Secret ingredients to quality software


Do you stay safe against the OWASP Top 10?

Created on 13 May 2016 | Last updated by Matt Goldman on 26 Nov 2019 05:24 AM (over 1 year ago)

The Open Web Application Security Project (OWASP) is a non-profit charity organization whose purpose is to enable other organizations to develop applications that can be trusted.  Their most prominent piece of literature is the OWASP Top 10, a list of the most critical security risks to web applications.  It is a "living" list: it is revised periodically as new classes of vulnerability emerge and existing ones become more or less common.

OWASP Top 10 2017

The current OWASP Top 10 states the following are the top risks for web applications today. Knowing and securing against these will give the biggest bang-for-buck in securing your website.

  • **Injection:** Being able to execute arbitrary SQL, LDAP or other queries and commands via your application, because untrusted input is concatenated into them instead of being passed as a parameter
  • **Broken authentication and session management:** Exploiting weak login and session handling (guessable credentials, predictable session IDs, sessions that never expire).  See our other rules for better security
  • **Sensitive data exposure:** Storing or transmitting sensitive data (passwords, card numbers, personal information) in a way that can easily be retrieved and abused, for example unencrypted or with weak hashing
  • **XML External Entities (XXE):** Exposing internal files or sensitive information through poorly configured external entity references in XML documents
  • **Broken Access Control:** Exploiting poorly enforced authorisation rules to access unauthorised data or functionality, such as another user's records or admin pages
  • **Security Misconfiguration:** Insecure default configurations, misconfigured HTTP headers and verbose error messages containing sensitive information
  • **Cross-site scripting (XSS):** Executing arbitrary JavaScript in a victim's browser, often by reflecting unescaped user input into a web page
  • **Insecure Deserialization:** Deserialising untrusted data without validation can lead to remote code execution or other payload attacks
  • **Using components with known vulnerabilities:** Applications and APIs that use libraries or frameworks with known vulnerabilities inherit those vulnerabilities, which may undermine application defences and enable various attacks
  • **Insufficient Logging & Monitoring:** Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring
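As an added example that is not part of the original page, the Python below puts the first and seventh risks in the list side by side with their fix: an SQL query built by string concatenation next to a parameterised one, and a page fragment that reflects user input raw next to one that escapes it. The in-memory SQLite table and the two payloads are constructed for this example; the technique is the one OWASP recommends for each risk (parameterised queries for injection, output encoding for XSS).

```python
import html
import sqlite3


def build_db():
    # Constructed sample data for the example: two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable (Injection): the untrusted value is pasted into
    # the SQL text, so quotes in it change the meaning of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened: the value travels to the driver separately from the SQL text,
    # so it can only ever be compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Deliberately vulnerable (XSS): input is reflected into the HTML unescaped,
    # so a <script> element in it becomes live markup in the victim's browser.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: < > & " ' are encoded, so the same payload is shown as text.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_db()
    sqli_payload = "' OR '1'='1"  # constructed attacker input
    print(find_user_vulnerable(conn, sqli_payload))  # every row leaks
    print(find_user_safe(conn, sqli_payload))        # [] - no user with that name

    xss_payload = "<script>alert(1)</script>"  # constructed attacker input
    print(render_greeting_vulnerable(xss_payload))
    print(render_greeting_safe(xss_payload))
```

The vulnerable query with the payload becomes `... WHERE username = '' OR '1'='1'`, which is true for every row; the parameterised version looks for a user literally named `' OR '1'='1` and finds none. The same principle applies to the other injection targets in the list (LDAP filters, OS commands): keep data and code on separate channels rather than trying to filter the data.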

**Other Resources**

Protecting against these is a large topic in its own right.  There are plenty of resources with information on protecting against them, linked below:

  • Troy Hunt – Protecting your web apps from the tyranny of evil with OWASP: This video goes through the OWASP Top 10 in more detail, describing each risk, how to exploit it, and how to protect against it
  • OWASP Top 10: The OWASP home page is a little difficult to navigate but contains fantastic information on the risks and how to protect against them. Use the link above to get details on each of the vulnerabilities, with examples on attacking, "Cheat Sheets" for prevention and risk/impact assessment.
Steve Leigh
