On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.
For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:
If you are interested, the methodology for how the Top 10 is produced is now documented here: OWASP Top 10 Development Methodology
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!
As you help us spread the word, please emphasize:
- OWASP is reaching out to developers, not just the application security community
- The Top 10 is about managing risk, not just avoiding vulnerabilities
- To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.
Introduction
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. The 2013 version was translated into even more languages.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
Changes between 2010 and 2013 Editions
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly 2010-A3)
- A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly 2010-A6)
- A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
- A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
- A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
Other 2013 Top 10 Docs
Feedback
Please let us know how your organization is using the OWASP Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!
We hope you find the information in the OWASP Top 10 useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected]. Thanks!
To join the OWASP Top 10 mailing list or view the archives, please visit the subscription page.
The OWASP Top 10 project is sponsored by 
