Open Web Application Security Project Top 10 (OWASP Top 10)

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit group that helps organizations develop, purchase, and maintain trustworthy software applications. It was initially created as a project to define an industry standard testing methodology for the security of Web applications. The project continues to define security recommendations, specifications, and explanations in key areas.

Security professionals can incorporate OWASP recommendations into their work. Security vendors can base products and services on OWASP standards. Consumers can use the standards as a baseline for testing applications or services they utilize.

What is the OWASP Top 10?

The OWASP Top 10 is an awareness document for Web application security. The list represents a consensus among leading security experts regarding the greatest software risks for Web applications. These risks are based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential business impact. The OWASP Top 10 also has a variety of remediation guidelines encouraging developers to mitigate vulnerabilities and code defensively.

OWASP has maintained the Top 10, as it is also known, since 2003. It was originally created to help organizations establish a starting point, determining if their security infrastructure is prepared to stand up against the top threats. The list continues to serve as a key checklist and internal Web application development standard for many of the world’s largest organizations.

The list is updated every two or three years to keep pace with changes in the AppSec market. The most recent version was released in 2013. While an update was expected in 2016, it will most likely come out in 2017.

This widely accepted set of Web application vulnerabilities is complemented by a set of secure coding and testing guidelines. Mapping application security to the OWASP Top 10 is also a widely accepted best practice. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.

What problems does the OWASP Top 10 solve?

Auditors often view an organization’s failure to address the OWASP Top 10 as an indication that it may be falling short with regard to compliance standards. Integrating the Top 10 into its software development life cycle (SDLC) demonstrates an overall commitment to industry best practices for secure development.

Most Web application attacks aren’t considered to be difficult. Hackers take advantage of vulnerabilities that experts have been aware of for years. Vulnerabilities like cross-site scripting (XSS) and SQL injection often appear in industry-valued lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors. Even a single instance of one such vulnerability can be used time and time again by hackers as an initial attack vector.

It’s also important to note that the OWASP Top 10 isn’t compliance-oriented. Rather, it’s a list of things that could go wrong. Organizations seeking to use this list might incorporate it into developer education programs. This ensures that developers understand how to correct these 10 specific vulnerabilities. Security teams also often use the Top 10 as a checklist when conducting vulnerability assessments, scouring new and modified apps for these issues. Additionally, many automated vulnerability scanners allow report generation that’s specifically tailored to this list.

Why is it critical to look beyond the OWASP Top 10 to ensure a holistic software security strategy?

The OWASP Top 10 represents the most commonly discovered security defects. Therefore, the inclusion of a vulnerability in the list depends on the tools in use to discover vulnerabilities. If certain types of vulnerabilities exist in the code but aren’t discovered by those tools, they won’t be represented in the list, regardless of their risk level.

In other words, the list identifies the most commonly identified critical risks threatening Web application security. It isn’t a comprehensive list of all software problems. All in all, the Top 10 offers a sneak peek into the problems plaguing Web application security. However, the awareness document doesn’t frame the big picture when it comes to security. Even if you’ve eradicated all ten items within your software, there’s a great chance that your software is still highly vulnerable if the Top 10 are all you’re identifying and mitigating. The creators of the list themselves tell the same story.

It’s a good practice to conduct a threat model or an architecture risk analysis of the application before it is coded. Another good practice is to review the application as it is being built using secure code analysis techniques. Once the application is built, an in-depth Web application penetration test is another way to follow up the OWASP Top 10. Manual penetration tests allow for a more thorough investigation of the Web application to find vulnerabilities that may not be present in the list.