
Re: OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

From: Jeff Williams (at) Aspect <(at)>
Date: Sat Jan 18 2003 - 00:14:52 EST

Here's a short guide that gives guidance on how to avoid making the top ten flaws in PHP programs.
http://www.sklar.com/page/article/owasp-top-ten

--Jeff

Jeff Williams, CEO
Aspect Security, Inc.
"The Web Application Specialists"
www.aspectsecurity.com

----- Original Message -----
From: Jeff Williams @ Aspect
To: webappsec@securityfocus.com
Sent: Sunday, January 12, 2003 11:32 PM
Subject: OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

The following press release will go out at 10 AM Monday morning. I'm thrilled that the OWASP has produced this document and I expect it to have
a major impact on the way people think about web applications and security. Thanks to all those who participate in OWASP!

FOR IMMEDIATE RELEASE

OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

Washington, D.C. -- A new report detailing the ten most critical web application security problems was unveiled today by the Open Web Application Security Project. OWASP is dedicated to helping organizations
understand and improve the security of their web applications and web services. Download the report from the OWASP website at http://www.owasp.org.

"The OWASP Top Ten list shines a spotlight directly on one of the most
serious and often overlooked risks facing government and commercial organizations," said Jeffrey Williams, CEO of web application security firm Aspect Security. "A stunning number of organizations spend big bucks
securing the network and somehow forget about the applications."


These flaws are surprisingly common and can be exploited by unsophisticated attackers with easily available tools. When an organization deploys a web application, they invite the world to send HTTP
requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Therefore, web application code is part of the security perimeter and cannot be ignored.

"This list is an important development for consumers and vendors alike," said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations."

"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."

The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteer experts from across the world. Project chair Mark Curphey said, "the OWASP Top Ten Project was formed to capture our collective wisdom and present it in a way that would
bring the attention web application security deserves."

Questions or comments about the OWASP Top Ten should be sent to: topten@owasp.org

Contacts:
Mark Curphey, mark@curphey.com
Jeffrey Williams, jeff.williams@aspectsecurity.com
http://www.owasp.org

--Jeff

Jeff Williams, CEO
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
"The Web Application Security Specialists"
www.aspectsecurity.com

Received on Mon Jan 20 18:05:13 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT
