The Top 10 risks for web developers in 2010 are:
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Dave Wichers, OWASP Board member and COO of Aspect Security, has managed the project since its inception. "This year we have revamped the Top 10 to make it clear that we are talking about risks, not just vulnerabilities. Attempts to prioritize vulnerabilities without context just don't make sense. You can't make proper business decisions without understanding the threat and impact to your business." This new focus on risks is intended to lead organizations to a more mature understanding and management of application security across the whole organization.
The 2010 update draws on more sources of web application vulnerability information than previous versions did when determining the Top 10. It also presents this information more concisely, and includes strong references to the many new openly available resources that can help address each issue, particularly OWASP's new Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS) projects.