What is the OWASP Top 10 Vulnerabilities list?
First issued in 2004 by the Open Web Application Security Project, the now-famous OWASP Top 10 Vulnerabilities list (included at the bottom of the article) is probably the closest that the development community has ever come to a set of commandments on how to keep their products secure.
This list represents the most relevant threats to software security today according to OWASP, to the forehead-smacking of many who wonder how SQL injections are still such a concern after all these years. They judge vulnerability types based on four criteria points: ease of exploitability, prevalences, detectability, and business impact. Interestingly enough, OWASP states that they do not actually factor into their equation the likelihood that attackers will try to exploit a certain vulnerability.
When it began, the writers decided that the best way to cover the most ground was to put similar vulnerabilities that they believed to be the most concerning into groupings. They recognized that lacking the proper statistics there could always be a question over which vulnerabilities were necessarily the top worries, especially as this can be a subjective questions as per each organization’s threat model.
However after much debate, they offered their list of what they believed to address the widest set of organizations, albeit not in any particularly order.
With time, the OWASP Top 10 Vulnerabilities list was adopted as a standard for best practices and requirements by numerous organizations, setting a standard in a sense for development. One well known adopter of the list is the payment processing standards of PCI-DSS.
Unfortunately, as the OWASP Top 10 Vulnerabilities list has reached a wider audience, its real intentions as a guide have been misinterpreted, hurting developers (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/owasp-top-10-vulnerabilities