OWASP releases ‘Top Ten’ for 2010

Open Web Application Security Project has come out with the top ten web application security risks for the year 2010. The following table makes a comparative analysis between OWASP Top 10 – 2007 & OWASP Top 10 – 2010

Top 10 2010 OWASP

As compared to the OWASP top ten of 2007, it may be observed that more weightage has been given to broken or missing security controls rather than being organised around the attack or impact.

It has been reasoned that Malicious file execution has been removed due to the reduction in the prevalence of this vulnerability. Also information leakage has been dropped because it focuses on implementation details such as IP addresses and stack traces, not sensitive business or personal information. Though display of such information is not good, it is not a risk by itself. It increases the chances of making another risk worse.

A word on newly added vulnerabilities:-

Unvalidated Redirects and Forwards: Web application redirects are very common and frequently include user supplied parameters in the destination URL.  If they aren’t validated, attacker can send victim to a site of their choice.

Security Misconfiguration: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly.