A Beginner’s Guide to OWASP
What is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving web application security. Its community runs projects, forums, and events aimed at increasing members’ security preparedness, and these efforts are supported by making all of its materials free and easily accessible from its website. It promotes the sharing of security expertise through its projects, events, videos, and forums.
How to use OWASP?
Apart from providing materials that developers can use to improve their understanding of security, OWASP also provides a framework that can be used to evaluate an application’s security. This comes in handy when a company wants to audit its applications. You can use the OWASP Top 10 security risks to decide which risks require a higher priority.
What is the OWASP Top 10?
Since 2003, OWASP has maintained a Top 10 list of the most prevalent threats that members and other participants have been facing. The list is provided as an online document that can be downloaded from its website. It also contains information on how web applications can best be secured against the listed threats.
The latest version of the Top 10 security risks list was released in 2017. The data to be analyzed for the next list has been collected since June 2020 via surveys submitted using Google Forms.
The security risks on the list are ranked based on detectability, exploitability, and potential impact on an organization. The data needed to create the list comes from surveys of over 500 cybersecurity experts and over 40 web application security firms. The participants share information on the threats and types of cyberattacks they’ve faced, the frequency of the attacks, and the impact of the attacks on their organizations. They also share how they were able to detect the threats, stop them, and reinforce the security of their applications.
All this information leads to the creation of an exhaustive and reliable list of security risks that can be applied to organizations in all industries.
This list is important because it illuminates the risks that security experts are most concerned about with regard to web application security. This makes it an effective framework for assessing an application’s security posture. It is also an effective tool that helps developers know which threats to prioritize when securing their web apps.
Here are the OWASP top ten web application security risks:
1. Injection
This occurs when hostile data is sent to the web application as part of a command or query with the intention of accessing the database. These attacks can be prevented by applying parameterized queries, input validation, and stored procedures.
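To make the injection point concrete, here is an added example (not from the OWASP materials or this guide) that runs the same user lookup two ways against an assumed SQLite table with constructed rows: the string-concatenated query lets a quote in the input rewrite the query, while the parameterized version and an allowlist validator treat the same input as plain data.

```python
import re
import sqlite3

# Constructed sample data; not taken from any real application.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def find_user_concat(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote
    in the input can change the structure of the query itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn, name):
    """Hardened: a parameterized query. The driver sends the value
    separately from the SQL text, so it is only ever a string literal."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(name):
    """Input validation (allowlist): reject anything that is not a
    plausible user name before it reaches the database at all."""
    return USERNAME_RE.fullmatch(name) is not None

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "concat": find_user_concat(conn, hostile),  # returns every user
        "param": find_user_param(conn, hostile),    # matches nothing
        "valid": is_valid_username(hostile),        # False: rejected up front
        "normal": find_user_param(conn, "alice"),   # ordinary lookup still works
    }

if __name__ == "__main__":
    print(demo())
```

The parameterized query alone is enough to stop the injection; the validator is a second, independent layer that also rejects malformed input early.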
2. Broken authentication
It occurs when functions expose important security credentials to attackers because sessions were not well managed. This can lead to users’ identities being stolen and attackers gaining unrestricted access to the application over a long period of time. Introducing multi-factor authentication helps restrict access even after an attacker steals access credentials. You can also use brute-force protection to limit login attempts from a single IP address.
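To show what the brute-force protection mentioned above looks like in code, here is an added example (not from this guide or from OWASP) of a per-source-IP sliding-window limiter in Python; the limits of three attempts per 60 seconds in the demo, and five per 300 seconds by default, are assumed values.

```python
import time
from collections import deque

class LoginRateLimiter:
    """Sliding-window limiter: after `max_attempts` failed logins from one source IP
    within `window` seconds, further attempts from that IP are refused until the old
    failures age out. The thresholds are assumptions, not OWASP-recommended values."""
    def __init__(self, max_attempts=5, window=300.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock      # injectable so the behaviour can be tested without sleeping
        self._failures = {}     # ip -> deque of failure timestamps

    def _recent(self, ip, now):
        q = self._failures.setdefault(ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()         # drop failures that fell outside the window
        return q
    def is_blocked(self, ip):
        return len(self._recent(ip, self.clock())) >= self.max_attempts
    def record_failure(self, ip):
        now = self.clock()
        self._recent(ip, now).append(now)
    def record_success(self, ip):
        self._failures.pop(ip, None)

def attempt_login(limiter, ip, username, password, check_credentials):
    """Returns 'blocked', 'ok' or 'denied'. The block is checked before the password is
    verified, so a blocked source learns nothing about whether its guess was correct."""
    if limiter.is_blocked(ip):
        return "blocked"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "denied"

def demo():
    # Constructed scenario on a fake clock: three bad passwords from one IP, then a
    # correct one that is still refused, a second IP that succeeds, then the window expiring.
    t = [0.0]
    lim = LoginRateLimiter(max_attempts=3, window=60.0, clock=lambda: t[0])
    check = lambda u, p: (u, p) == ("alice", "correct horse")
    out = [attempt_login(lim, "10.0.0.1", "alice", "wrong", check) for _ in range(3)]
    out.append(attempt_login(lim, "10.0.0.1", "alice", "correct horse", check))
    out.append(attempt_login(lim, "10.0.0.2", "alice", "correct horse", check))
    t[0] = 61.0
    out.append(attempt_login(lim, "10.0.0.1", "alice", "correct horse", check))
    return out
```

A per-IP limit on its own does not stop attempts spread across many addresses, which is why the guide pairs it with multi-factor authentication.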
3. Sensitive data exposure
This occurs when sensitive data such as financial, health, or personal data is exposed. This can happen during transmission, querying, or storage of the data in an unsafe environment. These issues can be addressed by encrypting the data before transmission and by limiting access to only those who need it to do their jobs.
4. XML external entities
This occurs when external entities are used to exploit poorly configured XML processors. The attacker alters the XML file by including hostile commands that can be used to expose internal files. This can be addressed by preventing untrusted sources from altering or uploading XML files. Static application security testing (SAST) can be used to detect this type of flaw because it inspects the application’s dependencies as well as the application itself.
5. Broken access control
This occurs when an authenticated user gains access to parts of the system they are not supposed to reach. If permissions are not well configured, the user can have just as much access to the application as the administrator. This can be prevented by performing penetration testing on the application before it goes into production.
6. Security misconfiguration
This occurs when the system’s security is compromised by configurations that don’t take a security-first approach. Examples include insecure default configurations, or insecure pre-production settings left unchanged when the application is moved to a production environment. Static application security testing (SAST) can help prevent this threat by checking configurations for information exposure.
7. Cross-site scripting
This occurs when untrusted data is included in a web page and executed by the browser. An attacker achieves this by altering the client-side scripts to produce their desired output. It can result in the theft of session data or in the user’s session being hijacked. OWASP provides mechanisms such as the Common Weakness Enumeration (CWE) for identifying such problems.
8. Insecure deserialization
This occurs when flaws in deserialization permit remote code execution. Such flaws can also allow an attacker to alter permissions and to launch injection and replay attacks. Performing penetration testing can help neutralize this threat because it detects potentially dangerous entry points.
9. Using components with known vulnerabilities
This occurs when an application is built using components that are vulnerable to attacks. Since the components run with the same privileges as the application, any vulnerability they carry becomes a vulnerability of the application. This can be prevented by using tools like Black Duck that detect and identify outdated and insecure components.
10. Insufficient logging and monitoring
Logging and monitoring allow the application’s health to be evaluated. Failure to audit events makes it hard to detect vulnerabilities in the application. A combination of penetration testing and SAST can help identify unlogged events.
OWASP’s goal is to improve web application security by leveraging the experiences of its members. It has successfully analyzed the risks that its members have been facing and turned them into actionable insight. The OWASP Top 10, which comprises the 10 most prevalent threats, gives visibility into the state of web application security. When well understood, the information from this foundation can help protect applications from current and future threats.