Secure Computing OWASP

the 10 most critical web application security risks at time of release

where are these attacks going to come from

how easy is it to perform the attack

how common is the weakness

how easy is it to detect the weakness

how severe will the attack be on the infrastructure

what will be the varied costs to the business if a successful attack takes place

• input validation - never trust the user
• access surface reduction - don't give functionality if they don't need
• classification and prioritization of threats

• blacklist validation - input that should not come from a user, then blocking it
• whitelist validation - input that should come from a user, then allowing it

• spoofing
• tampering
• repudiation
• information disclosure
• denial of service
• elevation of privilege

• Forum of Incident Response and Security Teams
• ranks vulnerabilities on a scale of 1 to 10, ten being the highest

• attack the victim's browser instead of the server
• take advantage of vulnerabilities to circumvent the SOP

• A3
• Cross-site scripting
• allows attackers to execute scripts in the victim's browser.
• occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping

• A8
• cross-site request forgery
• forces the users browser to send a forged HTTP request to a vulnerable web app.
• this includes cookies and automatic authentication information

how technically skilled is this group of threat agents?

how motivated is this group of threat agents

what resources and opportunity is required for this group of threat agents?

how well know is this vulnerability to this group of threat agents?

how likely is an exploit detected