Late today (Friday) a preliminary update to the OWASP Top 10 for 2010 was released (click here). As most of you know, PCI compliance requires (among a bunch of other things...) that all custom code be reviewed so that it is not vulnerable to these classes of weakness.
There are some changes in ranking. A couple of new candidates are on this preliminary list:
- Security misconfiguration (in the #6 slot) had appeared in the 2004 list, but was dropped in 2007; and
- Unvalidated redirects and forwards (#8) which is new to the list.
The latter is relatively unknown and can cause significant damage.
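As an added illustration of the new #8 entry (not code from the post or from OWASP), the snippet below shows the pattern behind an unvalidated redirect and a validating helper beside it. The hostnames in the allowlist and the vulnerable `redirect()` call are assumptions: the function accepts only same-site paths and absolute URLs whose host is on the allowlist, and it rejects protocol-relative targets, backslash tricks, credential-in-URL tricks and header-injection characters.

```python
"""Unvalidated redirect versus a validated one (added example, not from the post)."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may send users to (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"

# Vulnerable pattern (the category the OWASP list is warning about):
# the value of a query parameter such as ?next=... is handed straight to the
# framework's redirect, so any absolute URL a link author chooses is honoured.
#     return redirect(request.args["next"])        # unvalidated redirect


def safe_redirect_target(target: str) -> str:
    """Return `target` if it is safe to redirect to, otherwise DEFAULT_TARGET.

    Safe means: a path on this site (starts with a single "/"), or an
    http(s) URL whose host is in ALLOWED_HOSTS. Everything else, including
    protocol-relative "//host", "/\\host", "javascript:" and
    "https://trusted@evil" forms, falls back to the default.
    """
    if not target:
        return DEFAULT_TARGET
    # CR/LF, tab or space can be used to inject a second header or to confuse
    # parsers that strip whitespace; refuse them outright.
    if any(ch in target for ch in "\r\n\t "):
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative reference. urlsplit already routes "//host" into netloc,
        # so only "/\\host" (treated as protocol-relative by browsers) and
        # bare "host/path" remain to be rejected here.
        if target.startswith("/") and not target.startswith("/\\"):
            return target
        return DEFAULT_TARGET
    # Absolute URL: require http(s) and an allowlisted host. `.hostname`
    # strips any userinfo, so "https://www.example.com@evil" resolves to evil.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return DEFAULT_TARGET


def location_header_after_login(next_param: str) -> str:
    """Build the Location header value for a post-login redirect (hypothetical helper)."""
    return safe_redirect_target(next_param)


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/x", "https://www.example.com/home",
                      "https://evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
```

A plain string prefix check ("does it start with our domain?") is not enough: `https://www.example.com.evil.example/` and `https://www.example.com@evil.example/` both pass such a check, which is why the helper parses the URL and compares the hostname exactly.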
The two that were dropped are:
- Malicious file execution (was #3) which is less prevalent today; and
- Information leakage and improper error handling (was #6) which, while still common, has less impact.
The proposed list is open to comment through December, and we can expect it to be finalized in January 2010. The timing is particularly opportune as the revision to the Top 10 comes in time to be reflected in the upcoming PCI DSS release this fall.