The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki):
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
Some changes are a little surprising in my eyes at first. Definitely not that injection is still number 1. Guess some things never change. But I think the drop of XSS from 2 to 3 and CSRF from 5 to 8 does not reflect reality. Sure, there is a little more awareness of these problems (only a little), and some Java frameworks offer (some, but improving) out-of-the-box protection. But these issues are still tough to solve and are still dangerous. And they are a good eye-catcher and easy to talk about. Hopefully that does not stop developers from thinking about them during web application development. Not that the other items are unimportant, but I can't fully agree with the order.
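To make concrete what the "out-of-the-box protection" for A3 (XSS) and A8 (CSRF) mentioned above actually has to do, here is an added, framework-free illustration written for this page; it is not code from the original post or from any OWASP project. It shows a reflected-XSS sink beside its output-encoded form, and a state-changing handler that trusts the session cookie alone beside one that checks a per-session CSRF token. The `SESSIONS` dictionary, the handler names and the request bodies are all constructed for the example.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store standing in for a framework's session
# object. Each session carries its own random CSRF token.
SESSIONS = {}


def new_session() -> str:
    """Create a session and return its id (the value a cookie would carry)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


# --- A3 Cross-Site Scripting ------------------------------------------------

def vulnerable_greeting(name: str) -> str:
    """Reflected XSS: user input is concatenated into HTML unencoded."""
    return "<p>Hello, " + name + "</p>"


def safe_greeting(name: str) -> str:
    """Same page with contextual output encoding for an HTML text node."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- A8 Cross-Site Request Forgery ------------------------------------------

def render_form(sid: str) -> str:
    """Emit the form with the session's CSRF token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def vulnerable_transfer(sid: str, body: str) -> dict:
    """CSRF-prone handler: the browser attaches the session cookie to any
    cross-site POST, so being logged in (sid valid) is all it checks."""
    if sid not in SESSIONS:
        return {"ok": False, "error": "not logged in"}
    params = parse_qs(body)
    return {"ok": True, "to": params["to"][0], "amount": int(params["amount"][0])}


def safe_transfer(sid: str, body: str) -> dict:
    """Hardened handler: the POST must carry the token bound to this session.
    A cross-site page cannot read it, so a forged request fails here."""
    if sid not in SESSIONS:
        return {"ok": False, "error": "not logged in"}
    params = parse_qs(body)
    submitted = params.get("csrf_token", [""])[0]
    expected = SESSIONS[sid]["csrf_token"]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, expected):
        return {"ok": False, "error": "csrf token missing or invalid"}
    return {"ok": True, "to": params["to"][0], "amount": int(params["amount"][0])}


if __name__ == "__main__":
    sid = new_session()
    print(vulnerable_greeting("<script>alert(1)</script>"))
    print(safe_greeting("<script>alert(1)</script>"))
    # Constructed cross-site POST: valid cookie, but no token.
    forged = "to=mallory&amount=100"
    print(vulnerable_transfer(sid, forged))
    print(safe_transfer(sid, forged))
    legit = f"csrf_token={SESSIONS[sid]['csrf_token']}&to=alice&amount=5"
    print(safe_transfer(sid, legit))
```

The two "safe" functions are exactly what a framework's templating engine and CSRF middleware do on your behalf; the point of the example is that the protection only exists where the developer routes every output through the encoder and every state-changing request through the token check, which is why these two items remain hard in practice even with framework support.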
But whatever your motivation for secure development (in case you simply need another one besides, well, security), don't take the OWASP Top 10 positions too seriously. The issue is important, not its current position. OWASP Top 10 issue 11 (whatever dropped off the list) may be your issue number 1. And even a controversial list makes developers talk about security, which is the best thing that could happen to us.
The OWASP Top 10 2013 final version should be available in May 2013.