The OWASP Top 10 project is the flagship of the Open Web Application Security Project. The OWASP Foundation is a not-for-profit charitable organization that’s mission is to enable organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The OWASP Top 10 is an awareness document that forms a top 10 list of the most critical security risks based on a global consensus. The list is revised every 3-4 years based on current threats and industry trends. Within the OWASP foundation, several projects aim to make the web safer and more secure, including the OWASP Mobile Top 10 Risks, and the Top 10 Proactive Controls.
What are the OWASP Top 10 Security Risks for 2017?
The OWASP Top 10 Security Risks are subject to regular updates based on a global consensus from contributing organizations. As web application architectures evolved over the past four years, the OWASP foundation has had to enhance its methodology and the top 10 to adapt. This has led to the introduction of three new entries to the top 10, and the merger of two from the year prior. The OWASP Top 10 for 2017 include the following
A1:2017-Injection: Occur when developers use untrusted data from the web user to form a command or query, enabling an attacker to run unintended code or obtain unauthorized access to data.
A2:2017-Broken Authentication: Caused by the insecure implementation of authentication and session management, enabling an attacker to compromise credentials or assume other users’ access to obtain unauthorized access.
A3:2017-Sensitive Data Exposure: Present in applications that do not restrict access to sensitive information and enable an attacker to compromise without appropriate security controls.
A4:2017-XML External Entities (XXE) [NEW]: Occurs in environments that make use of older XML processors and can enable unauthorized access to internal files, open connections, execute code or impact the availability of the application.
A5:2017-Broken Access Control [Merged]: Primarily caused by the implementation of custom access control solutions resulting in the ability for an attacker to access other users’ accounts, data, or perform sensitive operations on another user’s account.
A6:2017-Security Misconfiguration: Commonly the result of default/insecure configuration and verbose error messages, including sensitive information.
A7:2017-Cross-Site Scripting (XSS): Occurs whenever an application includes untrusted data in response without proper validation or encoding, resulting in an attacker being able to execute scripts in the victim’s browser which may lead to unauthorized access.
A8:2017-Insecure Deserialization [NEW]: Similar to A1:2017-Injection, this vulnerability occurs when application deserializes untrusted user data, often leading to remote code execution.
A9:2017-Using Components with Known Vulnerabilities: Typically found when libraries, frameworks and other software used to run the application are not adequately maintained, which may result in data loss or unauthorized access.
A10:2017-Insufficient Logging & Monitoring [NEW]: Often occurs as a result of insufficient logging or ineffective integration with incident response and allows an attacker to maintain access to the compromised environment for a more extended period.
What is the purpose of the OWASP Top 10?
The OWASP Top 10 is the minimum level of coverage. The foundation itself calls out ‘Don’t stop at 10’ on the third page of the OWASP Top 10 document. Don’t stop at ten outlines that there are hundreds of issues that may impact the security of your web applications; we agree, which is why the Packetlabs team will always provide coverage beyond the OWASP Top 10. The OWASP Top 10 is a list of the most severe web application security risks based on a broad array of organizations. They are generally easy to exploit, prevent in customer environments, easy to detect and have a critical impact on the organization if compromised.
When present in a web application, OWASP Top 10 vulnerabilities pose a significant risk and organizations should prioritize addressing them before others given their significant impact. Top 10 risks are often medium to high-risk findings which lead to unauthorized access. It is critical that they are remediated or their risk reduced with compensating controls wherever possible.
How do I test my web applications against the OWASP Top 10?
The risk associated with having OWASP Top 10 Security Risks in your applications cannot be overstated, but how do you know if you have them? Test your applications. It is essential to thoroughly test your applications and identify any/all exceptions to the OWASP Top 10. Proper testing makes use of both manual and automated testing techniques and should be performed by a qualified resource, whether internal or third-party.
Use tools wisely. Security vulnerabilities can be quite complex and deeply buried in code. In many cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with advanced tools. Relying on tools alone provides a false sense of security and is not recommended.
The OWASP Foundation
The OWASP Foundation provides a methodology for performing application security testing, which serves as a great starting place for most assessments. Applications can be tested with static or dynamic test types. Sound confusing? Static testing is an assessment or review of your source code. The purpose is to identify vulnerabilities at a line-of-code level. Dynamic testing occurs when the application is running on a web server. It is the most realistic as it takes into consideration the webserver configuration and the sensitivity of data.
To summarize, the OWASP Top 10 Security Risks should be the starting point for all organizations that run web applications, regardless of whether the information they store or process is sensitive. Sensitive data is not always the target, and the impact of a compromised applications stretches beyond encompassing your customers, clients, readers, and employees. With the ever-increasing number of breaches reported, and the severe consequences via fines, impact to your brand, Application Security Testing must be integrated into your software development lifecycle (SDLC).
At Packetlabs, we test applications every single day and cover a wide range of industries that helps us connect the dots and uncover vulnerabilities in applications that may have been otherwise overlooked until a breach occurred. It is essential to validate the qualifications of the team who perform testing for you to assure your customers and employees that the application is secure. If you have any questions we can help answer, please do not hesitate to contact us. We’d love to learn more about your organization and how we can help.