OWASP Top 10 2017 RC 2 released


    The OWASP Top 10 list (Release Candidate 2), which ranks the most critical web application security risks, has been updated.

    The OWASP Top 10 project is referenced by many standards, tools and organizations, including MITRE, PCI DSS, DISA, the FTC, and many others. It is recognized worldwide as a methodology for assessing web application vulnerabilities and reflects the most significant threats to a web application.

    The standard is updated approximately every three years and reflects current trends in web application security. This year an interim release candidate was published first; the document described here is the final release.

    OWASP Top 10 2013


    The list of the most dangerous risks (vulnerabilities) of web applications from 2013:

    • A1 Injection
    • A2 Broken Authentication and Session Management
    • A3 Cross-Site Scripting (XSS)
    • A4 Insecure Direct Object References
    • A5 Security Misconfiguration
    • A6 Sensitive Data Exposure
    • A7 Missing Function Level Access Control
    • A8 Cross-Site Request Forgery (CSRF)
    • A9 Using Components with Known Vulnerabilities
    • A10 Unvalidated Redirects and Forwards

    OWASP Top 10 2017 RC 2 Final


    The list of the most dangerous risks (vulnerabilities) of web applications from 2017:

    • A1 Injection
    • A2 Broken Authentication
    • A3 Sensitive Data Exposure
    • A4 XML External Entities (XXE)
    • A5 Broken Access Control
    • A6 Security Misconfiguration
    • A7 Cross-Site Scripting (XSS)
    • A8 Insecure Deserialization
    • A9 Using Components with Known Vulnerabilities
    • A10 Insufficient Logging and Monitoring


    References


    OWASP project
    PDF version of OWASP Top 10 2017 RC 2 on GitHub