OWASP Top 10 RC
OWASP is getting ready to finalize a new Top 10 list for 2010. The request for comments ends on December 31, 2009. In the beta version, there are a few items worth noting about the new list. Injection vulnerabilities look like they will overtake the number one spot on the list. Here is a quick rundown of what was added or removed.
Added
Security Misconfiguration – this applies to the configuration of the application itself and of all frameworks or servers associated with it. WCF has moved a lot of information into the configuration files, and it is very easy to make a mistake there. It is important to make sure that not only the servers are patched, but also any libraries or third-party components.
Unvalidated Redirects and Forwards – when redirecting users, it is important that the input is validated correctly. Make sure you know where the URI is coming from and that it cannot be tampered with by outsiders.
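As an added illustration of that redirect check (example code, not from the original post or from OWASP), the Python helper below contrasts the common "starts with a slash, so it is local" test with a validation that resolves the target against the application's own origin and checks the resulting host against an allow-list; the host names and the OWN_BASE origin are assumed values.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allow-list of hosts this application is willing to send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
OWN_BASE = "https://example.com/"  # assumed origin of the application


def naive_is_safe(target: str) -> bool:
    """The common mistake: "starts with a slash, so it must be local".
    Accepts protocol-relative targets such as //evil.example."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only when `target` resolves to a host on the allow-list."""
    if not isinstance(target, str) or not target.strip():
        return False
    target = target.strip()
    # Embedded control characters (tab, newline) are parsed inconsistently
    # by browsers and servers; refuse them outright.
    if any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" is protocol-relative
    # in the browser even though a server-side parser may see a local path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)  # urlsplit lower-cases the scheme
    # Only http(s) or scheme-less (relative) targets; rejects javascript:, data:, ...
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # Resolve relative targets against our own origin and check the final host.
    # "//evil.example" and "http://example.com@evil.example/" both resolve to
    # hostname evil.example here and are rejected.
    resolved = urlsplit(urljoin(OWN_BASE, normalised))
    if resolved.scheme not in ("http", "https"):
        return False
    return (resolved.hostname or "").lower() in allowed_hosts


def redirect_target(requested: str, default: str = "/") -> str:
    """Choose the Location for the redirect: the requested target if it
    passes validation, otherwise a safe in-application default."""
    return requested if is_safe_redirect(requested) else default
```

Logging the rejected targets from `redirect_target` gives a cheap detection signal for people probing the redirect parameter.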
Removed
Malicious File Execution – this was largely associated with PHP applications, but PHP has been updated, and frameworks are being shipped with more default security turned on to help protect against it. Just because this has dropped off the Top 10 does not mean it should be overlooked. It is still a very dangerous item.
Information Leakage and Improper Error Handling – this involves blocking stack traces and other internal-only messages from being sent to the client. I believe that this is still a very important issue because it can lead to disclosing important information, like directory structures or database schemas. I see this type of vulnerability regularly, so beware, it is still a high priority.
OWASP has done a great job of putting together a PowerPoint presentation and a PDF document outlining the Top 10 list. I encourage you to take some time and read over their materials. The OWASP Top 10 can be found at http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project