With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcome - change in how the organization rates Web application security weaknesses. The OWASP Top Ten has always been required reading for Web application developers and server administrators. But the list, as it was initially published nearly seven years ago, probably didn't mean much to the business managers and executives who need to authorize the budget, and the additional time, needed to deploy reasonably secure Web applications.
One of the most profound changes, and one that shows how OWASP is maturing from a software-development-centric view to a risk view, is the addition of Security Misconfiguration to the list. Misconfigurations and poor system change management are among the most common - and avoidable - ways organizations shoot themselves in the security foot. If there is any hope of keeping an application or Web server secure, proper configuration settings must be defined, put into place - and periodically validated. Misconfigurations always belonged on the list - and it's good news to see them included.
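The "define, put into place, periodically validate" cycle above is easy to state and easy to let slip. The script below is an added example (not code from the original post or from OWASP) of the validation step: a baseline of required settings is declared once, and a deployed configuration is checked against it to report drift. The `key = value` file format, the setting names and the sample values are constructed for illustration and are not the directives of any particular web server product.

```python
"""Define a configuration baseline, then validate a deployed configuration
against it and report drift.

Added example, not code from the original post or from OWASP. The 'key = value'
format, the setting names and the sample values are constructed for
illustration; they are not the directives of any particular web server."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the settings the application owner requires to be in force.
BASELINE = {
    "debug_mode": "off",
    "directory_listing": "off",
    "server_version_banner": "off",
    "default_admin_account": "disabled",
    "session_cookie_httponly": "on",
    "session_cookie_secure": "on",
}

# Constructed sample of a deployed configuration that has drifted from the baseline.
DEPLOYED_CONFIG = """\
# web server settings (constructed sample)
debug_mode = on                  # left on after troubleshooting
directory_listing = off
server_version_banner = off
session_cookie_httponly = on
error_page_stack_traces = on     # nobody has decided whether this is acceptable
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Optional[str]   # None when the baseline has no opinion
    actual: Optional[str]     # None when the setting is absent from the config
    reason: str


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored.
    Keys and values are lower-cased so 'Off' and 'off' compare equal."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip().lower() for part in line.split("=", 1))
        settings[key] = value
    return settings


def validate_config(config_text: str, baseline: dict = BASELINE) -> list:
    """Return one Finding per deviation. An empty list means the config matches."""
    actual = parse_config(config_text)
    findings = []
    for key, expected in baseline.items():
        if key not in actual:
            # A missing setting silently falls back to the server's default,
            # which is exactly the kind of drift a baseline is meant to catch.
            findings.append(Finding(key, expected, None, "required setting is missing"))
        elif actual[key] != expected:
            findings.append(Finding(key, expected, actual[key], "value differs from baseline"))
    for key, value in actual.items():
        if key not in baseline:
            # Unreviewed settings are flagged so the baseline gets extended, not bypassed.
            findings.append(Finding(key, None, value, "setting not covered by baseline"))
    return findings


def is_compliant(config_text: str, baseline: dict = BASELINE) -> bool:
    return not validate_config(config_text, baseline)


def render_baseline(baseline: dict = BASELINE) -> str:
    """Emit the baseline in the same file format: a known-good configuration."""
    return "".join(f"{key} = {value}\n" for key, value in baseline.items())


if __name__ == "__main__":
    for f in validate_config(DEPLOYED_CONFIG):
        print(f"{f.setting}: expected={f.expected!r} actual={f.actual!r} ({f.reason})")
```

Run on a schedule (or from a change-management hook), a non-empty findings list is the signal that someone changed the server without updating the baseline, or updated the baseline without rolling it out. Treating settings absent from the baseline as findings is deliberate: a baseline that only checks what it already knows about cannot notice a new risky option being switched on.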
Also, for each risk, the guide details how easily the vulnerability is exploited, how prevalent the flaw is, and the severity of its technical impact. The guide also explains how organizations are typically vulnerable, how to mitigate the risk, and gives example attacks.
Developers, server administrators, and application owners interested in maintaining secure applications should use the OWASP Top 10 not only as a technical reference guide - but also as a way to help secure the budget required to do the things that need to be done to make security part of an organization's business process.
The OWASP Top 10 Application Security Risks 2010 (release candidate) can be found at the OWASP Web site, right here. The list includes the classes of Web risks we read about every day, as web sites and databases are pwned: injection attacks (think buffer overflow and SQL attacks), bad authentication, cross-site scripting attacks.
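To make the injection entry concrete, here is an added example (not code from the original post or from OWASP) that puts the weak form of a SQL lookup next to its hardened form. It uses an in-memory SQLite database with constructed sample rows; the user named `o'brien` is a perfectly legitimate value whose apostrophe shows why pasting input into statement text is the defect: the database parses the input as SQL, whereas a bound parameter is only ever compared.

```python
"""Injection: SQL built by string concatenation beside its parameterized form.

Added example, not code from the original post or from OWASP. Uses an
in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the apostrophe in o'brien is a legitimate value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: untrusted input is pasted into the statement text, so the
    database parses whatever the user typed as part of the SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the statement is fixed and the value travels separately,
    so the input can only be compared against the column, never parsed."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input; record a parse error instead of raising."""
    conn = make_db()
    try:
        weak = lookup_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        # The quote in the input terminated the string literal and the remainder
        # was handed to the SQL parser: proof that input reached the parser.
        weak = f"error: {exc}"
    return {"concatenated": weak, "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    for name in ("bob", "o'brien"):
        print(name, compare(name))
```

For `bob` both forms return the same row. For `o'brien` the concatenated form fails with a syntax error while the parameterized form returns the user: the same property that breaks the weak form on an innocent apostrophe is what lets crafted input change the statement's meaning, and the parameterized form removes that property entirely rather than trying to filter it.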
Good security can never be attained by checking through mere lists. But mitigating the risks included in the OWASP Top 10 will put an application's security far beyond that of any Web application that does not. These vulnerabilities are typically the first doorknobs the digital burglar rattles, hoping to find an opening.
For my security and technology observations throughout the day, follow my Twitter account.