Last week, the OWASP team officially updated the Top 10 list of risks so as to make it relevant for the web attack vectors identified in the last three years. The OWASP Top 10 summarizes and often combines web application vulnerabilities into an easy to interpret and compact list of risks.
The way that the OWASP Top 10 is structured allows for easy categorization of any vulnerability worth discussing. Thus when discussing a new vulnerability, one can effortlessly get an idea of the likelihood that an attacker has of discovering and exploiting the vulnerability and an understanding of the impact if the vulnerability is successfully exploited.
If the same website is scanned by multiple web vulnerability scanners, the vulnerabilities reported will be different because of the following factors:
- The crawling techniques used by different vulnerability scanners means that different scanners would identify different number of pages.
- The number of vulnerabilities and the variants of the same vulnerabilities detected by each web vulnerability scanner are different.
- The number of false positives will increase the number of vulnerabilities reported in some scanners.
- Each web vulnerability scanner vendor has its way of categorizing the vulnerabilities. Thus what might be considered as critical by one scanner might be reported as medium in another scanner.
OWASP's Top 10 list provides a means for web application scanner vendors and customers to understand the impact of the vulnerabilities being reported. OWASP Top 10 is a standard that has been adopted by the web development teams of major organizations including government departments, universities, banks and financial institutions, betting companies and others. Many of these companies keep an eye out for vulnerabilities that appear in any OWASP Top 10 list.
Smaller organizations might also find the OWASP Top 10 list useful. Multiple vulnerabilities are often identified by a web application scanner when scanning a web site for the first time, making addressing all the vulnerabilities seem like an overwhelming task. Sorting the vulnerabilities using the OWASP Top 10 would give the web developers an idea of which vulnerabilities need to be tackled first.
The latest build of Acunetix released earlier today includes a new report for the OWASP Top 10 2013. Customers that have been using the OWASP Top 10 as a guideline in the past can now generate a report on the latest version of the OWASP Top 10 list. This can also be done on scans that have been completed in the past, although it is always recommended to scan your website frequently. The latest release of Acunetix also includes the detection of new vulnerabilities.