://www.hpenterprisesecurity.com/ HP] (Results for both Fortify and WebInspect)
+
* [http://www.hpenterprisesecurity.com/ HP] (Results for both [http://www.hp.com/go/riskreport Fortify] and WebInspect)
* [http://www.mindedsecurity.com/ Minded Security]
+
* [http://www.mindedsecurity.com/ Minded Security] – [http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html Statistics]
* [http://www.softtek.com/ Softtek]
+
* [http://www.softtek.com/ Softtek] – [https://www.softtek.com/webdocs/special_pdfs/WP-State-of-the-art-2013.pdf Statistics]
* [https://www.trustwave.com/ TrustWave]
+
* [https://www.trustwave.com/spiderlabs/ TrustWave Spiderlabs]
 
* [http://www.veracode.com/ Veracode] – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
 
* [http://www.veracode.com/ Veracode] – [http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF Statistics]
 
* [https://www.whitehatsec.com/ WhiteHat Security Inc.] – [https://www.whitehatsec.com/home/resource/stats.html  Statistics]
 
* [https://www.whitehatsec.com/ WhiteHat Security Inc.] – [https://www.whitehatsec.com/home/resource/stats.html  Statistics]

Revision as of 13:59, 16 May 2013

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

[[Top 10 {{{year}}}-About OWASP|← About OWASP]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Release Notes|Release Notes →]]
Welcome

Welcome to the OWASP Top 10 2013! This update broadens one of categories from the 2010 version to be more inclusive of common, important vulnerabilities, and reorders some of the others based on changing prevalence data. It also brings component security into the spotlight by creating a specific category for this risk, pulling it out of the obscurity of the fine print of the 2010 risk A6: Security Misconfiguration.

The OWASP Top 10 is based on risk data from 8 firms that specialize in application security, including 4 consulting companies and 4 tool vendors (2 static and 2 dynamic). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact estimates.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.

Warnings

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer’s Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications are provided in the OWASP Testing Guide and OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may become vulnerable as new flaws are discovered. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify.

Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left. Focus on making security an integral part of your culture throughout your development organization. Find out more in the Open Software Assurance Maturity Model (SAMM) and the Rugged Handbook.

Acknowledgements

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.

We’d like to thank those organizations that contributed their vulnerability prevalence data to support the 2013 update:

[[Top 10 {{{year}}}-About OWASP|← About OWASP]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Release Notes|Release Notes →]]

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]