As IT security professionals we certainly have our fair share of information available to simplify the work we do. There’s the CVE dictionary, the Special Publications from NIST, and even certain regulations such as PCI DSS that can help guide us down the path of improved information security. But I can’t think of anything more beneficial in the realm of web security than the newly-updated OWASP Top 10 2013.
A free resource made available by the OWASP Foundation, the OWASP Top 10 2013 helps us to better understand, identify, and actually fix the web security flaws that mean the most. It’s detailed and prescriptive – just what IT and software development professionals need. There are several new updates to the already solid 2010 version of the OWASP Top 10 including clarification and risk reprioritization of access control flaws, session management, CSRF, and third-party software components.
But there’s additional value that the OWASP Top 10 2013 brings to the table that you may not have thought about. The OWASP Top 10 is a free and continually evolving resource that can be:
- Shared with both in-house and outside developers for software security training
- Implemented as a standard that auditors will recognize and appreciate
- A source for measuring web-related risks specific to your environment
- Used to build your information security credibility
Don’t let the new version of the OWASP Top 10 fall on deaf ears. With such a good resource at our disposal, there’s really no excuse for not making it an integral part of your software development processes and overall information risk management program.
It’s important to know that the OWASP Top 10 means different things to different people depending on their development experience, their security knowledge, and the business purpose of the applications being evaluated. The mere existence of the OWASP Top 10 won’t be enough either. You’re going to have to work for it, which means you (or someone) will have to take the lead in spreading the message, getting the right people on board, and then incorporating some or all of the OWASP Top 10 components into your software and security programs.
Be sure to also check out the additional information and tools on OWASP’s Downloads and Projects pages; they are just as valuable as the Top 10 itself. You could literally spend the next year sifting through these resources to take your web security expertise to the next level – something we could all benefit from.