Kudos to Jeff Williams, Dave Wichers, and the rest of the OWASP team for pulling together the final release of the OWASP Top 10 for 2010. Obviously, a lot of thought and work has gone into this new version.
One thing that really jumps out is the document’s visual appeal. The visual enhancements in and of themselves make the OWASP Top 10 much more useful – especially for the less technical decision makers whose buy-in we need. Beauty’s only skin deep though. The real substance is in the new Top 10’s philosophy and approach. What I believe is most beneficial is the enhanced focus on risk. As I talked about here, business risk is something that’s way too easy to take for granted in the bits and bytes world in which a lot of us live and breathe.
A few key statements about risk that stand out in the document include:
• “What’s My Risk?”
Everyone’s situation is different. You’re not going to find every item in the Top 10 in every Web application. Don’t worry about what others think you should be finding or what your risk level should be but instead determine what matters in your specific environment.
• “You will have to decide how much security risk from applications you are willing to accept.”
Even though a large number of businesses are held to the same compliance standards (e.g. PCI DSS, HITECH/HIPAA, GLBA), only you and your business leaders (ideally as part of a larger security committee) will know what’s tolerable.
I like how this sentiment is shared throughout the OWASP Top 10 for 2010. The reality is you can never ever forget that – no matter what some vendor, auditor, consultant, or other “expert” tells you – your mileage will vary. What’s critical for someone else could very well be a non-issue for you and your business, hence the importance of understanding bottom line business impact and risk.
The new OWASP Top 10 2010 also has some good information on next steps for developers and “verifiers” (the people performing security assessments), including links to the Application Security Verification Standard for requirements development, the OWASP Developer’s Guide for information on building secure apps from the beginning, and the OWASP Testing Guide for techniques on finding security flaws. A couple of new things in the final release that help seal the deal are +O What’s Next for Organizations and +F Details About Risk Factors. There’s no replacement for a comprehensive risk-based application security program, and these pages will help you fill in the gaps in your own.
We’ve still got to get the word out on the OWASP Top 10. It still doesn’t have the visibility – at least with the right people – it needs and deserves. The best thing we can do is continue to spread the word outside of our information/application security circles and continue to get on the radar of developers, QA analysts, compliance managers, auditors, and executives alike. It’s not just about sharing the document with the right people but showing how it affects the business, and once improvements are being made, how it’s benefiting the business. As with any information security-related initiative, it’s always going to be a work in progress.