  OWASP Identifies Ten Most Critical Web Application Security Vulnerabilities

WASHINGTON -- Jan. 13, 2003 -- A new report detailing the ten most critical web application security problems was unveiled today by the Open Web Application Security Project.

OWASP is dedicated to helping organizations understand and improve the security of their web applications and web services. Download the report from the OWASP website at

"The OWASP Top Ten list shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations," said Jeffrey Williams, CEO of web application security firm Aspect Security. "A stunning number of organizations spend big bucks securing the network and somehow forget about the applications."

These flaws are surprisingly common and can be exploited by unsophisticated attackers with easily available tools. When an organization deploys a web application, it invites the world to send it HTTP requests. Attacks buried in those requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice, because they arrive inside syntactically legal HTTP requests that network-layer controls have no reason to reject. Therefore, web application code is part of the security perimeter and cannot be ignored.

"This list is an important development for consumers and vendors alike," said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations."

"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."

"The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteer experts from across the world," said project chair Mark Curphey. "The OWASP Top Ten Project was formed to capture our collective wisdom and present it in a way that would bring the attention web application security deserves."

Questions or comments about the OWASP Top Ten should be sent to:

. . . . . . .
Open Web Application Security Project
Mark Curphey, 781/738-0857
Aspect Security, Inc.
Jeffrey Williams, 410/707-1487


  Creativyst™ NewsEntry Press Release App   00011 © Copyright 2003 Creativyst, Inc.      
