Welcome to the OWASP Top 10 2010! This significant update presents a more concise,risk focused list of the
Top 10 MostCritical Web Application Security Risks
. The OWASP Top 10 has always been about risk, but this update makes this much moreclear than previous editions. It also provides additional information on how to assess these risks for your applications.For each item in the top 10, this release discusses the general likelihood and consequence factors that are used to categorize thetypical severity of the risk. It then presents guidance on how to verify whether you have problems in this area, how to avoidthem, some example flaws, and pointers to links with more information.The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about theconsequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protectagainst these high risk problem areas
and also provides guidance on where to go from here.
Don’t stop at 10
. There are hundreds of issues that couldaffect the overall security of a web application as discussed inthe
. This isessential reading foranyone developing web applications today. Guidance on howto effectively find vulnerabilities in web applications areprovided in theOWASP Testing GuideandOWASP Code
Review Guide, which have both been significantly updatedsince the previous release of the OWASP Top 10.
. This Top 10 will continue to change.Even
without changing a single line of your application’s code, you
may already be vulnerable to something nobody everthought of before. Please review the advice at the end of the
Top 10 in “
hat’s Next For Developers, Verifiers, and
for more information.
When you’re ready to stop chasing
Use tools wisely
. Securityvulnerabilities can be quitecomplex and buried in mountains of code. In virtually allcases, the most cost-effective approach for finding andeliminating these weaknesses is human experts armed withgood tools.
Thanks toAspect Securityfor initiating, leading, and updatingthe OWASP Top 10 since its inception in 2003, and to itsprimary authors: Jeff Williams and Dave Wichers.
We’d like to thank those organizations that
contributed theirvulnerability prevalence data to support the 2010 update:
We’d also like to thank those
who have contributed significantcontent or time reviewing this update of the Top 10:
Mike Boberski(Booz Allen Hamilton)
Juan Carlos Calderon (Softtek)
MichaelCoates (Aspect Security)
Jeremiah Grossman (WhiteHatSecurity Inc.)
Jim Manico (forall the Top 10 podcasts)
Paul Petefish (SolutionaryInc.)
Eric Sheridan (Aspect Security)
Neil Smithline (OneStopAppSecurity.com)
Andrew van derStock
Colin Watson (Watson Hall, Ltd.)
OWASP Denmark Chapter (Led by Ulf Munkedal)
OWASP Sweden Chapter(Led by John Wilander)