If you are new to the field of software development, you may be wondering “What is OWASP?” Here is a short primer on OWASP and why it is an important tool in any developer’s arsenal. What does OWASP stand for? It generally refers to the Open Web Application Security Project Top 10 application development risks.
What is OWASP?
OWASP is an international non-profit organization made up of an online community of development professionals who are dedicated to improving the security of software. The group provides security tools and standards, as well as cutting-edge research, in the field of application security. Tools and documentation offered by the group are free to anyone. This organization’s goal is to be an unbiased source for best practices when it comes to web application security with a focus on:
- applications (applications which run in a web browser)
- websites (web pages sharing a common domain name)
- web services (software developed for machine-operable communication across a network; e.g., an Application Programming Interface (API)).
The Open Web Application Security Project Top 10 is the most well-known publication of the organization. This was first published in 2003, and updated every 3 to 4 years. It is a curated listing of the most critical risks related to software security. Updates to the list reflect feedback from development professionals, as well as new risks and new technologies that have emerged since the last iteration. Because of its focus on application security, this standard is commonly referenced in other industry-level standards and protocols such as:
- Payment Card Industry Data Security Standard (PCI-DSS)
- National Institute for Standards and Technology (NIST)
- International Organization of Standardization (ISO)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
Why Use the OWASP Standards?
Another question we are often asked is “Why use the OWASP standards?”. The recommended application security requirements provided by the Open Web Application Security Project Top 10 are used by developers to help avoid common coding vulnerabilities. These vulnerabilities can be introduced into software if it is not secure by design. The Top 10 changes with each new release, but there are some application-level security issues which have remained on the list since its inception. This is a huge concern for developers, as these coding flaws can lead to serious repercussions for organizations and their users. Repercussions such as remote code execution and identity theft. Some of the most recent well-known large data breaches and security incidents were a result of vulnerabilities ranked in the OWASP Top 10. Here are a few examples.
- October 2018: An automated brute force attack known as “credential stuffing” led to the exposure of 14,000 HSCB customers’ personal data due to A2:Broken Authentication.
- November 2018: A8: Insecure Deserialization, a new entry in the OWASP Top 10 in 2017, was found to be impacting Ruby, Java, PHP, and .NET programming languages which could result in malicious code runs.
- February 2019: A “heap buffer overflow flaw,” an example of A1: Injection, left Android phone users exposed to hacking via the viewing of PNG images.
- March 2019: Due to A6: Security Misconfiguration of a MongoDB NoSQL database, an email marketing company exposed 809M customer records.
- March 2019: Facebook reported that it had inadvertently stored user passwords for its Facebook, Facebook Lite, and Instagram platforms in plaintext, a clear instance of A3: Sensitive Data Exposure.
What is on the OWASP Top 10 List?
As you can see, the possible vulnerabilities covered in the OWASP Top 10 – 2017 encompass the full-stack of an application, from backend databases to front-end user interfaces. What is the full list of critical risks included on the OWASP Top 10 – 2017 list? They include:
- A1: Injection
- A2: Broken Authentication
- A3: Sensitive Data Exposure
- A4: XML External Entities
- A5: Broken Access Control
- A6: Security Misconfiguration
- A7: Cross-Site Scripting
- A8: Insecure Deserialization
- A9: Using Components with Known Vulnerabilities
- A10: Insufficient Logging/Monitoring
How are developers supposed to stay on top of an extensive list like the OWASP Top 10- 2017 as they are designing, building, coding and deploying software? That was the very question we asked ourselves at Global Learning Systems as we were designing our award-winning course “Secure Coding with the OWASP Top 10 – 2017.” Our aim was to provide a modularized course that defined “What are the OWASP Standards?” and also focused on the use of the OWASP framework as a tool in secure coding behavior. Therefore we focused on developers in all aspects of the course – hands-on problem solving, language and platform agnostic, coding best practices to mitigate these vulnerabilities and resources that can be used after the course to encourage and enhance continued best practices.
The Open Web Application Security Project Top 10 is the best-known and most popular secure coding standard in use today. It provides guidance for all types of developers – application, mobile application, back-end, embedded systems, and cloud, just to name a few. It is a key tool to have in your development team’s arsenal to ensure the security of your applications, and thus your organization.