Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

But the Top 10 is not an application security program. Going forward, OWASP recommends that organizations establish a strong foundation of training, standards, and tools that makes secure coding possible. On top of that foundation, organizations should integrate security into their development, verification, and maintenance processes. Management can use the data generated by these activities to manage cost and risk associated with application security.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don’t hesitate to contact OWASP with your questions, comments, and ideas, either publicly to OWASP-TopTen@lists.owasp.org or privately to dave.wichers@owasp.org.

http://www.owasp.org/index.php/Top_10

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …

• Application security tools and standards
• Complete books on application security testing, secure code development, and security code review
• Standard security controls and libraries
• Local chapters worldwide
• Cutting edge research
• Extensive conferences worldwide
• Mailing lists
• And more … all at www.owasp.org

All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.

Come join us!