- Silicon Design & Verification
- Silicon IP
- Software Integrity
- About Us
- Silicon Design & Verification Products
- Solutions
- Resources
- Services
- Community
- Training
- Silicon IP Products
- Solutions
- Resources
- Services
- Community
- Software Integrity
- Tools & Services
- Training & Education
- Solutions
- Resources
- Support
- Partners
- About Us
< Silicon Design & Verification Products
< Silicon Design & Verification Products
< Silicon Design & Verification Products
< Silicon Design & Verification Products
3D Image Processing
Simpleware Products
Simpleware for Life Sciences
Simpleware for Materials & Manufacturing
< Silicon Design & Verification Products
< Silicon Design & Verification Products
< overview
Silicon Design & Verification Products
+
Design
+
System Simulation & Modeling
+
Verification Continuum
+
3D Model Generation
+
Silicon Engineering
+
Optical Solutions
< Solutions
< Solutions
< Solutions
< Resources
< Resources
< Resources
< overview
< Services
< Services
< Services
< Community
Community
Community Overview
< Community
< Community
< Community
< Community
< Community
< Community
< Community
< overview
Community
+
Community
+
SNUG
+
Partners
+
EmbARC.org
+
Interoperability
+
Academic Programs
+
Company Blogs
+
BSIMM
< Training
< overview
< main menu
< Silicon IP Products
< Silicon IP Products
Memories & Libraries
Logic Libraries
Memory Compliers
Duet Packages
HPC Design Kit
Embedded Test & Repair
Non-Volatile Memory
< Silicon IP Products
< Silicon IP Products
Processor Solutions
ARC Processor IP
Embedded Vision Processor IP
Development Tools
Operating Systems
Ecosystem
ASIP Tools
< Silicon IP Products
< Silicon IP Products
< Silicon IP Products
< Silicon IP Products
< Silicon IP Products
< overview
Silicon IP Products
+
Interface IP
+
Memories & Libraries
+
Analog IP
+
Processor Solutions
+
IP Subsystems
+
Security IP
+
Market Segments
+
IP Accelerated
+
SoC Infrastructure IP
< Solutions
< Resources
< Services
< Services
< Services
< Community
Community
Community Overview
< Community
< Community
< Community
< Community
< Community
< Community
< Community
< overview
Community
+
Community
+
SNUG
+
Partners
+
EmbARC.org
+
Interoperability
+
Academic Programs
+
Company Blogs
+
BSIMM
< overview
Software Integrity
< Tools & Services
< Tools & Services
Professional Services
Strategy and Planning (BSIMM)
Architecture & Design
DevSecOps Integration
Cloud Security
Industry Solutions
< Tools & Services
Open Source Audits
< overview
< Training & Education
< Training & Education
Product Education
< overview
< Solutions
< Solutions
< Resources
< Resources
< Support
< Support
Contact Support
< Partners
< main menu
Software Integrity
+
Software Integrity
+
Tools & Services
+
Training & Education
+
Solutions
+
Resources
+
Support
+
Partners
< About Us
< About Us
< About Us
< About Us
< About Us
< About Us
Software Integrity
Learn how to customize the OWASP Top 10 to fit your firm
Posted by Synopsys Editorial Team on October 1, 2017
A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities.
Given all that, many organizations continue to download the OWASP Top 10 and try to use it to guide their software security efforts. Since this likely won’t achieve the desired result, why not use it as inspiration to create your own evidence-based, customized list?
Why is a customized vulnerability list so important?
Identifying the vulnerabilities most prevalent in your organization’s applications provides real data. Data that encourages your development and security teams to actively improve their skills and processes. However, creating a satisfactory Top N list requires more than simply sorting one day’s or one application’s bug data.
Building a list from the results of code review, various security testing methods, and actual incidents experienced by your firm and/or industry allow you to craft a holistic vulnerability list. You’ll then be better prepared to drive change that reduces risk in your organization.
Customize your own comprehensive Top N list in 4 steps
Step 1: Gather vulnerability data
To understand what you’re up against, you’ll first need to gather web application vulnerability data for a given period. Go back as far as you can with the technologies you have. Six months of data should be a minimum benchmark. Obtaining such data is easier to gather if your firm tracks security bugs in a central repository.
If no repository currently exists, identify sources that contain vulnerability data. Collect reports associated with these sources. Next, extract the vulnerabilities into a spreadsheet or another data store.
Step 2: Normalize the vulnerability data
Normalizing the vulnerability data ensures that each vulnerability instance is only counted once per application. You don’t want one bug-filled application to skew your results.
Step 3: Create a vulnerability frequency table
Using the normalized vulnerability data, create a frequency table to list the number of times a given vulnerability was identified.
Step 4: Consider additional risk factors
Once you have vulnerability frequency data, add analysis for detectability, exploitability, and the impact. For each vulnerability in your list, also add a score for each risk factor.
This eBook guides you through the process of:
- Identifying the vulnerabilities most prevalent in your organization’s applications
- Customizing your own comprehensive Top N list in four manageable steps
- Driving change that reduces risk in your organization
Set yourself apart.
This post is filed under OWASP, Security Risk Assessment, Threat Intelligence, Vulnerability Assessment.
More by this author
Subscribe via Email
Get the latest Software Integrity news, thought leadership, and more.
Categories
- Agile Methodology
- Application Security
- Automotive Security
- Black Duck by Synopsys
- Blockchain Security
- CI/CD
- CISO
- Cloud Security
- Code Review
- Containers
- Cryptography
- Customer Success
- Data Breach
- DevOps
- DevSecOps
- Dynamic Analysis (DAST)
- eLearning
- Embedded Software Testing
- Ethical Hacking
- Featured
- Financial Services Security
- Fuzz Testing
- GDPR
- Government Security
- Hacking Security
- Healthcare Security
- Industrial Control System Security
- Infographic
- Insider Threat Detection
- Insurance Provider Security
- Interactive Application Security Testing (IAST)
- Internet of Things
- JavaScript Security
- Legal
- Maturity Model (BSIMM)
- Medical Device Security
- Mobile Application Security
- Network Security
- Open Source Governance
- Open Source Licenses
- Open Source Security
- OWASP
- Penetration Testing
- Privacy
- Red Teaming
- Runtime Application Self-Protection (RASP)
- Secure Coding Guidelines
- Security Architecture
- Security Conference or Event
- Security Metrics
- Security Risk Assessment
- Security Standards and Compliance
- Security Training
- Smart Grid Security
- Software Architecture and Design
- Software Composition Analysis
- Software Development Life Cycle (SDLC)
- Software Quality
- Software Security Program Development
- Software Security Testing
- Software Testing Optimization
- Static Analysis (SAST)
- Synopsys Culture
- Threat Intelligence
- Threat Modeling
- Uncategorized
- Vendor Risk Management
- Vulnerability Assessment
- Web Application Security
- Weekly Security Mashup