
OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

From: Jeff Williams (at) Aspect <(at)>
Date: Sun Jan 12 2003 - 23:32:38 EST


The following press release will go out at 10 AM Monday morning. I'm thrilled that the OWASP has produced this document and I expect it to have a major impact on the way people think about web applications and security. Thanks to all those who participate in OWASP!

FOR IMMEDIATE RELEASE

OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

Washington, D.C. -- A new report detailing the ten most critical web application security problems was unveiled today by the Open Web Application Security Project. OWASP is dedicated to helping organizations understand and improve the security of their web applications and web services. Download the report from the OWASP website at http://www.owasp.org.

"The OWASP Top Ten list shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations," said Jeffrey Williams, CEO of web application security firm Aspect Security. "A stunning number of organizations spend big bucks securing the network and somehow forget about the applications."

These flaws are surprisingly common and can be exploited by unsophisticated attackers with easily available tools. When an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Therefore, web application code is part of the security perimeter and cannot be ignored.

"This list is an important development for consumers and vendors alike," said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations."

"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."

The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteer experts from across the world. Project chair Mark Curphey said, "the OWASP Top Ten Project was formed to capture our collective wisdom and present it in a way that would bring the attention web application security deserves."


Questions or comments about the OWASP Top Ten should be sent to: topten@owasp.org

Contacts:
Mark Curphey, mark@curphey.com
Jeffrey Williams, jeff.williams@aspectsecurity.com http://www.owasp.org

--Jeff

Jeff Williams, CEO
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
"The Web Application Security Specialists"
www.aspectsecurity.com

Received on Mon Jan 13 01:34:48 2003


