OWASP Top 10 2007
INTRODUCTION
Welcome to the OWASP Top 10 2007! This totally re-written edition lists the most serious web application
vulnerabilities, discusses how to protect against them, and provides links to more information.
AIM
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about
the consequences of the most common web application security vulnerabilities. The Top 10 provides basic
methods to protect against these vulnerabilities – a great start to your secure coding program.
Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have
changed, and without changing a line of your application’s code, you may be vulnerable. Please review the advice
in Where to go from here for more information.
A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only
possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default.
There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in
the OWASP Guide, which is essential reading for anyone developing web applications today.
This document is first and foremost an education piece, not a standard. Please do not adopt this document as a
policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure
coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.
ACKNOWLEDGEMENTS
We thank MITRE for making Vulnerability Type Distribution in CVE data freely
available for use. The OWASP Top Ten project is led and sponsored by Aspect Security.
Project Lead: Andrew van der Stock (Executive Director, OWASP Foundation)
Co-authors: Jeff Williams (Chair, OWASP Foundation), Dave Wichers (Conference Chair, OWASP Foundation)
We’d like to thank our reviewers:
Raoul Endres for help in getting the Top 10 going again and with his valuable comments
Steve Christey (MITRE) for an extensive peer review and adding the MITRE CWE data
Jeremiah Grossman (White Hat Security) for peer reviewing and contributing information about the
success (or otherwise) of automated means of detection
Sylvan von Stuppe for an exemplary peer review
Colin Wong, Nigel Evans, Andre Gironda, Neil Smithline for e-mailed comments