With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcome - change in how the organization rates Web application security weaknesses.
The OWASP Top Ten has always been required reading for Web application developers and server administrators. But the list, as it was initially published nearly seven years ago, probably didn't mean much to the business managers and executives who need to authorize the budget, and additional time, needed to deploy reasonably secure Web applications.

One of the most profound changes, and one that shows how OWASP is maturing from its software-development-centric view to a risk view, is the inclusion of Security Misconfigurations on the list. Misconfigurations and poor system change management are among the most common - and avoidable - ways organizations shoot themselves in the security foot. Proper configuration settings, if there's any hope of keeping an application or Web server secure, must be defined and put into place - and periodically validated. Misconfigurations always belonged on the list - and it's good news to see them included.

The link for this article located at Information Week is no longer available.