The release candidate for the OWASP Top Ten for 2010 has been officially released at the OWASP AppSec DC Conference today (Nov 13, 2009). This document is now up for open comment until Dec 31, 2009. We will then update the document and release a final version in early 2010, hopefully January. Please send all comments to: firstname.lastname@example.org.
The conference presentation which describes the changes, and goes through each item in the new Top 10 can be downloaded here: (OWASP Top 10 - 2010 rc1 Presentation).
Click here to download the OWASP Top 10 - 2010 rc1 itself.
The two following items are new for the 2010 RC1 list...
A6 - Security MisconfigurationThe two following items were dropped in this 2010 RC1 list...
A8 - Unvalidated Redirects and Forwards
Recently, the Web Application Security Consortium (WASC) released their Web Application Security Statistics for 2008. Given the report highlights XSS, different types of Information Leakage, SQLi and HTTP Response Splitting as the most wide spread vulnerabilities, it seems funny to me to remove "Information Leakage" from the OWASP Top Ten.
With that said, I didn't believe that OWASP went far enough to highlight the Information Leakage problem when it was in the top ten list. They directly connected it to improper error handling, which is only one type of information leakage.
Information Leakage is so much more than just detailed error message...and according to WASC, the problem is only getting worse. So why drop it now?