Thursday, March 25, 2010

OWASP Top 10 – Top Five Thoughts

By: Shay Zalalichin, CISSP
CTO, Comsec Consulting

The Open Web Application Security Project, better known in the AppSec world as OWASP, released the new OWASP Top 10 most critical Web application vulnerabilities for 2010 (which is updated about every three years). Since this list is so highly regarded in the AppSec community, I felt it important to highlight some elements.

OWASP Top 10 – Top Five Thoughts




1. Not just statistics –This time around OWASP didn't simply rank weaknesses/vulnerabilities by prevalence, but changed the model and decided to rank the Top 10 by risk (of which the vulnerability is only one factor). This is a new weighted approach, and gives a better picture of the overall risk.

2. A nice element is the new tool provided in the document that helps your average user assess their risk level. Albeit this matrix is a bit more complex than the NIST SP800-30 model which is pretty straightforward (compare figure 1 and 2), it is quite a useful tool for risk assessment.


Figure 1



Figure 2

3. Onto the Top 10 itself – The PHP-oriented Malicious File Execution and Information Leakage vulnerabilities were removed since their weighted risk potential is lower than the two new risks. The Security Misconfigurations vulnerability appeared in the 2004 T10 was removed in 2007 – and has now made a comeback.

4. It should be noted that if the OWASP Top 10 was more frequently published, Unvalidated Redirects which is mostly manifested in Phishing attacks and authorization bypass would likely have been included quite a while ago—since it has been relevant for a few years now.

5. In general, this is a good piece for awareness purposes, and to teach about common risks, but organizations should note that there are plenty of other risks – risks that result from specific technologies integrated within your organization, and that the OWASP T10 is only a starting point. Also, users should be cognizant of the fact that the OWASP T10 are only relevant to Web applications—and client-server apps etc. are subject to additional risks such as buffer overflow and others, that are quite common to languages such C/C++.



You can download the new OWASP Top 10 document from:
http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf

You can download the NIST Risk Management Guide for Information Technology Systems from: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf