Friday, November 20, 2009

OWASP 2010 RC

OWASP has released the release candidate of the new version of the Top 10. It is now moving from a vulnerability-based to a risk-based rating system: instead of only identifying vulnerabilities, it tries to portray the attack vectors, the security weaknesses, and the real impact. Once we have all these relevant details, the missing piece needed to identify an organization's specific risk is the value of the asset.


One of the changes I wanted to see has been made: configuration weakness is now included. It is one of the most prevalent issues today. An organization may have very secure code, but if it allows insecure HTTP methods like DELETE or MKCOL in IIS, that is a welcome message to attackers.
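As an added illustration (not from the original post), the IIS 7 request-filtering section of a site's web.config can lock down the verbs the author mentions; the weak and hardened fragments below are constructed examples, not a configuration taken from any real site.

```xml
<!-- Constructed example. Weak form: no verb filtering at all, so any
     method the server or the WebDAV module understands (DELETE, MKCOL,
     PUT, ...) reaches the application. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering />
    </security>
  </system.webServer>
</configuration>

<!-- Hardened form: deny every verb that is not explicitly listed,
     and spell out the dangerous ones so the intent survives audits. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="DELETE" allowed="false" />
          <add verb="MKCOL"  allowed="false" />
          <add verb="PUT"    allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

With the hardened fragment IIS answers a blocked verb with a 404 status (sub-status 404.6), so those responses are worth alerting on in the IIS logs as a sign that someone is probing the method surface.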


This release added "unvalidated redirects", that is, redirection of users to other pages. Even though it is a considerable risk, it is difficult to exploit; I would have kept "improper error handling" right there.


Major changes are given below.  


1) We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the "Understanding Application Security Risk" page below.

2) We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This affects the ordering of the Top 10 somewhat, as you can see in the table below.

3) We replaced two items on the list with two new items:

+ ADDED: A6 - Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped because it wasn't thought of as a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10, and so now it's back.

+ ADDED: A8 - Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.

- REMOVED: A3 - Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications with this problem. PHP is now shipped with more default security, lowering the prevalence of this problem.

- REMOVED: A6 - Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal.


Note that this is only a release candidate and you are welcome to submit your comments to the OWASP team.