The new OWASP Top 10 for 2010 – Risk and Realities

Kudos to Jeff Williams, Dave Wichers, and the rest of the OWASP team for pulling together the final release of the OWASP Top 10 for 2010. Obviously, a lot of thought and work has gone into this new version.

One thing that really jumps out is the document’s visual appeal. The visual enhancements in and of themselves make the OWASP Top 10 much more useful – especially for the less technical decision makers whose approval we’re seeking. Beauty’s only skin deep though. The real substance is in the new Top 10’s philosophy and approach. The thing that I believe is most beneficial is the enhanced focus on risk. As I talked about here, business risk is something that’s way too easy to take for granted in the bits-and-bytes world in which a lot of us live and breathe.
A few key statements about risk that stand out in the document include:

• “What’s My Risk?”
Everyone’s situation is different. You’re not going to find every item in the Top 10 in every Web application. Don’t worry about what others think you should be finding or what your risk level should be but instead determine what matters in your specific environment.
• “You will have to decide (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.