SlideShare a Scribd company logo

12 owasp top 10 - introduction

A
appsec

The document summarizes the OWASP Top 10 list of the most critical web application security risks. It describes how the 2013 edition was developed, including using more vulnerability data sources and earlier community involvement. The top risks were reordered and some were merged or broadened based on the OWASP risk rating methodology. Two risks from the 2010 list were merged into one in 2013, and one new risk was added around use of known vulnerable components.

Technology
1 of 7
1
2
3
4
5
6
7
OWASP Top-10 2013 The Top 10 Most Critical Web Application Security Risks https://www.owasp.org/index.php/Top_10_2013-Top_10
About the OWASP Top 10 • Not a standard… OWASP Top 10 is an Awareness Document • Was probably 3rd or 4th OWASP project First developed in 2003 • 2003, 2004, 2007, 2010, 2013 Released
OWASP Top Ten (2013 Edition)
What Didn’t Change • Title is: “The Top 10 Most Critical Web Application Security Risks” It’s About Risks, Not Just Vulnerabilities • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 OWASP Top 10 Risk Rating Methodology
OWASP Top 10 Risk Rating Methodology Threat Agent Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Business Impact ? Easy Widespread Easy Severe ?Average Common Average Moderate Difficult Uncommon Difficult Minor 1 2 3
What’s Changed? • Reordered: 7 • Added: 1 • Merged: 2 merged into 1 • Broadened: 1 Risks Added, Risks Merged, Risks Reordered • Same as 2010, but • Used more sources of vulnerability data • All vulnerability data made public by each provider Development Methodology For 2013 • More transparency • Requested vulnerability data format • Earlier community involvement Development Methodology for Next Version?
Mapping from 2010 to 2013 Top 10 OWASP Top 10 – 2010 (old) OWASP Top 10 – 2013 (New) 2010-A1 – Injection 2013-A1 – Injection 2010-A2 – Cross Site Scripting (XSS) 2013-A2 – Broken Authentication and Session Management 2010-A3 – Broken Authentication and Session Management 2013-A3 – Cross Site Scripting (XSS) 2010-A4 – Insecure Direct Object References 2013-A4 – Insecure Direct Object References 2010-A5 – Cross Site Request Forgery (CSRF) 2013-A5 – Security Misconfiguration 2010-A6 – Security Misconfiguration 2013-A6 – Sensitive Data Exposure 2010-A7 – Insecure Cryptographic Storage 2013-A7 – Missing Function Level Access Control 2010-A8 – Failure to Restrict URL Access 2013-A8 – Cross-Site Request Forgery (CSRF) 2010-A9 – Insufficient Transport Layer Protection 2013-A9 – Using Known Vulnerable Components (NEW) 2010-A10 – Unvalidated Redirects and Forwards (NEW) 2013-A10 – Unvalidated Redirects and Forwards 3 Primary Changes:  Merged: 2010-A7 and 2010-A9 -> 2013-A6  Added New 2013-A9: Using Known Vulnerable Components  2010-A8 broadened to 2013-A7

More Related Content

PDF
OWASP top10 2017, Montpellier JUG de Noel
Hubert Gregoire
 
PPTX
Hack your site before someone else does it
Taras Romanyk
 
PDF
Owasp and friends
Mažvydas Skuodas
 
PDF
Appsec training gme
Salil Kumar Subramony
 
PDF
OWASP TOP TEN 2017 RC1
Chema Alonso
 
PPTX
Pitfalls of top n lists 6 28-2017
Synopsys Software Integrity Group
 
PDF
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
PPTX
23 owasp top 10 - resources
appsec
 
OWASP top10 2017, Montpellier JUG de Noel
Hubert Gregoire
 
Hack your site before someone else does it
Taras Romanyk
 
Owasp and friends
Mažvydas Skuodas
 
Appsec training gme
Salil Kumar Subramony
 
OWASP TOP TEN 2017 RC1
Chema Alonso
 
Pitfalls of top n lists 6 28-2017
Synopsys Software Integrity Group
 
SARCON Talk - Vandana Verma Sehgal
Vandana Verma
 
23 owasp top 10 - resources
appsec
 

Similar to 12 owasp top 10 - introduction (20)

PDF
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
OWASP-Qatar Chapter
 
PDF
OWASP Top Ten 2013
Alessandro Bonu
 
PDF
Owasp top 10 2013
Aryan G
 
PDF
Owasp top 10_-_2013
Edho Armando
 
PDF
Owasp top 10 2013
Bee_Ware
 
PDF
Owasp top 10
Pensamiento Libre
 
PDF
529 owasp top 10 2013 - rc1[1]
geeksec80
 
PDF
529 owasp top 10 2013 - rc1[1]
geeksec0306
 
PDF
Owasp Top 10
Shivam Porwal
 
PPT
OWASP Top Ten
Christian Heinrich
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PPTX
In that case, we have an OWASP Top 10 opportunity...
Josh Grossman
 
PPTX
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
PDF
Ofer Maor - OWASP Top 10
CSAIsrael
 
DOCX
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
gerardkortney
 
PDF
Owasp top 10 2017 (en)
PrashantDhakol
 
PDF
OWASP_Top_10-2017_(en).pdf.pdf
SamSepiolRhodes
 
PDF
Owasp top 10-2017
malvvv
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PDF
Owasp top 10 2013 - rc1
Ajay Ohri
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
OWASP-Qatar Chapter
 
OWASP Top Ten 2013
Alessandro Bonu
 
Owasp top 10 2013
Aryan G
 
Owasp top 10_-_2013
Edho Armando
 
Owasp top 10 2013
Bee_Ware
 
Owasp top 10
Pensamiento Libre
 
529 owasp top 10 2013 - rc1[1]
geeksec80
 
529 owasp top 10 2013 - rc1[1]
geeksec0306
 
Owasp Top 10
Shivam Porwal
 
OWASP Top Ten
Christian Heinrich
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
In that case, we have an OWASP Top 10 opportunity...
Josh Grossman
 
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
Ofer Maor - OWASP Top 10
CSAIsrael
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
gerardkortney
 
Owasp top 10 2017 (en)
PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
SamSepiolRhodes
 
Owasp top 10-2017
malvvv
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
Owasp top 10 2013 - rc1
Ajay Ohri
 
Ad

More from appsec (11)

PPTX
15 owasp top 10 - a3-xss
appsec
 
PPTX
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
PPTX
11 application security fundamentals - part 2 - security mechanisms - summary
appsec
 
PPTX
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
PPTX
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
PPTX
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
PPTX
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
PPTX
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
PPTX
05 application security fundamentals - part 2 - security mechanisms - autho...
appsec
 
PPTX
02 application security fundamentals - part 1 - security priciples
appsec
 
PPTX
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 
15 owasp top 10 - a3-xss
appsec
 
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
11 application security fundamentals - part 2 - security mechanisms - summary
appsec
 
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
05 application security fundamentals - part 2 - security mechanisms - autho...
appsec
 
02 application security fundamentals - part 1 - security priciples
appsec
 
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 
Ad

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Cloud computing and distributed systems.
kkkkkhan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Approach and Philosophy of On baking technology
30anthuong17
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

12 owasp top 10 - introduction

  • 1. OWASP Top-10 2013 The Top 10 Most Critical Web Application Security Risks https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 2. About the OWASP Top 10 • Not a standard… OWASP Top 10 is an Awareness Document • Was probably 3rd or 4th OWASP project First developed in 2003 • 2003, 2004, 2007, 2010, 2013 Released
  • 3. OWASP Top Ten (2013 Edition)
  • 4. What Didn’t Change • Title is: “The Top 10 Most Critical Web Application Security Risks” It’s About Risks, Not Just Vulnerabilities • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 OWASP Top 10 Risk Rating Methodology
  • 5. OWASP Top 10 Risk Rating Methodology Threat Agent Attack Vector Weakness Prevalence Weakness Detectability Technical Impact Business Impact ? Easy Widespread Easy Severe ?Average Common Average Moderate Difficult Uncommon Difficult Minor 1 2 3
  • 6. What’s Changed? • Reordered: 7 • Added: 1 • Merged: 2 merged into 1 • Broadened: 1 Risks Added, Risks Merged, Risks Reordered • Same as 2010, but • Used more sources of vulnerability data • All vulnerability data made public by each provider Development Methodology For 2013 • More transparency • Requested vulnerability data format • Earlier community involvement Development Methodology for Next Version?
  • 7. Mapping from 2010 to 2013 Top 10 OWASP Top 10 – 2010 (old) OWASP Top 10 – 2013 (New) 2010-A1 – Injection 2013-A1 – Injection 2010-A2 – Cross Site Scripting (XSS) 2013-A2 – Broken Authentication and Session Management 2010-A3 – Broken Authentication and Session Management 2013-A3 – Cross Site Scripting (XSS) 2010-A4 – Insecure Direct Object References 2013-A4 – Insecure Direct Object References 2010-A5 – Cross Site Request Forgery (CSRF) 2013-A5 – Security Misconfiguration 2010-A6 – Security Misconfiguration 2013-A6 – Sensitive Data Exposure 2010-A7 – Insecure Cryptographic Storage 2013-A7 – Missing Function Level Access Control 2010-A8 – Failure to Restrict URL Access 2013-A8 – Cross-Site Request Forgery (CSRF) 2010-A9 – Insufficient Transport Layer Protection 2013-A9 – Using Known Vulnerable Components (NEW) 2010-A10 – Unvalidated Redirects and Forwards (NEW) 2013-A10 – Unvalidated Redirects and Forwards 3 Primary Changes:  Merged: 2010-A7 and 2010-A9 -> 2013-A6  Added New 2013-A9: Using Known Vulnerable Components  2010-A8 broadened to 2013-A7