Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2009
09:23 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Web Application Security New Top 10 Risks

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcomed - change in how the organization rates Web application security weaknesses.

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcomed - change in how the organization rates Web application security weaknesses.The OWASP Top Ten has always been required reading for Web application developers and server administrators. But the list, as it was initially published nearly seven years ago, probably didn't mean much to the business managers and executives who need to authorize the budget, and additional time, needed to deploy reasonably secure Web applications.

One of the most profound changes, and shows how OWASP is maturing from its software development centric view to a risk view is the inclusion of Security Misconfigurations to the list. Misconfigurations and poor system change management is one of the most common - and avoidable - ways organizations shoot themselves in the security foot. Proper configuration settings, if there's any hope at keeping an application or Web server secure must be defined and put into place - and periodically validated. Misconfigurations always belonged on the list - and it's good news to see it included.

Also, for each risk, the guide details how easy the vulnerability is exploited, prevalence of the flaw, and the severity of its technical impact. The guide also explains how organizations are typically vulnerable, how to mitigate the risk, and example attacks.

Developers , server administrators, and application owners interested in maintaining secure applications should not only use the OWASP Top 10 as a technical reference guide - but also as a way to help secure the budget required to do the things that need to be done to make security part of an organization's business process.

The OWASP Top 10 Application Security Risks 2010 (release candidate) can be found at the OWAPS Web site, right here. The list includes the classes of Web risks we read about every day, as web sites and databases are pwned: Injection attacks (think buffer overflow and SQL attacks), bad authentication, cross-site scripting attacks.

While good security can never attained by checking through mere lists. Although mitigating the risks included in the OWASP Top 10 will enhance the security far beyond any Web application that does not. These vulnerabilities are typically the first doorknobs the digital burglar tries to rattle hoping to find an opening.

OWASP has excellent resources designed to help organizations improve their Web application security including the OWASP Developer's Guide, the OWASP Testing Guide, and OWASP Code Review Guide.

For my security and technology observations throughout the day, follow my Twitter account.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.