OWASP Top 10 – 2010 - Web Admin Blog

OWASP Top 10 – 2010

Nov.13, 2009 in OWASP AppSec DC 2009, Web Application Security

This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member. My notes are below:

What’s Changed?

It’s about Risks, not just vulnerabilities
- New title is: “The Top 10 Most Critical Web Application Security Risks”
OWASP Top 10 Risk Rating Methodology
- Based on the OWASP Risk Rating Methodology, used to prioritize Top 10
2 Risks Added, 2 Dropped
- Added: A6 – Security Misconfiguration
  - Was A10 in 2004 Top 10: Insecure Configuration Management
- Added: A8 – Unvalidated Redirects and Forwards
  - Relatively common and VERY dangerous flaw that is not well know
- Removed: A3 – Malicious File Execution
  - Primarily a PHP flaw that is dropping in prevalence
- Removed: A6 – Information Leakage and Improper Error Handling
  - A very prevalent flaw, that does not introduce much risk (normally)

A1- Injection: Tricking an application into including unintended commands in the data sent to an interpreter. (http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet)
A2 – Cross Site Scripting (XSS): Raw data from attacker is sent to an innocent user’s browser. For large chunks of user supplied HTML, use OWASP’s AntiSamy to sanitize this HTML to make it safe. (http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
A3 – Broken Authentication and Session Management: Means credentials have to go with every request. Should use SSL for everything requiring authentication.
A4 – Insecure Direct Object Reference: This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access.
A5 – Cross Site Request Forgery (CSRF): An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application. Vulnerability is caused by browsers automatically including user authentication data with each request. (Check out OWASP CSRFGuard, OWASP CSRFTester, http://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet)
A6 – Security Misconfiguration: All through the network and platform. Don’t forget the development environment. Think of all the places your source code goes. All credentials should change in production.
A7 – Failure to Restrict URL Access: This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References.
A8 – Unvalidated Redirects and Forwards: Web application redirects are very common and frequently include user supplied parameters in the destination URL. If they aren’t validated, attacker can send victim to a site of their choice.
A9 – Insecure Cryptographic Storage: Storing sensitive data insecurely. Failure to identify all sensitive data. Failure to identify all the places that this sensitive data gets stored. Failure to properly protect this data in every location.
A10 – Insufficient Transport Layer Protection

OWASP Top 10 Risk Rating Methodology

Attack Vector (How hard for an attacker to use this flaw – 1 (Easy), 2 (Average), 3 (Difficult))
Weakness Prevalence (How often is it found – 1 (Widespread), 2 (Common), 3 (Uncommon))
Weakness Detectability (How hard is it for an attacker to find the flaw – 1 (Easy), 2 (Average), 3 (Difficult))
Technical Impact (1 (Severe), 2 (Moderate), 3 (Minor))

This is generic across the internet, not specific to any organization.

Started a new “Prevention Cheatsheet Series” that the Top 10 references (XSS, SQL Injection, Transport Layer Security, CSRF, Direct Object Reference).

What is actually being released is RC1 of the Top 10 and they are encouraging people to provide comments through the end of the year and then use that feedback to post the final Top 10 in January 2010.

Tags: 2010, application, authentication, broken, critical, cross, direct, forgery, forwards, injection, insecure, Management, misconfiguration, object, owasp, redirects, reference, request, risks, scripting, Security, session, site, sql, top 10, unvalidated, web, xss

Welcome to WebAdminBlog!

This blog site is run by Josh Sokol, the Founder and CEO of SimpleRisk, a free tool for Governance, Risk Management, and Compliance. Josh is a former Web Admin and Information Security Program Owner of National Instruments.

Categories
Recent Posts
Recent Comments
devops
Links
Security
Tags
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi
Categories
- Advertising (2)
- Application Performance Management (14)
- Automation (4)
- Browsers (4)
- Cloud Computing (9)
  - Elastic Compute Cloud (3)
- Conferences (64)
  - BSides Austin 2013 (1)
  - BSides Austin 2016 (1)
  - OWASP AppSec DC 2009 (16)
  - OWASP AppSec NYC 2008 (18)
  - OWASP LASCON 2017 (1)
  - OWASP LASCON 2018 (1)
  - TRISC 2009 (8)
  - Velocity 2008 (8)
  - Velocity 2009 (8)
- Content Management (2)
- Featured (3)
- Green Computing (1)
- High Availability (1)
- Log Management (2)
- Management (4)
- Monitoring (4)
- Networking (12)
  - Firewalls (4)
  - NetFlow (4)
- Operating Systems (2)
  - Linux (2)
  - Mac OSX (1)
  - Unix (2)
- Operations (11)
- Popular (2)
- SaaS (2)
- Sarcasm (1)
- Search (1)
  - Enterprise Search (1)
- Security (75)
  - Access Management (1)
  - Capture the Flag (4)
  - Cloud Computing (4)
  - Compliance (1)
  - Disaster Recovery (1)
  - Malware (4)
  - Metrics (2)
  - OWASP (2)
  - PCI (2)
  - Phishing (2)
  - Physical (1)
  - Risk Management (2)
  - Virtualization (3)
  - Web Application Security (32)
    - Dynamic Analysis (1)
    - Static Analysis (1)
  - Wireless Networks (5)
- Service-Oriented Architecture (1)
- Software and Tools (15)
  - Crashplan (1)
  - Drobo (1)
  - GRC (1)
- Training (2)
- Uncategorized (1)
- Virtualization (4)

Blogroll
- Agile Operations Blog
- Agile Testing
- Agile Web Operations
- Amazon Web Services Blog
- dev2ops – Web Ops at Scale
- Gilligan on Data Web Analytics pro tips
- ISSA Home The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.
- Kitchen Soap, A WebOps Blog
- Michael Howard's Blog Software security guy at Microsoft.
- National Instruments Home The majority of the contributers here are current or past NI employees.
- OWASP Home The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
- RSnake's Blog ha.ckers.org web application security lab
- Server Fault
- Steve Souders’ Blog Google High Performance Guru
- The Madstop
- The Open Minded Enterprise
- The Simple Logic
- Transparent Uptime blog
Archives
- March 2019
- October 2017
- April 2016
- January 2016
- December 2015
- May 2015
- November 2014
- August 2014
- June 2014
- May 2014
- October 2013
- September 2013
- August 2013
- May 2013
- March 2013
- February 2013
- October 2012
- May 2011
- April 2011
- December 2010
- July 2010
- June 2010
- April 2010
- March 2010
- February 2010
- January 2010
- November 2009
- September 2009
- July 2009
- June 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
Tag Cloud
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi

Web Admin Blog

Real Web Admins. Real World Experience.

OWASP Top 10 – 2010

Leave a Reply

Welcome to WebAdminBlog!

Categories

Recent Posts

Recent Comments

devops

Links

Security

Categories

Blogroll

Archives

Tag Cloud