New and Improved OWASP Top 10 and its effects on PCI & IT Controls

On April 19, 2010 OWASP released the final version of the world renowned Top 10 list.  While the updates are not a surprise given the lengthy discussions and feedback that this updated list received it will have an impact on organizations worldwide.  In the world of payment card transaction security the standard directly states under section 6.5 to rely upon the current version of OWASP Top 10 for meeting the web application safeguards requirement.

Beyond PCI DSS there are other industry standards and organization practices that rely upon baselines, such as OWASP, to focus security efforts.
Organizations should take this opportunity to…

  1. Evaluate their Information Technology governance programs,
  2. SDLC,
  3. Change Control,
  4. Secure Coding training,
  5. Secure Code testing,
  6. Attack detection/prevention technologies

…to ensure these risks are incorporated and operate effectively.

The 2010 OWASP Top 10 include:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Please visit OWASP to take find more tools and great discussions on web application security.  Contributors are always welcome and there are chapters around the world.

Here is a link to PCI DSS
Here is a link to the OWASP Top 10 PDF


James DeLuccia


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s