The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.
| OWASP Top 10 – 2007 (Previous) | OWASP Top 10 – 2010 (New) |
| --- | --- |
| A2 – Injection Flaws | A1 – Injection |
| A1 – Cross Site Scripting (XSS) | A2 – Cross-Site Scripting (XSS) |
| A7 – Broken Authentication and Session Management | A3 – Broken Authentication and Session Management |
| A4 – Insecure Direct Object Reference | A4 – Insecure Direct Object References |
| A5 – Cross Site Request Forgery (CSRF) | A5 – Cross-Site Request Forgery (CSRF) |
| <was T10 2004 A10 – Insecure Configuration Management> | A6 – Security Misconfiguration (NEW) |
| A8 – Insecure Cryptographic Storage | A7 – Insecure Cryptographic Storage |
| A10 – Failure to Restrict URL Access | A8 – Failure to Restrict URL Access |
| A9 – Insecure Communications | A9 – Insufficient Transport Layer Protection |
| <not in T10 2007> | A10 – Unvalidated Redirects and Forwards (NEW) |
| A3 – Malicious File Execution | <dropped from T10 2010> |
| A6 – Information Leakage and Improper Error Handling | <dropped from T10 2010> |