The OWASP Top 10 Web Application Security Risks is the first stop for web developers who are serious about securing their online creations. This course outlines what has changed in web security since the previous 2010 edition, and where developers should now focus their security efforts.
The Top 10 Web application security risks produced by OWASP is an evolving resource that helps organizations focus on the most prominent risks in web security today. Every few years we see a revision; the types of attacks we're witnessing change, the defenses change, and the risk and associated priority changes. OWASP adapts to this changing environment and recently made available the 2013 edition of the Top 10. This course is designed to help those who already have an awareness of the Top 10 understand what's new in the latest edition and how the landscape has changed in three short years. It also introduces the concept of "Risk Assessments" and provides further resources to help go beyond just the Top 10 risks.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Understanding the Risk Assessment

In this module, I'd like to talk about risk assessments, and it's important to understand what risk assessments are in part to give some insight into how OWASP has structured their document, but also because they're extremely useful in your everyday software development. And we're going to take a really good look at how you can do your own risk assessments and then how OWASP has done theirs in order to arrive at the Top 10 ranking. So here's what I want to cover in this module, and I want to start out by explaining where OWASP gets its data from, because it is quantifiable, measurable data that helps them arrive at this Top 10. So that's really important. We're also going to talk about what a risk really is. A risk is not an exploit, and the semantic difference between those two is quite important for understanding how this document really works. We're also going to take a look at the OWASP Risk Rating Methodology. There is actually a formal OWASP methodology, which is what we're going to walk through in this module, and this is the one that's really useful for doing your own risk assessments. Now once we've got to grips with how this Risk Rating Methodology works, we'll run through how OWASP applies it to this document, because they actually vary the risk assessment in order to create a piece of very generic material. Let's jump in and take a look at where this data is coming from.
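As an added illustration of the OWASP Risk Rating Methodology the module refers to (example code written for this page, not material from the course), the snippet below scores a finding the way the published methodology does: eight likelihood factors and eight impact factors each rated 0 to 9, averaged, bucketed into LOW/MEDIUM/HIGH, and combined through the severity matrix. The factor scores in SAMPLE are constructed for a hypothetical injection flaw in a public login form, not taken from the course.

```python
from statistics import mean

# OWASP Risk Rating Methodology factor groups; every factor is scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                           # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                         # technical impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business impact
)

# Severity matrix from the methodology: (likelihood level, impact level) -> overall risk.
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",      ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}

def level(score: float) -> str:
    """Bucket an averaged 0-9 score: <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0-9")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def factor_average(scores: dict, factors: tuple) -> float:
    """Average one factor group, rejecting missing or out-of-range ratings."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    bad = [f for f in factors if not 0 <= scores[f] <= 9]
    if bad:
        raise ValueError(f"factors outside 0-9: {bad}")
    return mean(scores[f] for f in factors)

def rate_risk(scores: dict) -> dict:
    """Return likelihood and impact averages, their levels, and the overall severity."""
    likelihood, impact = factor_average(scores, LIKELIHOOD_FACTORS), factor_average(scores, IMPACT_FACTORS)
    lik_level, imp_level = level(likelihood), level(impact)
    return {"likelihood": likelihood, "impact": impact, "likelihood_level": lik_level,
            "impact_level": imp_level, "severity": SEVERITY[(lik_level, imp_level)]}

# Constructed sample ratings for a hypothetical injection flaw in an internet-facing login form.
SAMPLE = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7, "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE))  # likelihood 8.25 (HIGH), impact 6.25 (HIGH) -> "Critical"
```

The same averaging with different weights is what lets OWASP tune the generic Top 10 ranking, as the module goes on to describe.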
What's Changed in the Top 10

Now that we've gone and taken a look at just how much stuff has happened in the information security area in the three years preceding this release of the Top 10, and we've gone through and had a really good look at how OWASP does risk assessments and how they've applied them to the Top 10 document, let's move on and look at what has actually changed for 2013. What I'd like to do is go through each of the Top 10 and we'll spend a few minutes on each one and have a look at either why nothing has changed, because that's a story in and of itself, why a risk has been consolidated, why it's been expanded, or why it has been reprioritized. And again, for each one of these changes, there's a good background reason that reflects changes in the environment, and it's worthwhile understanding what those are if you want to stay abreast of the real risks in web security in the modern day. So let's jump in and take a look at those Top 10 for 2013.