WebApp Sec mailing list archives

OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Sun, 12 Jan 2003 23:32:38 -0500

The following press release will go out at 10 AM Monday morning. I'm
thrilled that the OWASP has produced this document and I expect it to have
a major impact on the way people think about web applications and
security. Thanks to all those who participate in OWASP!



FOR IMMEDIATE RELEASE

OWASP Identifies Ten Most Critical Web Application Security
Vulnerabilities

Washington, D.C. -- A new report detailing the ten most critical web
application security problems was unveiled today by the Open Web
Application Security Project. OWASP is dedicated to helping organizations
understand and improve the security of their web applications and web
services. Download the report from the OWASP website at
http://www.owasp.org.

"The OWASP Top Ten list shines a spotlight directly on one of the most
serious and often overlooked risks facing government and commercial
organizations," said Jeffrey Williams, CEO of web application security
firm Aspect Security. "A stunning number of organizations spend big bucks
securing the network and somehow forget about the applications."

These flaws are surprisingly common and can be exploited by
unsophisticated attackers with easily available tools. When an
organization deploys a web application, it invites the world to send HTTP
requests. Attacks buried in these requests sail past firewalls, filters,
platform hardening, SSL, and IDS without notice because they are inside
legal HTTP requests. Therefore, web application code is part of the
security perimeter and cannot be ignored.

"This list is an important development for consumers and vendors alike,"
said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid
the same mistakes that have been repeated countless times in other web
applications. But it also gives consumers a way of asking vendors to
follow a minimum set of expectations for web application security and,
just as importantly, to identify which vendors are not living up to those
expectations."

"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous
iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The
underlying reality is shameful: most system and Web application software
is written oblivious to security principles, software engineering,
operational implications, and indeed common sense."

The Open Web Application Security Project (OWASP) is an Open Source
community project staffed entirely by volunteer experts from across the
world. Project chair Mark Curphey said, "the OWASP Top Ten Project was
formed to capture our collective wisdom and present it in a way that would
bring the attention web application security deserves."

Questions or comments about the OWASP Top Ten should be sent to:
topten () owasp org

Contacts:
Mark Curphey, mark () curphey com
Jeffrey Williams, jeff.williams () aspectsecurity com
http://www.owasp.org




--Jeff

Jeff Williams, CEO
jeff.williams () aspectsecurity com
Aspect Security, Inc.
"The Web Application Security Specialists"
www.aspectsecurity.com
