What is the OWASP Top 10?
OWASP is the Open Web Application Security Project. According to OWASP’s website, it “works to improve the security of software through its community-led open-source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.”
OWASP has been the face of web application security for almost 20 years. They’ve worked tirelessly to increase the security of the web. One of the most widely known contributions to the industry is the OWASP Top 10 List.
What are the OWASP Top 10 Vulnerabilities?
A broad range of data contributed by over 40 companies, along with consensus from the security community, was used to create a list of the most critical web application vulnerabilities.
The vulnerabilities were rated based on four criteria:
- Exploitability - How easy is the weakness to exploit?
- Prevalence - How many applications have this vulnerability?
- Detectability - Is it easy to find this weakness in an application or do you have to dig?
- Technical Impact - What can an attacker do once they’ve exploited the application? For example, remote code execution, host takeover, fraud, identity theft, denial of service.
The OWASP Top 10 is a popular and effective starting point for application security. It serves to give developers a quick reference of vulnerabilities they should watch out for in their code.
Here is the latest edition (2017) of the OWASP Top 10.
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
How Do I Test for the OWASP Top 10?
Even though Web Application Firewalls watch for the OWASP Top 10 in production, it’s essential to test your applications for these vulnerabilities before they reach production. Otherwise, you’re putting a band-aid over a wound that requires stitches. An attacker who bypasses the WAF will meet no resistance.
Testing for vulnerabilities like those on the OWASP Top 10 can be done manually or via automated tools. The Top 10 has become the bare minimum requirement for automated scanning tools such as SAST and DAST scanners.
However, manual penetration testing has its place as well. OWASP created the Application Security Verification Standard and the Web Security Testing Guide to help developers and testers inspect their applications for weaknesses.
The Application Security Verification Standard (ASVS) aims to help companies develop and test security controls. It sets up a standard all can measure themselves against when designing and developing web applications. It doesn’t test for vulnerabilities. It helps you develop security controls that prevent them from appearing in the first place.
The ASVS features three levels of assurance. An application reaches level one when it defends against the OWASP Top 10 and other basic vulnerabilities. To reach level two, an application has to defend itself against more advanced attack scenarios. Level two is typically used for significant business-to-business transactions, healthcare applications, or applications that hold and use sensitive information. Level three is reserved for the most secure applications, such as those used by military and critical infrastructure.
The Web Security Testing Guide (WSTG) takes a different approach. Instead of defining security controls, it outlines a comprehensive methodology for testing applications and finding security vulnerabilities. Security researchers, penetration testers, and developers can use the WSTG to develop testing strategies and perform security assessments.
The OWASP Top 10 is a good starting point, but the ASVS and WSTG help you to apply the lessons learned from the Top 10 to specific applications.
Are These the Only Vulnerabilities I Need to Watch Out For?
The OWASP Top 10 is an excellent resource for web developers and security professionals. It provides a solid foundation and highlights major problems that have been observed in production web applications.
However, it’s dangerous to build only to prevent these ten issues. There are many types of vulnerabilities and techniques used to break into applications and steal data. For example, the 2017 OWASP Top 10 list removed Cross-Site Request Forgery (CSRF). CSRF had been on the list for many years. This doesn’t mean that you don’t need to protect against CSRF anymore. It’s still a threat.
Another reason for increased vigilance is the fast pace of change seen in web applications today. For example, the proliferation of microservices and APIs has given rise to a new breed of vulnerability that didn’t exist before. The OWASP Top 10 might not include the latest techniques used by attackers. In this specific example, the OWASP API Top 10 was created to highlight the newest issues faced by API developers.
The OWASP Top 10 isn’t an exhaustive list. It should be the bare minimum of what you defend against, but every application has specific risks based on the platforms used and the type of transactions and data it handles. Tools like the ASVS will help you to develop controls that cover more than the Top 10 vulnerabilities.
How Can I Contribute?
OWASP is always looking for help in defending web applications against attacks. There are local chapters all over the world that hold events to help educate developers and security professionals. You can become a member, donate, or even start your own project. Most projects are open source, so don’t hesitate to contribute there, too.
No matter how you contribute, consider giving back to the development community to help make the Internet a safer place for everyone.