Securing Web Applications: The Open Web Application Security Project
Management practices are an important part of the security mosaic, and a number of such frameworks are justifiably popular, especially ISO-17799 and COBIT. Other useful bodies of best practice are less well known than they should be, and the Open Web Application Security Project (OWASP) is one of them. Each day this week the blog will carry a post on OWASP and some of the projects the group runs, in an effort to spread the word about another high-quality resource for security management.
Today I'll post OWASP's Top 10 Web application security flaws (the 2004 edition of the list). Correcting these vulnerabilities is the place to start with any Web application.
1. Unvalidated input
2. Broken access controls
3. Broken authentication and session management
4. Cross-site scripting
5. Buffer overflow
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial of service
10. Insecure configuration management
A summary is available at the OWASP Web site, along with details on each flaw: a general description of the vulnerability, the environments affected, examples and references, methods for determining whether an application is vulnerable to it, and guidance on protecting applications against it.
Tomorrow's topic: the OWASP Report Generator, for documenting security vulnerabilities.
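To make three of the listed flaws concrete, here is an added example (my code, not OWASP's and not from the original post) that puts a vulnerable handler next to its hardened form for unvalidated input (1), cross-site scripting (4) and injection (6). It uses only the Python standard library; the users table, its two sample rows and the function names are constructed for illustration.

```python
"""Added example: OWASP Top 10 (2004) flaws 1, 4 and 6 as vulnerable code
beside hardened code. Standard library only; the table and rows are
constructed sample data, not taken from any real application."""
import html
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


# --- 6. Injection flaws -----------------------------------------------------

def lookup_user_vulnerable(conn, name):
    """Builds the SQL by string concatenation, so the caller's input
    becomes part of the query text and can change its meaning."""
    sql = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameterised query: the driver binds the value, never parses it."""
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- 1. Unvalidated input ----------------------------------------------------

# Allow-list for usernames; anything outside it is rejected server-side.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(name):
    """Positive validation on the server, before the value is used anywhere."""
    return USERNAME_RE.fullmatch(name) is not None


# --- 4. Cross-site scripting -------------------------------------------------

def greeting_vulnerable(name):
    """Reflects user input into HTML without encoding it."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Encodes for the HTML text context before reflecting the value."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both sides of each pair and return the observable results."""
    conn = make_db()
    # Injection payload: closes the string literal and makes the
    # WHERE clause true for every row.
    payload = "x' OR '1'='1"
    leaked = lookup_user_vulnerable(conn, payload)   # every row comes back
    contained = lookup_user_safe(conn, payload)      # no such name, no rows
    xss = "<script>alert(1)</script>"
    return {
        "payload_passes_validation": is_valid_username(payload),
        "leaked_rows": len(leaked),
        "contained_rows": len(contained),
        "xss_raw": greeting_vulnerable(xss),
        "xss_escaped": greeting_safe(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the pairing: parameterised queries and context-aware output encoding fix flaws 6 and 4 on their own, while the allow-list check for flaw 1 is defence in depth, since the payloads above fail validation before they reach either sink.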




Comments
Dan,
We're about to release the revised T10 for 2007. If you'd like to review it, please mail me.
Andrew
Posted by: Andrew van der Stock | January 15, 2007 2:02 AM