
OWASP Top 10

The 2013 OWASP Top 10 has been released, and sad to say the number one spot has not changed since the last Top 10 in 2010: Injection!

OWASP Top 10 – 2013
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

Back in 2011 I referenced Troy Hunt's excellent ebook reference for the 2010 OWASP top 10. If you didn't go get it then, download it now. 

OWASP Top 10 2013 Release Candidate

Release candidate for the 2013 OWASP Top 10:

http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf

Last-minute Xmas present

Microsoft MVP Troy Hunt has put together a free eBook on the OWASP top 10 for .Net Developers.

Go download it! It'll be the best free book you buy all year.

Security is hard right?

Security is hard right? It must be, or everybody would be doing it right. OWASP have released their new Top 10 web vulnerabilities for 2010, which still contains 7 of the items in the top 10 from 2007 and 6 items from the 2004 top ten. Progress in educating developers and eliminating some of the biggest threats seems slow. I'm not sure why.

I (along with fellow Security Circus poster Richard) recently spent a day working our way through some rather incomplete and arcane documentation from a large software vendor, trying to determine how they required SSL to be implemented both between the separate elements of their product and to the endpoint clients.
Between poor documentation, requiring OpenSSL & Java KeyStore/keytool and the software not trusting common 3rd-party CAs (such as Verisign), it was a long and frustrating experience. And that was for two guys with a reasonable understanding of PKI. For a developer or sysadmin who was new to security or unsure about PKI in general it would have been a nightmare.

The knowledge base for the product was not much better, leaving me with little doubt that while many people may understand the need for security, the 'how' can be sorely lacking - and is not helped when the software developer/vendor (or integrator) seems to have little grasp of security themselves - or a disinclination to explain the details to their customers.

It reminds me a little of a UNIX sysadmin I worked with many years ago, before I was full-time in IT, who was so secretive about the system and how it worked he had three assistants quit in 12 months out of frustration. Was it secretive paranoia or simply keeping the 'knowledge' to himself as a power trip? (personally I suspect the latter...)

While there are always elements of security and IT in general that require secrecy, the how is not one of them. Explaining how to implement security so even a home user (or my Mom!*) can easily understand it and follow the steps is a good thing.

*Actually my Mom isn't too bad with her PC!
