On April 19, 2010, OWASP released the final version of its world-renowned Top 10 list. While the updates are no surprise given the lengthy discussions and feedback this revision received, they will have an impact on organizations worldwide. In the world of payment card transaction security, the PCI DSS standard states directly under section 6.5 that organizations are to rely upon the current version of the OWASP Top 10 to meet the web application safeguard requirements.
Beyond PCI DSS, other industry standards and organizational practices also rely upon baselines such as the OWASP Top 10 to focus security efforts.
Organizations should take this opportunity to…
- Evaluate their Information Technology governance programs,
- Change Control,
- Secure Coding training,
- Secure Code testing,
- Attack detection/prevention technologies
…to ensure these risks are incorporated and operate effectively.
The 2010 OWASP Top 10 includes:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
Please visit OWASP to find more tools and great discussions on web application security. Contributors are always welcome, and there are chapters around the world.