Last updated in 2010, the list has now been republished. In the new edition cross-site scripting (XSS) and cross-site request forgery (CSRF) have each dropped a few places, while the risks grouped under broken authentication and session management have moved up a notch. Injection, the top risk in 2010, keeps its position at the head of the updated list. The 2013 Top Ten was compiled from more than half a million vulnerabilities found in thousands of applications from hundreds of organizations.
First published around 10 years ago, the OWASP Top Ten has earned a lot of respect within the security and developer communities alike. The list is revised roughly every three years and ranks the most serious risks facing web applications. Over the last few releases its focus has shifted from cataloguing specific vulnerabilities towards describing general security risks, each weighed by how likely it is to be exploited and how much damage it can do.
This year a new category dubbed “Using Known Vulnerable Components” has been created for applications that depend on libraries, frameworks, modules and other third-party components with publicly known vulnerabilities. Back in 2010 the risk arising from such components was filed under the umbrella category of “security misconfiguration”, but according to the project the problem has grown important enough to warrant its own category.
The 2013 report also has a new category dubbed “sensitive data exposure”, created by merging two 2010 categories, “insecure cryptographic storage” and “insufficient transport layer protection”. The new category covers exposure of sensitive data in general, whether it is stored without adequate protection or sent across the network without adequate protection.
Further, the 2010 list had a category named “failure to restrict URL access”. This category has been broadened to “missing function level access control”, covering authorization checks on the functions an application exposes rather than only on its URLs, since modern applications can be reached in many ways (APIs, AJAX calls, non-browser clients) and not just via the URLs a user types.
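The point of that broadening is easiest to see in code. The following is an added illustration, not code from the OWASP report: a deliberately minimal Python router (the `User` class, the routes and the `delete_user` function are all constructed for this example) first enforces authorization only by URL prefix, in the 2010 “restrict URL access” style, and then attaches the same check to the function itself so that every route reaching it is covered.

```python
"""Missing function-level access control: URL gate versus function-level check.

Added illustration, not taken from the OWASP Top Ten. The mini-router, the
users, the roles and the routes below are constructed for this example.
"""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when an authorization check fails."""


# --- Vulnerable: authorization enforced only by URL prefix ------------------

def url_gate(path: str, user: User) -> None:
    """2010-style 'failure to restrict URL access' fix: only /admin/* is guarded."""
    if path.startswith("/admin/") and "admin" not in user.roles:
        raise Forbidden(path)


def delete_user_unprotected(user_id: str) -> str:
    # The function itself carries no authorization check.
    return f"deleted {user_id}"


VULNERABLE_ROUTES = {
    "/admin/users/delete": delete_user_unprotected,
    # The same function is also wired to an API route. The URL gate never
    # looks at this path, so a plain user can call the admin function through it.
    "/api/users/delete": delete_user_unprotected,
}


def vulnerable_dispatch(path: str, user: User, user_id: str) -> str:
    url_gate(path, user)
    return VULNERABLE_ROUTES[path](user_id)


# --- Hardened: authorization attached to the function itself ----------------

def require_role(role: str):
    """Decorator that checks the caller's role on every invocation."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(fn.__name__)
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(user: User, user_id: str) -> str:
    return f"deleted {user_id}"


HARDENED_ROUTES = {
    "/admin/users/delete": delete_user,
    "/api/users/delete": delete_user,
}


def hardened_dispatch(path: str, user: User, user_id: str) -> str:
    # No URL filter at all: whichever route is used, the guarded function
    # performs the check, so adding a new route cannot silently bypass it.
    return HARDENED_ROUTES[path](user, user_id)


def demo() -> dict:
    """Run a non-admin user against both dispatchers on both routes."""
    bob = User("bob", {"user"})
    results = {}
    for label, dispatch in (("vulnerable", vulnerable_dispatch),
                            ("hardened", hardened_dispatch)):
        for path in ("/admin/users/delete", "/api/users/delete"):
            try:
                dispatch(path, bob, "42")
                results[(label, path)] = "allowed"
            except Forbidden:
                results[(label, path)] = "denied"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Running `demo()` shows the non-admin user denied on `/admin/users/delete` but allowed on `/api/users/delete` in the vulnerable version, and denied on both in the hardened one. The lesson the 2013 category captures is that the check belongs on the function (or the service method behind it), not on the path that happens to lead to it.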
You can find the OWASP Top 10 2013 here.