I am pretty late in the game to blog about this, but I am going to do it anyway, because I can ;)
As many of you know, I am a very big fan of the Open Web Application Security Project (OWASP), and OWASP recently announced the first release candidate of its Top 10 List for 2010.
Every three years the OWASP Top Ten Project is updated with the most critical web application security flaws. A Top 10 list was published for 2004 and again for 2007. They predict that the final version of the new 2010 list will be released in January.
The RC for 2010 is not that much different from the 2007 version. A few of the top 10 items have moved up or down in the list, two items have been removed and two new items have been added.
One interesting change to the project is the shift in focus. Instead of listing the top 10 vulnerabilities in web applications, they are now listing the top 10 web application security risks. The idea is that each item on the list is ranked by its estimated risk to applications rather than just by how frequently it occurs. I think that is an important distinction.