OWASP Top 10 2010
The Open Web Application Security Project (OWASP) released a new top 10 list at its conference in Washington, D.C.
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 – Insufficient Transport Layer Protection
Two new items appeared in the list that were not in the Top 10 2007 list: Security Misconfiguration, and Unvalidated Redirects and Forwards. The two items that dropped out of the list are Malicious File Execution, and Information Leakage and Improper Error Handling.
The list, currently in Release Candidate stage, can be downloaded from the OWASP website.
UPDATE: The final version of the OWASP Top 10 2010 has been released.





