What is OWASP and the OWASP Top 10?
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. The OWASP Top 10 Web Application Security Risks was updated in 2017 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are also easy to exploit. These 10 application risks are dangerous because they may allow attackers to plant malware, steal data, or completely take over your computers or web servers.
Meeting OWASP Compliance Standards is the First Step Toward Secure Code
Web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report). Yet many organizations struggle to implement an application security program because they simply don’t know where to start. Setting policies based on eliminating OWASP Top 10 vulnerabilities is an excellent starting point – these vulnerabilities are widely accepted as the most likely to be exploited, and remediating them will greatly decrease your risk of breach. For more details, see The Ultimate Guide to Getting Started with Application Security.
Our research reveals that applications continue to fail OWASP Top 10 policy (see chart below), even though these security vulnerabilities are easy to find and fix. One reason for this disconnect is that developers are not well trained in cybersecurity and secure coding practices. Security teams also have misconceptions around what application security is, and is not. A one-time scan or pen test of a handful of business-critical apps is not effective application security. A program that continuously assesses the applications an organization builds, buys or assembles — from inception to production — is effective application security. Find out more about application security misconceptions with our Application Security Fallacies and Realities guide.
As development speed has increased, so has the reliance on third-party apps and code. Yet, as the chart below shows, third-party applications fail OWASP Top 10 policy more frequently than internally developed apps. This chart reinforces the fact that organizations should have policies that require third-party software to adhere to the same standards as internally developed software. Many organizations are increasingly turning to outside security experts that can work with their software supply chains to ensure these policies are being met.
Application security affects all organizations in all industries, but our research has found that different OWASP Top 10 flaws are more prevalent in different industries. Organizations should use this information to shift their focus to the most pressing issues facing their particular sector. Check out our State of Software Security report for details.
A Guide to Testing for the OWASP Top 10
As software increases in importance, and attackers continue to target the application layer, organizations will need a new approach to security. An application security program that uses a mix of technologies and services to secure the entire application landscape, and each application throughout its lifecycle, is becoming a necessity. This mix should include:
- Tools and processes that enable developers to find and fix vulnerabilities while they are coding
- Third-party security
- Software composition analysis
- Dynamic analysis
- Static analysis
- Runtime protection
- Web perimeter monitoring
Get started with our Ultimate Guide to Getting Started With Application Security.
OWASP Top 10 Web Application Security Risks
Although the Veracode Platform detects hundreds of software security flaws, we provide a razor focus on finding the problems that are “worth fixing.” The OWASP Top 10 is a list of flaws so prevalent and severe that no web application should be delivered to customers without some evidence that the software does not contain these errors.
The following identifies each of the OWASP Top 10 Web Application Security Risks, and offers solutions and best practices to prevent or remediate them.
Injection flaws, such as SQL injection, LDAP injection, and CRLF injection, occur when an attacker sends untrusted data to an interpreter that is executed as a command without proper authorization.
* Application security testing can easily detect injection flaws. Developers should use parameterized queries when coding to prevent injection flaws.
2. Broken Authentication and Session Management
Incorrectly configured user and session authentication could allow attackers to compromise passwords, keys, or session tokens, or take control of users’ accounts to assume their identities.
* Multi-factor authentication, such as FIDO or dedicated apps, reduces the risk of compromised accounts.
3. Sensitive Data Exposure
Applications and APIs that don’t properly protect sensitive data such as financial data, usernames and passwords, or health information, could enable attackers to access such information to commit fraud or steal identities.
* Encryption of data at rest and in transit can help you comply with data protection regulations.
4. XML External Entity
Poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks including remote code execution, and to disclose internal files and SMB file shares.
* Static application security testing (SAST) can discover this issue by inspecting dependencies and configuration.
5. Broken Access Control
Improperly configured or missing restrictions on authenticated users allow them to access unauthorized functionality or data, such as accessing other users’ accounts, viewing sensitive documents, and modifying data and access rights.
* Penetration testing is essential for detecting non-functional access controls; other testing methods only detect where access controls are missing.
6. Security Misconfiguration
This risk refers to improper implementation of controls intended to keep application data safe, such as misconfiguration of security headers, error messages containing sensitive information (information leakage), and not patching or upgrading systems, frameworks, and components.
* Dynamic application security testing (DAST) can detect misconfigurations, such as leaky APIs.
7. Cross-Site Scripting
Cross-site scripting (XSS) flaws give attackers the capability to inject client-side scripts into the application, for example, to redirect users to malicious websites.
* Developer training complements security testing to help programmers prevent cross-site scripting with best coding best practices, such as encoding data and input validation.
8. Insecure deserialization
Insecure deserialization flaws can enable an attacker to execute code in the application remotely, tamper or delete serialized (written to disk) objects, conduct injection attacks, and elevate privileges.
* Application security tools can detect deserialization flaws but penetration testing is frequently needed to validate the problem.
9. Using Components With Known Vulnerabilities
Developers frequently don’t know which open source and third-party components are in their applications, making it difficult to update components when new vulnerabilities are discovered. Attackers can exploit an insecure component to take over the server or steal sensitive data.
* Software composition analysis conducted at the same time as static analysis can identify insecure versions of components.
10. Insufficient Logging and Monitoring
The time to detect a breach is frequently measured in weeks or months. Insufficient logging and ineffective integration with security incident response systems allow attackers to pivot to other systems and maintain persistent threats.
* Think like an attacker and use pen testing to find out if you have sufficient monitoring; examine your logs after pen testing.