The Open Web Application Security Project (OWASP) has published its Top Ten list of web application flaws.
- Posted by: Dion Almaer
- Posted on: January 14 2003 10:36 EST
The top Web application vulnerabilities are:
- unvalidated parameters
- broken access control
- broken account and session management
- cross-site scripting (XSS) flaws
- buffer overflows
- command injection flaws
- error handling problems
- insecure use of cryptography
- remote administration flaws
- Web and application server misconfiguration
The vulnerabilities in the list aren't new but have been largely ignored in software development.
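The first item on the list, unvalidated parameters, is the one that feeds several of the others (command injection, broken access control, XSS), so it is worth seeing what "validating" actually means in code. The following is an added example, not code from OWASP or from the article: a small allow-list validator for three hypothetical request parameters (`account_id`, `report`, `page_size`; names, patterns and bounds are assumptions made for the illustration). Every parameter a handler accepts gets an anchored pattern, a length bound, a type conversion and a range check; anything unexpected, oversize or malformed is rejected before it reaches business logic.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed allow-list rules for three hypothetical request parameters.
# Each rule states exactly what a well-formed value looks like; anything
# else is rejected before it reaches a database, a shell or an HTML page.


@dataclass(frozen=True)
class Rule:
    pattern: str                                        # regex the whole raw string must match
    max_len: int                                        # upper bound on raw length (oversize input)
    convert: Optional[Callable[[str], object]] = None   # optional typing after the match
    check: Optional[Callable[[object], bool]] = None    # optional range / semantic check


RULES = {
    # numeric account id: digits only, positive, bounded
    "account_id": Rule(r"[0-9]{1,9}", 9, int, lambda v: v > 0),
    # report name: letters, digits, dash, underscore; no dots or path separators
    "report": Rule(r"[A-Za-z0-9_-]{1,32}", 32),
    # page size: small positive integer
    "page_size": Rule(r"[0-9]{1,3}", 3, int, lambda v: 1 <= v <= 100),
}


class ValidationError(ValueError):
    """Raised for any parameter that is unknown, malformed or out of range."""


def validate_params(raw: dict) -> dict:
    """Return a dict of typed, allow-listed values or raise ValidationError.

    Unknown parameter names are rejected too: server-side code should only
    ever see the names it expects, not whatever the client chose to send.
    """
    clean = {}
    for name, value in raw.items():
        rule = RULES.get(name)
        if rule is None:
            raise ValidationError(f"unexpected parameter: {name!r}")
        if not isinstance(value, str):
            raise ValidationError(f"{name}: expected a single string value")
        if len(value) > rule.max_len:
            raise ValidationError(f"{name}: value too long")
        # re.fullmatch anchors both ends, so a trailing newline or an
        # appended payload after a valid prefix cannot slip through.
        if re.fullmatch(rule.pattern, value) is None:
            raise ValidationError(f"{name}: malformed value")
        typed = rule.convert(value) if rule.convert else value
        if rule.check is not None and not rule.check(typed):
            raise ValidationError(f"{name}: out of range")
        clean[name] = typed
    return clean


def is_valid(raw: dict) -> bool:
    """Convenience wrapper: True if validate_params accepts the input."""
    try:
        validate_params(raw)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, several that must be refused.
    samples = [
        {"account_id": "42", "report": "q1_summary", "page_size": "25"},
        {"report": "../../etc/passwd"},      # path characters outside the allow-list
        {"account_id": "1 OR 1=1"},          # not a bare integer
        {"page_size": "500"},                # well-formed but out of range
        {"debug": "true"},                   # parameter the handler never asked for
    ]
    for s in samples:
        try:
            print("accepted:", validate_params(s))
        except ValidationError as exc:
            print("rejected:", exc)
```

The design point is that validation is positive, not negative: the code never tries to enumerate bad characters or attack strings, it describes the one shape each parameter is allowed to have and rejects everything else. Rejecting unknown names and checking length before running the regex are cheap habits that close the most common gaps in hand-rolled validators.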
Read CRN article about the list
Visit the OWASP community project
As developers we know these problems, but do we take enough care? Or do we worry about the deadline and "getting it done"?
The Open Web Application Security Project Plan for 2003 has an interesting section entitled "Lessons Learned":
- There are some very cool and very smart people out there
- Some things take a really long time to do, "Rome wasn't built in a day"!
- Lots of people volunteer, far less actually contribute
- Some volunteers put far more effort into a project than others
- People come and people go
- The vast majority of people really like what we are doing
- A few people don't like what we are doing
- Open Source projects can be total chaos (project management will be key in ensuring future success)
- Open Source projects work better when you have a code base to start from
- Sponsorship is difficult without a sense of some return on investment to the sponsor
Download the paper
OWASP's SourceForge Site
"Unvalidated Parameters" as flaw #1. In other words, "user input can be malformed or malicious". Really? I'd never thought of that ;-)!
However, I'm pretty sure many webapps don't guard against this problem, so thanks to OWASP for their list; sometimes it makes sense to restate the obvious.