"We predict that this year a major e-commerce site will suffer a denial of service attack because the hacker has resent many of the user passwords," says Mark Curphey, chairman of OWASP and director of consulting for Foundstone, a firm offering strategic security services. The hack results when an attacker, for example, rents a high volume of email names and runs an attack that can reset the user's password on an e-commerce site.
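The failure Curphey describes is a reset endpoint that changes a password as soon as someone names a valid address, so a list of addresses is all it takes to lock users out. The following is an added illustration, not code from the article or from OWASP: `naive_reset` shows that pattern, and `ResetService` (a hypothetical class; the user store, rate-limit parameters and token lifetime are constructed for the example) shows the usual remedies, namely a short-lived single-use token that must be presented before anything changes, and a per-address request limit.

```python
import hmac
import secrets
from collections import defaultdict, deque

# Constructed sample user store (email -> password). Plaintext only to keep the
# illustration short; a real store holds salted password hashes.
USERS = {"alice@example.com": "s3cret"}


def naive_reset(email, users):
    """Vulnerable pattern: one unauthenticated request naming a valid address
    immediately replaces that user's password, so anyone holding a list of
    addresses can lock every listed user out with a script."""
    if email in users:
        users[email] = secrets.token_urlsafe(12)  # new password mailed out
        return True
    return False


class ResetService:
    """Hardened pattern: a request only issues a short-lived, single-use token;
    the password changes when that token is presented. Requests per address
    are rate limited so a flood of requests cannot disrupt accounts or mail."""

    def __init__(self, users, max_per_window=3, window_s=3600, token_ttl_s=900):
        self.users = users
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.token_ttl_s = token_ttl_s
        self._pending = {}                     # email -> (token, expiry)
        self._requests = defaultdict(deque)    # email -> request timestamps

    def _over_limit(self, email, now):
        q = self._requests[email]
        while q and now - q[0] >= self.window_s:
            q.popleft()                        # drop requests outside the window
        if len(q) >= self.max_per_window:
            return True
        q.append(now)
        return False

    def request_reset(self, email, now):
        """Return the token to be delivered out of band (e.g. by email), or None
        if nothing was issued. The web layer shows the same generic message in
        both cases so the endpoint does not reveal which addresses exist."""
        if email not in self.users or self._over_limit(email, now):
            return None
        token = secrets.token_urlsafe(32)
        self._pending[email] = (token, now + self.token_ttl_s)
        return token

    def confirm_reset(self, email, token, new_password, now):
        """Change the password only for a live, matching token, then consume it."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        expected, expiry = entry
        if now >= expiry:
            del self._pending[email]
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self._pending[email]
        self.users[email] = new_password
        return True
```

The `now` parameter is passed in rather than read from the clock so the limit and expiry behaviour can be exercised deterministically; in production it would be `time.time()`. Note that the stored password never changes on the request leg, which is what removes the lockout risk regardless of how many requests arrive.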
OWASP emerged from efforts by Curphey, when he was working in IT security for Charles Schwab, and his peers in other firms to define the major issues around securing Web sites. The resulting OWASP guide, some 200 pages long and aimed at IT security professionals and developers, was downloaded 1.5 million times over the following year. "The uptake was greater than we expected," Curphey says.
But the developers said they wanted something they could show to the CIO and other executives, so last year the group issued its first Top 10 List of Critical Web Application Security Vulnerabilities. Here is the top 10 list for 2004:
"There are challenges around Web application security," says Curphey. "Many of the issues are human logic issues which can never be found by technology. There is no silver bullet. It's a logic puzzle, a new breed of problem to be solved."