Open Web Application Security Project Top 10 (OWASP Top 10)

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software. OWASP operates under an ‘open community’ model, where anyone can participate in and contribute to projects, events, online chats, and more. A guiding principle of OWASP is that all materials and information are free and easily accessed on their website, for everyone. OWASP offers everything from tools, videos, forums, projects, to events. In short, OWASP is a repository of all things web-application-security, backed by the extensive knowledge and experience of its open community contributors[i].

What is the OWASP Top 10?

OWASP Top 10 is an online document on OWASP’s website that provides a ranking of, and remediation guidance for, the top 10 most critical web application security risks. The report is based on a consensus among security experts from around the world. The risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The purpose of the report is to offer developers and web application security professionals insight into the most prevalent security risks so that they may incorporate the report’s findings and recommendations into their security practices, thereby minimizing the presence of these known risks in their applications [i].

How does OWASP Top 10 work and why is it important?

OWASP maintains the Top 10 list and has done so since 2003. Every 2-3 years the list is updated in accordance with advancements and changes in the AppSec market. OWASP’s importance lies in the actionable information it provides; it serves as a key checklist and internal Web application development standard for many of the world’s largest organizations.

Auditors often view an organization’s failure to address the OWASP Top 10 as an indication that it may be falling short with regard to compliance standards. Integrating the Top 10 into its software development life cycle (SDLC) demonstrates an overall commitment to industry best practices for secure development [i].

[Figure: comparison between the 2013 and 2017 versions of the OWASP Top 10.]

The most recent version was released in 2017 and it included significant changes to the 2013 version, as shown in the figure above. Injection issues remain among the most serious security issues in applications, and sensitive data exposure rose in importance. Some new issues were added, such as insecure deserialization, and some other issues were merged.

What are the latest OWASP Top 10 categories? What solutions are available? These can be found in the OWASP Top 10 2017 standard.

1. Injection. A code injection occurs when invalid data is sent by an attacker into a web application. The attacker’s intent in doing so is to make the application do something it was not designed to do.

  • Example: SQL injection is one of the most common injection flaws found in applications. SQL injection flaws can be caused by use of untrusted data by an application when constructing a vulnerable SQL call.
  • Solution: Source code review is the best way to prevent injection attacks. Including SAST and DAST tools in your CI/CD pipeline helps to identify injection flaws that have just been introduced. This allows you to identify and mitigate them before production deployment [i].
 

2. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly. When they are, attackers can compromise passwords, keys, and sessions. This can lead to stolen user identities and more [ii].

  • Example: A web application allows the use of weak or well-known passwords (e.g. “password1”).
  • Solution: Multi-factor authentication can help reduce the risk of compromised accounts. Automated static analysis is highly useful in finding such flaws while manual static analysis can add strength in evaluating custom authentication schemes. Synopsys’ Coverity SAST solution includes a checker that specifically identifies broken authentication vulnerabilities. 
 

3. Sensitive Data Exposure. Sensitive data exposure is when important stored or transmitted data (such as social security numbers) is compromised.

  • Example: Financial institutions that fail to adequately protect their sensitive data can be easy targets for credit card fraud and identity theft.  
  • Solution: SAST tools such as Coverity and SCA tools such as Black Duck Binary Analysis include features and checkers that identify security vulnerabilities that can result in sensitive data exposure. 
 

4. XML External Entities (XXE). Attackers are able to take advantage of web applications that use vulnerable components to process XML. Attackers are able to upload XML or include hostile commands or content within an XML document.

  • Example:  An application allows untrusted sources to perform XML uploads.
  • Solution: Static application security testing (SAST) is very helpful at detecting XXE in source code. SAST helps inspect both application configuration and dependencies.
 

5. Broken Access Control. Broken access control is when an attacker is able to get access to user accounts. The attacker is able to operate as the user or as an administrator in the system.

  • Example: An application allows a primary key to be changed. When the key is changed to another user’s record, that user’s account can be viewed or modified.
  • Solution: It is critical to use penetration testing to detect unintended access controls. Changes in architecture and design may be warranted to create trust boundaries for data access [iii].
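The changed-primary-key case above comes down to a missing server-side ownership check. The following added example (not from OWASP or Synopsys; the data, roles and function names are hypothetical) shows the unchecked lookup beside a deny-by-default version.

```python
class AccessDenied(Exception):
    """Raised when the session user may not act on the requested record."""

# Constructed sample data: account records keyed by primary key.
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.test"},
    102: {"owner": "bob", "email": "bob@example.test"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

def get_account_vulnerable(account_id):
    # Vulnerable: the primary key from the request is trusted as-is, so
    # changing 101 to 102 returns another user's record.
    return ACCOUNTS[account_id]

def authorize(session_user, account_id, action):
    """Deny by default; allow only the record owner or an admin."""
    account = ACCOUNTS.get(account_id)
    allowed = account is not None and (
        account["owner"] == session_user or ROLES.get(session_user) == "admin"
    )
    if not allowed:
        # Same error for "missing" and "not yours", so the response does not
        # reveal which ids exist.
        raise AccessDenied(f"{session_user} may not {action} account {account_id}")
    return account

def get_account(session_user, account_id):
    # The identity comes from the server-side session, never from the request.
    return dict(authorize(session_user, account_id, "read"))

def update_email(session_user, account_id, new_email):
    account = authorize(session_user, account_id, "modify")
    account["email"] = new_email
    return dict(account)

if __name__ == "__main__":
    print(get_account("alice", 101))
    try:
        get_account("alice", 102)
    except AccessDenied as err:
        print("denied:", err)
```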
 

6. Security Misconfiguration. Security misconfigurations are when design or configuration weaknesses result from a configuration error or shortcoming.

  • Example:  A default account and its original password are still enabled, making the system vulnerable to exploit.
  • Solution: Solutions like Synopsys’ Coverity SAST include a checker that identifies information exposure available through an error message [ii]. 
 

7. Cross-Site Scripting (XSS). XSS attacks occur when an application includes untrusted data on a webpage. Attackers inject client-side scripts into this webpage.

  • Example: Untrusted data in an application allows an attacker to ‘steal a user session’ and gain access to the system.
  • Solution: SAST solutions well versed in data flow analysis can be a great tool to help find these critical defects and suggest remedies. The OWASP website also provides a cheat sheet of best practices to eliminate such defects from your code. For OWASP Top 10 categories like XSS that also have a Common Weakness Enumeration (CWE) entry, Black Duck will alert teams that this is the weakness that led to the vulnerability, enabling them to better understand the vulnerability and prioritize their remediation efforts [ii].
 

8. Insecure Deserialization. Insecure Deserialization is a vulnerability where deserialization flaws allow an attacker to remotely execute code in the system.

  • Example: An application is vulnerable because it deserializes hostile objects that were supplied by an attacker.
  • Solution: Application security tools help detect deserialization flaws, and penetration testing can be used to validate the problem [ii].

9. Using Components With Known Vulnerabilities. This vulnerability’s title states its nature; it describes when applications are built and run using components that contain known vulnerabilities.

  • Example: Due to the volume of components used in development, a development team may not even know or understand the components used in their application. This can result in them being out-of-date and therefore vulnerable to attack.
  • Solution: Software composition analysis (SCA) tools like Black Duck can be used alongside static analysis to identify and detect outdated and insecure components in your application [ii]. 
 

10. Insufficient Logging And Monitoring. Logging and monitoring are activities that should be performed on a website frequently, to guarantee it is secure. Failure to adequately log and monitor a site leaves it vulnerable to more severe compromising activities.

  • Example: Events that can be audited, like logins, failed logins, and other important activities, are not logged, leading to a vulnerable application.
  • Solution: After performing penetration testing, developers can study the test logs to identify possible shortcomings and vulnerabilities. SAST solutions can also help identify unlogged security exceptions [ii].
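For the auditable events named above (logins and failed logins), this added example records each one as a structured log line and then flags repeated failures from the same source. It is not code from OWASP or Synopsys; the field names, threshold and sample events are assumptions made for illustration.

```python
import io
import json
import logging
from collections import Counter

def make_audit_logger(stream):
    """Audit logger that writes one JSON object per line to `stream`."""
    logger = logging.getLogger("audit.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger

def log_login(logger, ts, user, src, outcome):
    # json.dumps escapes newlines in user-supplied fields, so a crafted
    # username cannot forge extra log lines.
    logger.info(json.dumps(
        {"ts": ts, "event": "login", "user": user, "src": src, "outcome": outcome},
        sort_keys=True))

def failed_login_alerts(log_text, threshold=3):
    """Return sorted (user, src) pairs with at least `threshold` failed logins."""
    failures = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not audit records
        if isinstance(rec, dict) and rec.get("event") == "login" \
                and rec.get("outcome") == "failure":
            failures[(rec.get("user"), rec.get("src"))] += 1
    return sorted(pair for pair, n in failures.items() if n >= threshold)

def demo():
    # Constructed sample events (documentation IP ranges, made-up users).
    events = [
        ("2017-11-20T10:00:01Z", "alice", "203.0.113.7", "failure"),
        ("2017-11-20T10:00:03Z", "alice", "203.0.113.7", "failure"),
        ("2017-11-20T10:00:05Z", "bob", "192.0.2.10", "failure"),
        ("2017-11-20T10:00:06Z", "alice", "203.0.113.7", "failure"),
        ("2017-11-20T10:00:09Z", "bob", "192.0.2.10", "success"),
    ]
    stream = io.StringIO()
    logger = make_audit_logger(stream)
    for event in events:
        log_login(logger, *event)
    return stream.getvalue(), failed_login_alerts(stream.getvalue())
```

Without the `log_login` calls there would be nothing for `failed_login_alerts` to read, which is the gap this category describes.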

Other ways Synopsys can help

Coverity SAST + Black Duck SCA

Synopsys’ comprehensive Coverity SAST solution helps provide detailed and actionable remediation advice. Coverity’s seamless integration into your CI/CD pipelines automates testing and helps maintain development velocity. Covering 9/10 OWASP top 10 vulnerabilities, Coverity is a powerful tool in mitigating your OWASP top 10 vulnerabilities.

Paired with Black Duck SCA, which addresses the remaining OWASP vulnerability (A9), Coverity + Black Duck fully protect you from all OWASP vulnerabilities, so you can develop with confidence. For more details, see Coverity’s datasheet.

Threat Modeling

We bring to light potential weaknesses in the design of your application. Threat modeling identifies the types of threat agents that cause harm and adopts the perspective of malicious hackers to see how much damage they can do. We look beyond the typical canned list of attacks to think about new attacks or attacks that may not have otherwise been considered.

Threat Models include

  • Assets prioritized by risk
  • Threats prioritized by likelihood
  • Attacks most likely to occur
  • Current countermeasures likely to succeed or fail
  • Remediation measures to reduce the threats

Architecture Risk Analysis (ARA)

Identify flaws within your system designs to improve your security posture. Years of experience have taught us that half of the software defects that create security problems are flaws in design. Simply testing software for security vulnerabilities is insufficient and leaves you vulnerable to attack. 

 

[i] https://owasp.org/www-project-top-ten/

[ii] https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf

[iii] https://cwe.mitre.org/data/definitions/284.html