What is OWASP and the OWASP Top 10?
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. The OWASP Top 10 represents a broad consensus on the most critical web application security flaws. The flaws on this list occur frequently in web applications and are often easy to find and easy to exploit. They are dangerous because they frequently allow attackers to completely take over your software, steal data, or prevent your software from working at all.
Meeting OWASP Compliance Standards is the First Step Toward Secure Code
Web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report). Yet many organizations struggle to implement an application security program because they simply don’t know where to start. Setting policies based on eliminating OWASP Top 10 vulnerabilities is an excellent starting point – these vulnerabilities are widely accepted as the most likely to be exploited, and remediating them will greatly decrease your risk of breach. For more details, see The Ultimate Guide to Getting Started with Application Security.
Our research reveals that applications are continuing to emerge in production with OWASP Top 10 vulnerabilities (see chart below), even as the news headlines about data breaches proliferate. One reason for this disconnect is the misconceptions around what application security is, and is not. A one-time scan or pen test of a handful of business-critical apps is not effective application security. A program that continuously assesses the applications an organization builds, buys or assembles — from inception to production — is effective application security. Find out more about application security misconceptions with our Application Security Fallacies and Realities guide.
[Chart: percentage of applications that pass the OWASP Top 10 policy]
As development speed has increased, so has the reliance on third-party apps and code. Yet, as the chart below shows, third-party applications also continue to feature a significant number of OWASP Top 10 vulnerabilities. This chart reinforces the fact that organizations should have policies that require third-party software to adhere to the same standards as internally developed software. Many organizations are increasingly turning to outside security experts who can work with their software supply chains to ensure these policies are being met.
[Chart: OWASP Top 10 vulnerability prevalence, internally developed vs. commercial applications]
Application security affects all organizations in all industries, but our research has found that different OWASP Top 10 flaws are more prevalent in different industries. Organizations should use this information to shift their focus to the most pressing issues facing their particular sector. Check out our State of Software Security: Focus on Industry Verticals for details.
A Guide to Testing for the OWASP Top 10
As software increases in importance, and breaches continue to proliferate through the application layer, organizations will need a new approach to security. An application security program that uses a mix of technologies and services to secure the entire application landscape, and each application throughout its lifecycle, is becoming a necessity. This mix should include:
- Tools and processes that enable developers to find and fix vulnerabilities while they are coding
- Third-party security
- Software composition analysis
- Dynamic analysis
- Static analysis
- Runtime protection
- Web perimeter monitoring
Get started with our Ultimate Guide to Getting Started With Application Security.
VERAFIED Security Mark for the OWASP TOP 10
Although the Veracode Platform detects hundreds of software security flaws, we focus sharply on finding the problems that are “worth fixing”. The OWASP Top 10 is a list of flaws so prevalent and severe that no web application should be delivered to customers without some evidence that the software does not contain these errors.
The following table lists the 2013 OWASP Top 10. Automated analysis for the technical flaws in this list is used to achieve the VERAFIED security mark; manual penetration testing adds coverage of business logic and design errors and is required for the VERAFIED HIGH ASSURANCE security mark.
| Rank | OWASP Top 10 (2013) |
|---|---|
| A1 | Injection |
| A2 | Broken Authentication and Session Management |
| A3 | Cross-Site Scripting (XSS) |
| A4 | Insecure Direct Object References |
| A5 | Security Misconfiguration |
| A6 | Sensitive Data Exposure |
| A7 | Missing Function Level Access Control |
| A8 | Cross-Site Request Forgery (CSRF) |
| A9 | Using Components with Known Vulnerabilities |
| A10 | Unvalidated Redirects and Forwards |
OWASP urges all companies to be aware of these concerns within their organization and start the process of ensuring that their web applications do not contain these flaws.