OWASP Top 10 Infrastructure Security Risks
Welcome to the OWASP Top 10 Infrastructure Security Risks - 2024
The OWASP Top 10 Infrastructure Security Risks provides information about the most important Infrastructure Security Risks, Threats and Vulnerabilities.
- ISR01:2024 – Outdated Software
- ISR02:2024 – Insufficient Threat Detection
- ISR03:2024 – Insecure Configurations
- ISR04:2024 – Insecure Resource and User Management
- ISR05:2024 – Insecure Use of Cryptography
- ISR06:2024 – Insecure Network Access Management
- ISR07:2024 – Insecure Authentication Methods and Default Credentials
- ISR08:2024 – Information Leakage
- ISR09:2024 – Insecure Access to Resources and Management Components
- ISR10:2024 – Insufficient Asset Management and Documentation
Motivation - Why is the OWASP Top 10 Infrastructure Security Risks important?
This OWASP Project aims to raise awareness and provide quality information regarding Infrastructure Security Risks, Threats and Vulnerabilities. Infrastructure Security Risks play an essential role in information security. After initial access, these vulnerabilities are the leading cause of whole companies and organizations being compromised. Even though these Threats play an important role in the cyber kill chain, they are often overlooked by companies and organizations because the attack vectors originate from the inside rather than the outside. Companies and organizations have to keep in mind that a line of defense facing only outward isn't enough. If an attacker is able to get through or around this line of defense, e.g. via phishing, and gains an initial pivot point, internal defense mechanisms are mandatory. Threat Detection and Monitoring in particular are needed to identify internal attacks and threat actors. These are the reasons why this project came to life. We want to provide useful, quality information and raise awareness about these threats in general, to improve the internal security of companies and organizations worldwide.
Open Call for Data, Next Version and Contribution
To further improve the quality and significance of the OWASP Top 10 Infrastructure Security Risks, we kindly invite you to join our Open Call for Data for 2024 and 2025. There, you can donate data, anonymously or publicly, to the Project. In the course of 2024 and 2025, we will collect all the data and then process it for 2026. This way, we plan to publish the OWASP Top 10 Infrastructure Security Risks - Version 2026 using an even more extensive dataset and further improve its quality and significance. Contributors and donors will, if they so wish, be listed as sponsors on the related project pages. We also plan on doing CVE and CWE research for vulnerabilities regarding Infrastructure Security Risks. For more information and how to contribute, please follow this link.
Notice
Release / Changelog
- Renaming - 25th October 2024 - Version 2024
- Initial Release - 13th November 2023 - Version 2023
Lead Authors and Project Leaders
- Nick Lorenz (Profile and Links: @Sharkeonix, LinkedIn: @NickLorenz)
- Tim Barsch (GitHub: :Domai, LinkedIn: @TimBarsch)
Contributors
- Tobias Neugebauer (LinkedIn: @TobiasNeugebauer)
How you can help
For Version 2026 we are making an Open Call for Data. We would be happy if you want to contribute. For more information, please visit this site.
Log issues and pull requests
Please log any corrections or issues:
Sponsors of the Project
Become an official sponsor of the project now. If you are interested, please contact the project leaders and check out the Open Call for Data page.
Open Call for Data -> OWASP Top 10 Infrastructure Security Risks - Version 2026
Motivation
To further improve the quality and significance of the OWASP Top 10 Infrastructure Security Risks, we kindly invite you to join our Open Call for Data for 2024 and 2025. There, you can contribute data, anonymously or publicly, to the project. Throughout 2024 and 2025, we will collect all the data and then process this data for use in 2026. This way, we plan to publish the OWASP Top 10 Infrastructure Security Risks - Version 2026 using an even more extensive dataset and further improve the quality and significance. If desired, contributors and donors will be recognized as sponsors on the relevant project pages. We also have plans to conduct CVE and CWE research for vulnerabilities regarding Infrastructure Security Risks.
What Data is needed?
We are looking for data regarding vulnerabilities in the context of Infrastructure Security Risks, e.g. findings from internal penetration tests or similar assessments. That way we can use the resulting dataset to evaluate which vulnerabilities arise most commonly, and are most critical, in internal IT infrastructures.
How to submit data?
To submit data, please prepare your data to fit the following CSV structure and submit it as one CSV file. The CSV can then be submitted via the linked Google Forms Document, where you need to fill in additional data.
Google Forms Document
Google Forms for Data Submission
CSV Structure
id, count, [CWE], [ISRXX:2024], (CVSS v3 score), (CVSS v3 vector), CVSS v4 score, CVSS v4 vector, title, description and details, (risk), (rectification)
- Fields with no brackets are mandatory.
- Fields with [] brackets aren’t mandatory but highly recommended, otherwise we might not be able to process and use your data.
- Fields with () brackets are optional and don't need to be filled out, but would help us in the later stages of the analysis.
Field Explanation
- id: Running identifier of the finding.
- count: How many times this finding was found.
- [CWE]: If possible, the related CWE number.
- [ISRXX:2024]: If possible, the related number of the OWASP Top 10 Infrastructure Security Risks - Version 2024.
- CVSS v3 score: The CVSS v3 score of the finding.
- CVSS v3 vector: The CVSS v3 vector of the finding.
- CVSS v4 score: The CVSS v4 score of the finding.
- CVSS v4 vector: The CVSS v4 vector of the finding.
- title: The title of the finding.
- description and details: Brief description and explanation of the finding.
- (risk): Risks resulting from the finding.
- (rectification): How to rectify the finding.
CSV Example
id, count, [CWE], [ISRXX:2024], (CVSS v3 score), (CVSS v3 vector), CVSS v4 score, CVSS v4 vector, title, description and details, (risk), (rectification)
#1, 42, CWE-1104, ISR01:2024, 10.0, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, Unsupported Windows XP client with known vulnerabilities, "A Windows XP client was found. This version of Windows from Microsoft isn't supported anymore. There are no longer any security patches and many publicly known exploits exist, including critical ones.", "Because this version of Windows is no longer supported and there are no security patches anymore, the number of known and critical exploits without a solution increases over time. These vulnerabilities can lead to the complete compromise of the system.", It is recommended to upgrade the system to an up-to-date and supported version.
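As an added example (not part of the OWASP project's own tooling), a small Python validator for a submission file in the CSV structure above. It assumes the header fields and their brackets exactly as listed, checks the mandatory and recommended fields, the CWE, ISR and CVSS base-vector formats and the score ranges, and flags rows where an unquoted comma inside a free-text field shifts the columns. The sample submission is constructed for this example.

```python
import csv, io, re

# Header exactly as given in the "CSV Structure" section above.
HEADER = ["id", "count", "[CWE]", "[ISRXX:2024]", "(CVSS v3 score)",
          "(CVSS v3 vector)", "CVSS v4 score", "CVSS v4 vector", "title",
          "description and details", "(risk)", "(rectification)"]
MANDATORY = ["id", "count", "CVSS v4 score", "CVSS v4 vector", "title",
             "description and details"]
# Format checks: CWE id, ISR id of the 2024 list, CVSS v3.x and v4.0 base vectors
# (further metric groups may follow the base part, so no trailing anchor).
FORMATS = {
    "[CWE]": re.compile(r"^CWE-\d+$"),
    "[ISRXX:2024]": re.compile(r"^ISR(0[1-9]|10):2024$"),
    "(CVSS v3 vector)": re.compile(r"^CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]"
                                   r"/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH](?:/|$)"),
    "CVSS v4 vector": re.compile(r"^CVSS:4\.0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]"
                                 r"/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](?:/|$)"),
}

def validate_row(row):
    """Return the list of problems for one parsed row (empty list = row accepted)."""
    get = lambda f: (row.get(f) or "").strip()  # missing trailing fields arrive as None
    problems = []
    if "_extra" in row:  # DictReader parks surplus fields under restkey
        problems.append("too many fields: quote free-text fields that contain commas")
    problems += [f"mandatory field {f} is empty" for f in MANDATORY if not get(f)]
    problems += [f"recommended field {f} is empty" for f in ("[CWE]", "[ISRXX:2024]") if not get(f)]
    if not (get("count").isdigit() and int(get("count")) > 0):
        problems.append("count must be a positive integer")
    problems += [f"{f} has an unexpected format: {get(f)}"
                 for f, rx in FORMATS.items() if get(f) and not rx.match(get(f))]
    problems += [f"{f} must be a number from 0.0 to 10.0" for f in ("(CVSS v3 score)", "CVSS v4 score")
                 if get(f) and not (get(f).replace(".", "", 1).isdigit() and float(get(f)) <= 10.0)]
    return problems

def validate_csv(text):
    """Parse a submission file and map each row id to its list of problems."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True, restkey="_extra")
    if reader.fieldnames != HEADER:
        return {"_header": ["header does not match the expected CSV structure"]}
    return {(row.get("id") or f"line {n}"): validate_row(row)
            for n, row in enumerate(reader, start=2)}

# Constructed sample: row #1 follows the page's example (free text quoted);
# row #2 has a malformed ISR id and an unquoted comma in its description.
SAMPLE = """\
id, count, [CWE], [ISRXX:2024], (CVSS v3 score), (CVSS v3 vector), CVSS v4 score, CVSS v4 vector, title, description and details, (risk), (rectification)
#1, 42, CWE-1104, ISR01:2024, 10.0, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, Unsupported Windows XP client, "No longer supported, no security patches.", "Known exploits, full compromise.", Upgrade to a supported version.
#2, 3, CWE-1392, ISR7:2024, , , 8.7, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N, Default credentials on printer web UI, Vendor default login accepted, never changed, Device takeover, Change the default password.
"""
```

Running `validate_csv(SAMPLE)` accepts row #1 and reports two problems for row #2 (the ISR id and the shifted columns caused by the unquoted comma).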
Metadata
When you fill out the Google Forms Document, you will also be asked to enter additional information about yourself and your data.
Further explanation is stated in the Google Forms Document.
Contact
If you have any questions regarding this process, feel free to write us an E-Mail: