Top Web application security problems identified
Following a format similar to that of the annual SANS/FBI list of system vulnerabilities, the Open Web Application Security Project (OWASP) released today its list of the top 10 most critical Web application security problems. Admittedly, the list hardly reveals anything earth-shattering. A release from OWASP points out that most of the security issues are not new, but in many cases they have not yet been addressed by developers.

Programming flaws are prominent on the list, unlike the SANS list, which was dominated by configuration woes. "Web application code has so much power that it can access the database and the backend stuff; it's not enough to configure your box well, you have to look at the code," said Jeff Williams, one of the project leaders and CEO of Aspect Security, a Columbia, Maryland-based application security vendor. "That's where all the power is."

In an OWASP explainer, the organization said it deliberated over its interpretation of Web application security. The group weighed arguments about whether it should limit its list to vulnerabilities that impact only developers writing custom code, or whether it should use a broader definition that would include the entire application layer, including libraries, server configuration and application-layer protocols. In the end, OWASP went with a wide interpretation but decided against examining network and infrastructure security issues.

"With network security, the problem is that most companies are using the same components in their infrastructure. So, if there is a vulnerability, likely they are all impacted," Williams said. "That's not so with Web application code, where coding is all customized. If we were to do a real examination of the top vulnerabilities, they would not apply to everybody. I think the categories of flaws we chose are very relevant." Williams pointed out as examples that cross-site scripting and unvalidated parameter flaws, both on the OWASP list, plague a huge percentage of Web sites.
"The process of coming up with these categories involved talking to lots of experts and examining what we see frequently, and narrowing it down to this list," Williams said. "There are going to be arguments, and that's part of the purpose of this exercise. If there are arguments, then we've raised awareness." The list includes:
OWASP is a volunteer-driven open-source project that is working on software tools and documentation that focus on secure Web applications and Web services. Its work is released under the GNU public licenses. Leaders said they would update this list every six months.

For more information: SearchSecurity.com news exclusive, "Security Decisions: Applications are the new network".