OWASP Top 10 2013 Released 17
hypnosec writes "OWASP's Top 10, the Open Web Application Security Project's top 10 most critical web application security risks, has been updated and a new list for 2013 published. Last updated back in 2010, the organization has published the new list wherein the importance of cross-site scripting (XSS) and cross-site request forgery (CRSF) has been diluted a little, while risks related to broken session management and authentication have moved up a notch. Code injection, which was the topmost risk in 2010, has retained its position in the updated list. The 2013 Top Ten list (PDF) has been compiled based on half a million vulnerabilities discovered in thousands of applications from hundreds of vendors."
Irony (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
What vulnerabilities exist in the PDF format? You seem to be incorrectly conflating issues with a single PDF reader with the format.
The same vulnerabilities exist in many PDF readers, such as JavaScript and remote file access, even if implemented differently in the various applications.
I guess no formats are vulnerable by that reasoning; there is no vulnerability in Flash or Word formats either; it's just the players.
Non-PDF link (Score:4, Informative)
https://www.owasp.org/index.php/Top10 [owasp.org]
These look familiar (Score:2)
The really sad part about the OWASP Top 10 lists is that they don't change very much. In a perfect world, none of the 2010 top 10 would be on this list, because they would be solved, but the fact of the matter is that most organizations don't care.
Minor criticisms of top 10 list (Score:4, Informative)
1. I don't understand why XSS and Injection are listed as separate items. XSS attacks are by definition injection attacks. I think separating this out de-emphasizes an important conceptual understanding applicable to a lot more domains than databases and html. To their credit they say as much.
Referer checking should not have been kept out of the mitigation section for CSRF.
"Using components with known vulnerabilities" (A9) appears to be a subset of "Security misconfiguration" (A5)
The Detectibility scale is screwed up in my opinion. Every single item is either average or easy except Difficult designation of 'Using components with known vulnerabilities' (A9)... How hard can it be to check current versions of libraries your system is using? What makes A5 easy and A9 hard?
"Sensitive data exposure" (A6) I don't think belongs in the list. It is a political item... yea encrypting sounds good but at some point you need to store a decryption key to decrypt what is encrypted - management of keys and physical systems security and infrastructure is important but I'm not sure it fits within the context of the other items which are about preventing specific attacks not about how to make being owned less bad.
What I think is missing is focus on huge problem of tricking users via phishing / "homographic" attacks. First and foremost the whole concept of typing a password into a web form to login is fundementally fucked up. Its right up there with fake padlock icons displayed on web sites and "two-factor" banking site picturegram logins. The industry needs to fix this shit because they are making things worse by manipulating their users into thinking they are safe with totally irrelevant security assertions which phishers are more than happy to leverage to maximum effect.
Users should be trained to ONLY type passwords into special dialouges within their browsers. We deseperatly need a web authentication scheme with channel bindings that don't suck ass (e.g. sent in clear or offline brute force attacks). The closest thing to deployed that fits the bill I know of is TLS-SRP.
Re: (Score:2)
I think they are referring to how easy it is for someone else to figure that out.