The Open Web Application Security Project (OWASP) is a not for profit foundation which aims to improve the security of web applications. With an increase in the number of threats to online users, there is a growing need to focus on web application security. OWASP produces a number of applications, tools, learning guides and standards which contribute to the overall health of the internet and help organisations to plan, develop, maintain and operate web apps which can be trusted.
All OWASP projects, tools, documents, chapters and forums are community led and open source, they provide an opportunity to test theories or ideas and seek professional advice and support from the OWASP community. Despite being community driven and focused, they heavily support commercial security technology, help organisations to create and implement security strategies and encourage taking a proactive approach to security. This community focus allows the direction of security to consider all stakeholders. It helps organisations stay competitive and add to their credibility, gives developers more confidence in their code and protects end users data by providing methods for handling their private data.
One of the primary goals of OWASP is to educate developers, architects, managers, designers and organisation’s about the importance of web security and the consequences of neglecting it. The OWASP wiki is backed by the world’s leading security experts and has been supported by nearly two decades of research. OWASP ethical hackers have gathered vulnerabilities from hundreds of organisations and thousands of applications to share knowledge of threats, vulnerabilities and strategies for developing countermeasures. OWASP provides several example applications riddled intentionally with security flaws to train developers to avoid the pitfalls of others who have come before. OWASP will help your organisation to mitigate risk, as well as conduct threat modelling or architectural threat analysis and is therefore an important resource to network and build your security expertise.
OWASP Top 10
OWASP publishes content aiming to raise the awareness of app security and identify important risks relevant to most organisations. One of OWASPs flagship projects is the publication of the OWASP top 10, last updated in 2017 it highlights the top ten security risks across the internet.
- Injection: When untrusted data is interpreted and can be injected into a query such as SQL, OS, NOSQL or LDAP, resulting in the executing of unintended commands or unauthorised access of information.
- Broken Authentication: When user authentication and management is incorrectly handled, attackers can gain access to keys, passwords, session tokens or exploit the system to assume the identity of other users.
- Sensitive Data Exposure: Web APIs which do not protect user sensitive data run the risk of exposing financial, healthcare, PII or other sensitive information. This information requires special care because breaches can lead to identity theft, credit card fraud or other crimes.
- XML External Entities (XXE): Older or misconfigured XML processors evaluate external entities within XML documents, this can be used to disclose to disclose internal files, cause remote code execution, port scanning or denial of service attacks.
- Broken Access Control: Restrictions on authenticated users permissions levels is not always correctly enforced and cause users to access other users accounts, change permissions, view sensitive data and modify their data.
- Security Misconfiguration: The most common issue is simple Security misconfiguration which can include using insecure defaults, incomplete or ad hoc configuration and verbose error message containing sensitive information. All operating systems, frameworks, applications and libraries should be securely configured and patched when it is possible to do so.
- Cross-Site Scripting (XSS): When untrusted data in a new web page is not properly validated or escaped, attackers can use XSS to execute scripts in a users browser to hijack their session, perform unintended site actions or redirect to malicious sites.
- Insecure Deserialization: Flaws in the deserialization of APIs can cause remote code execution, replay attacks, privilege escalation attacks and injection attacks.
- Using Components with Known Vulnerabilities: Application components run with the save level of access as the application itself, therefore if a vulnerability in a component can be exploited it may compromise the applications defences against attacks.
- Insufficient Logging & Monitoring: Without sufficient logging and monitoring of an internal system and an inefficient incident response, attackers can penetrate a system and continue to get access to more systems and extract, tamper or destroy information.
One of the most effective ways security experts analyse their security is through Authentication, Authorisation and Accounting (AAA) security, however this perspective alone is not enough to consider all types of vulnerabilities. The OWASP Top 10 is important because it gives organisations a priority over which risks to focus on and helps them understand, identify, mitigate, and fix vulnerabilities in their technology. Each identified risk is prioritised according to prevalence, detectability, impact and exploitability. If you are becoming more security conscious, then committing to ensure your applications consider each of the top ten risks serves as an ideal starting point for focusing on application security.
Adopting OWASP compliance as part of your software development process and risk management policies will improve the credibility of your organisation. OWASP sets an industry standard of code review guides and frameworks which provide developers documentation for best practice of penetration testing. It also assists developers for implementing their own penetration testing guides and measure risk relative to their specific environments. Conforming to these OWASP standards and getting developers on board with becoming more security conscious will enable your organisation to better handle vulnerabilities and overall improve the quality of your applications.
Join the Open Web Application Security Project
As technology continues to make us all more connected, the complexity and need for application security becomes exponentially harder to address. If you are looking to take your security to the next level, the OWASP community and standards are the perfect place for you to start, you can join today. They will give you insight into which areas of security to pay the most attention to, educate your developers, improve their confidence and give you tools and methodologies to analyse your current technologies to determine strategies for the future.