OWASP (Open Web Application Security Project) is an open community, whose primary objective is to encourage all organizations in improving their Software Security. Being a non-profitable organization, OWASP is providing free tools, information on Security Standards, books (Application Security Testing, Secure Code Development & Secure Code Review), presentations, documents, videos, cheat sheets, research information, arranges conferences and meeting etc. Anyone interested in application security can go through all the information provided by this open community.
Few insights from the OWASP community on Security Testing:
- As the applications being developed are becoming complex day by day, the difficulty of increasing the measures for achieving application security is also increasing proportionately.
- After enormous research and feedback from various Security experts around the globe, OWASP community is publishing Top 10 vulnerabilities which is a great start for most of the organizations in getting started with their Application Security. The following is the list of OWASP Top 10 publications for 2017, 2013 and 2010
- Top 10 for 2017 – https://www.owasp.org/index.php/Top_10-2017_Top_10
- Top 10 for 2013 – https://www.owasp.org/index.php/Top_10_2013-Top_10
- Top 10 for 2010 – https://www.owasp.org/index.php/Top_10_2010-Main
- As part of above publications, OWASP is also answering the following questions:
- What’s next for Developers?
- What’s next for Security Testers?
- What’s next for Organizations?
- What’s next for Application Managers?
- OWASP Top 10 is providing basic techniques to protect applications from security vulnerabilities and guidance to explore other web application security weaknesses.
- As new flaws are getting discovered and attacks are getting refined, OWASP Top 10 list will be updated on a regular basis to publish the same.
- Don’t rely completely on tools, instead, OWASP suggests the combination of security experts and advanced security testing tools for mitigating the security weaknesses in a cost-effective way.
- Apart from the Top 10 vulnerabilities published by OWASP, there are hundreds of other issues which can affect the overall security of the applications.
OWASP Top 10 selection and prioritization: The following are the different factors considered by OWASP for prioritizing and publishing Top 10 vulnerabilities:
- Exploitation Ratio– The term exploitation is used to represent an attack which is performed to take advantage of a vulnerability. Hence based on the exploitation happened on different vulnerabilities, the OWASP Top 10 vulnerabilities list is getting published.
- Detectability Ratio – Based on the detectability of these vulnerabilities.
- Impact Ratio – Based on the impact of these vulnerabilities when they are exploited by attackers.
- Surveys – Information gathered from various security surveys.
OWASP Top 10 vulnerabilities (published in 2003 – 2017): The following are the Top 10 vulnerabilities published by OWASP in a timely manner:
- OWASP Top 10 – 2017
- A1. Injection
- A2. Broken Authentication
- A3. Sensitive Data Exposure
- A4. XML External Entities (XXE)
- A5. Broken Access Control
- A6. Security Misconfiguration
- A7. Cross-Site Scripting (XSS)
- A8. Insecure Deserialization
- A9. Using Components with Known Vulnerabilities
- A10. Insufficient Logging&Monitoring
- OWASP Top 10 – 2013
- A1. Injection
- A2. Broken Authentication and Session Management
- A3. Cross-Site Scripting (XSS)
- A4. Insecure Direct Object References
- A5. Security Misconfiguration
- A6. Sensitive Data Exposure
- A7. Missing Function Level Access Control
- A8. Cross-Site Request Forgery (CSRF)
- A9. Using Components with Known Vulnerabilities
- A10. Unvalidated Redirects and Forwards
- OWASP Top 10 – 2010
- A1. Injection
- A2. Cross Site Scripting (XSS)
- A3. Broken Authentication and Session Management
- A4. Insecure Direct Object References
- A5. Cross-Site Request Forgery (CSRF)
- A6. Security Misconfiguration
- A7. Insecure Cryptographic Storage
- A8. Failure to Restrict URL Access
- A9. Insufficient Transport Layer Protection
- A10. Unvalidated Redirects and Forwards
- OWASP Top 10 – 2007
- A1. Cross Site Scripting (XSS)
- A2. Injection Flaws
- A3. Malicious File Execution
- A4. Insecure Direct Object Reference
- A5. Cross-Site Request Forgery (CSRF)
- A6. Information Leakage and Improper Error Handling
- A7. Broken Authentication and Session Management
- A8. Insecure Cryptographic Storage
- A9. Insecure Communications
- A10. Failure to Restrict URL Access
- OWASP Top 10 – 2004
- A1. Unvalidated Input
- A2. Broken Access Control
- A3. Broken Authentication and Session Management
- A4. Cross Site Scripting
- A5. Buffer Overflow
- A6. Injection Flaws
- A7. Improper Error Handling
- A8. Insecure Storage
- A9. Application Denial of Service
- A10. Insecure Configuration Management
- OWASP Top 10 – 2003
- A1. Unvalidated Input
- A2. Broken Access Control
- A3. Broken Authentication and Session Management
- A4. Cross Site Scripting
- A5. Buffer Overflow
- A6. Injection Flaws
- A7. Improper Error Handling
- A8. Insecure Storage
- A9. Remote Administration Flaws
- A10. Security Misconfiguration
The following diagram depicts the OWASP Top 10 Vulnerabilities published from 2003 to 2017:
Reference Articles/Websites: The following are the reference articles/websites:
Conclusion: OWASP is a non-profit community, whose primary objective is to encourage respective organizations in implementing Software security. As part of this initiative, OWASP is providing information and tools for free. Though there are hundreds of vulnerabilities, OWASP is publishing top 10 vulnerabilities on a regular basis, which will help the organizations in getting started with their Application Security and taking basic security measures in making their applications secure.
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)
