We presented a webinar (it will be online shortly) a couple of weeks ago on Secure Software Development Life Cycle practices, and we talked about OWASP, the Open Web Application Security Project. An attendee asked where they could find the OWASP Top Ten, so I thought it would be useful to let everyone know about it.
OWASP has released a draft of its Top 10 web application security risks for 2010 (NOTE: large PDF).
The draft is open for public comment, and OWASP plans to release the final version by the end of the first quarter of 2010.
As you know, web applications are usually the most exposed and most vulnerable components of a website, so OWASP is doing a great service by describing these attacks, the risks they pose, and how to prevent them. Two new risks replace Malicious File Execution and Information Leakage and Improper Error Handling from the previous 2007 list: Security Misconfiguration and Unvalidated Redirects and Forwards. The inclusion of Security Misconfiguration shows that OWASP now takes a risk view that covers deployment and operations, not just software development.
But what enterprises will most appreciate about the new list is that it is accessible not just to security professionals but to company decision-makers. Rather than only describing the exploits, the document explains the technical impacts and the business ramifications of each risk. OWASP takes a risk assessment approach with this list, which is a mature viewpoint on providing security.
The 2007 list ranked each weakness by how frequently it occurred; the new list ranks each item by risk. The result is a list of the top risks rather than simply the most common weaknesses.
Each risk is broken down into the exploitability of its attack vectors, the prevalence and detectability of the underlying security weakness, and its technical and business impacts. Each factor is rated red, orange, or yellow to show its severity.
Attack vectors rated red are those an attacker can exploit easily. Injection, for example, is easy to exploit because the attacker only needs to send simple text-based input that abuses the syntax of the targeted interpreter. The prevalence rating shows how often the weakness occurs in applications, and the detectability rating shows how easy the weakness is for an attacker to find. Finally, the technical and business impact ratings describe how much damage an attacker could cause by exploiting the weakness.
This risk assessment approach to security is a very wise step for OWASP and something we have been doing for clients since 2004. It is neither possible nor economically feasible to guarantee 100% security, so security spending must instead be budgeted based on risk. The list lets companies decide which risks to worry about first by weighing how likely each one is, what it costs to prevent, and what its impact would be.
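The rating scheme described above, and the difference between the 2007 frequency ranking and the 2010 risk ranking, is easier to see in a worked example. The following Python is an added example written for this post, not OWASP's own code. It assumes a scoring scheme modeled on the 2010 methodology (each factor rated 1 to 3 with 1 the worst case, likelihood taken as the mean of exploitability, prevalence and detectability, and risk as likelihood multiplied by technical impact, so a lower score is a higher risk); the exact weights are an assumption, and the four sample weaknesses and their ratings are constructed for illustration rather than taken from the OWASP document.

```python
"""Added example (not from the original post or from OWASP): an OWASP-style
risk rating that contrasts ranking by prevalence alone (the 2007 approach)
with ranking by combined risk (the 2010 approach).

Assumed scoring scheme: every factor is rated on a three-point scale where
1 is the worst case (Easy / Widespread / Easy / Severe) and 3 the best
(Difficult / Uncommon / Difficult / Minor).  Likelihood is the mean of the
three attack-and-weakness factors, and weighted risk is likelihood times
technical impact, so a LOWER score means a HIGHER risk.
"""
from dataclasses import dataclass

EXPLOITABILITY = {"easy": 1, "average": 2, "difficult": 3}
PREVALENCE = {"widespread": 1, "common": 2, "uncommon": 3}
DETECTABILITY = {"easy": 1, "average": 2, "difficult": 3}
IMPACT = {"severe": 1, "moderate": 2, "minor": 3}

# The red/orange/yellow bands the post describes, keyed by numeric rating.
BAND = {1: "red", 2: "orange", 3: "yellow"}


@dataclass(frozen=True)
class Weakness:
    name: str
    exploitability: str
    prevalence: str
    detectability: str
    impact: str

    def likelihood(self) -> float:
        """Mean of the three factors that make an exploit likely."""
        return (EXPLOITABILITY[self.exploitability]
                + PREVALENCE[self.prevalence]
                + DETECTABILITY[self.detectability]) / 3

    def risk(self) -> float:
        """Likelihood weighted by technical impact (lower is worse)."""
        return self.likelihood() * IMPACT[self.impact]


def color(factor_table: dict, rating: str) -> str:
    """Map a categorical rating to its colour band, e.g. 'easy' -> 'red'."""
    return BAND[factor_table[rating]]


def rank_by_prevalence(weaknesses):
    """2007-style ordering: most widespread first, ties broken by name."""
    return sorted(weaknesses, key=lambda w: (PREVALENCE[w.prevalence], w.name))


def rank_by_risk(weaknesses):
    """2010-style ordering: lowest (worst) weighted risk first."""
    return sorted(weaknesses, key=lambda w: (w.risk(), w.name))


# Constructed sample entries; the names and ratings are invented for this
# illustration and are not OWASP's ratings for any real Top 10 category.
SAMPLE = [
    Weakness("verbose error pages", "easy", "widespread", "easy", "minor"),
    Weakness("interpreter injection", "easy", "common", "average", "severe"),
    Weakness("unvalidated redirect", "average", "uncommon", "easy", "moderate"),
    Weakness("weak crypto storage", "difficult", "common", "difficult", "severe"),
]


def report(weaknesses) -> str:
    """Side-by-side view of both rankings for a quick visual comparison."""
    lines = ["by prevalence (2007 view)      | by risk (2010 view)"]
    for p, r in zip(rank_by_prevalence(weaknesses), rank_by_risk(weaknesses)):
        lines.append(f"{p.name:<30} | {r.name:<25} risk={r.risk():.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Under the prevalence-only view the widespread but low-impact "verbose error pages" entry tops the list; once impact is weighted in, it drops to third place behind the severe-impact weaknesses, which is exactly the shift from "most common" to "most risky" that the 2010 list makes.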