Today we have a guest post from Qualys Security Research Engineer Michael Shema.
The Open Web Application Security Project (OWASP) has updated its Top 10 list of Web Application Security Risks for 2010. The new list reflects a better understanding of how web applications are most commonly being attacked – or at least the most common risks discovered by security professionals. It’s important for organizations to understand that the list is a risk-based selection of web app vulns. For example, security misconfiguration (A6) appeared in the 2004 version, was dropped in 2007, and reappears in 2010. Also, malicious file execution (A3 from the 2007 version) was dropped because the main culprit, poorly configured and poorly written PHP apps, can benefit from improvements to the default PHP settings. However, this doesn’t mean those problems have gone away. If you haven’t upgraded your PHP installation, then your site is still highly vulnerable.
It’s still important for web site owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CSRF didn’t appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier (it takes advantage of a fundamental nature of HTML and HTTP: the browser attaches the site’s cookies to any request to that site, regardless of which page caused the request). It’s just that CSRF attacks weren’t well defined or widely understood before the list could be updated in 2007.
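To make the CSRF point concrete, here is an added example (not code from the post or from OWASP) that models a cookie-authenticated form handler two ways: once with only a session-cookie check, and once with a per-session synchronizer token that the form must carry. The in-memory session store, the `Request` dataclass and the `/transfer`-style handlers are assumptions made for this illustration. A forged cross-site submission still arrives with the victim’s cookie, but it cannot carry the token, because the token only exists in a page the other origin cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory session store: session id -> CSRF token.
# (An assumption for this example; a real app would use its session backend.)
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own HTML forms for this session."""
    return SESSIONS[sid]


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: cookies sent by the browser, form fields."""
    cookies: dict
    form: dict


def handle_transfer_unprotected(req):
    """Cookie-only check. The browser sends the cookie for any request to the
    site, so a request triggered from another origin passes this check too."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401
    return 200  # state-changing action would happen here


def handle_transfer_protected(req):
    """Synchronizer-token check: the form must echo the token bound to the
    session. Compared in constant time so the check itself leaks nothing."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return 403
    return 200


def demo():
    """Run both handlers against a legitimate and a forged submission."""
    sid = new_session()
    # Legitimate submission from the site's own form, which embedded the token.
    legit = Request(
        cookies={"session": sid},
        form={"amount": "100", "csrf_token": csrf_token_for(sid)},
    )
    # Submission auto-triggered from a page on another origin: the browser
    # still attaches the session cookie, but that page never saw the token.
    forged = Request(cookies={"session": sid}, form={"amount": "100"})
    return {
        "unprotected_legit": handle_transfer_unprotected(legit),
        "unprotected_forged": handle_transfer_unprotected(forged),
        "protected_legit": handle_transfer_protected(legit),
        "protected_forged": handle_transfer_protected(forged),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The unprotected handler returns 200 for both requests, which is the whole problem: from the server’s side the two are indistinguishable. The protected handler accepts only the request that carries the session-bound token and rejects the forged one with 403.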
Also keep in mind the Top 10 list is primarily for web site owners to understand how to improve their site’s security and to know what types of attacks seem most prolific. Some of the items, like XSS and CSRF, also target the web browser. As a visitor to a possibly insecure web site, it’s fortunately still possible to apply some defenses in the browser, whether simply keeping the browser and its plug-ins up to date or using a security plug-in like NoScript.
And while developers scour their sites for risks associated with this Top 10 list, web users need to be aware of the prevalence of malware. Malware isn’t actually an attack against the web site; the attacker needs to use some other vulnerability in order to sneak malicious code onto a web page. However, malware is still a significant concern for users who are trying to keep their personal information secure.