Founded in 2001 as an open-source security community centered around the goal of spreading application security awareness, the Open Web Application Security Project (OWASP) is most famous for its OWASP Top 10, which has become the industry gold standard for application security.
Powered by a global network of over 42,000 security-aware volunteers, OWASP members hail from educational & government institutions, large corporations and more. This highly active community produces content, organizes events, and publishes articles, methodologies, tools and technologies which are free and available to everyone. All OWASP projects and events are managed and backed by the OWASP Foundation which is a 501(c)(3) charitable organization.
One of the factors that allows OWASP to produce such high quality application security content without any inherent biases is the fact that OWASP is not affiliated with any specific organization, although it receives support from its active community members.
First appearing in 2003 and continuing with regular updates, the OWASP Top Ten is a compilation of the Top 10 Most Critical Application Security Risks, produced with the goal of empowering developers and security teams to ensure that the applications they build are secure against the most critical risks.
As application security threats are constantly evolving, the list is revised periodically; the current OWASP Top 10 is the 2013 version, and the organization plans to release an update in 2017. The list includes detailed best practices for both the detection and remediation of vulnerabilities. Building on the success of the original OWASP Top Ten for web applications, OWASP has produced further “Top 10” lists for Internet of Things vulnerabilities and for the top mobile development security risks.
OWASP members compile the lists by examining both the occurrence rate and overall severity of the threat. Certain threats can appear often but are easy to prevent, detect and mitigate while others are potentially deadly but rare when it comes to finding them “in the wild.”
Below is a quick overview of the OWASP Top 10 List:
1. SQL Injection Attacks
Taking the top spot on the 2013 OWASP Top 10 list are SQL injections. This is a code injection technique in which attackers place malicious data into systems and other areas of a web app through unvalidated inputs, causing great harm. Simply put, SQL injection attacks are strings of code, which can be commands or queries, that have the potential to fool the interpreter into giving the attacker whatever is requested, either by exposing safeguarded data or by executing commands which may be damaging to the environment.
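To make the "data mistaken for command" point concrete, here is an added example (not code from the original post) that builds a constructed in-memory SQLite table and runs the same lookup two ways: with the input spliced into the SQL text, and with a parameterized query. The table, rows and input string are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a web app's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input becomes part of the SQL text, so the interpreter
    # cannot tell where the data ends and the command begins.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the driver binds the value as data, and the
    # same input can never change the shape of the statement.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input: a quote followed by an always-true condition. Against
# the vulnerable lookup the WHERE clause no longer filters anything.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, TAUTOLOGY))  # every row
    print("safe:      ", lookup_safe(conn, TAUTOLOGY))        # []
    print("safe/alice:", lookup_safe(conn, "alice"))
```

The fix is not escaping quotes by hand but never letting untrusted input reach the SQL parser as code, which is what parameter binding guarantees.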
2. Broken Authentication & Session Management
Broken authentication and session management flaws occur when an application’s authentication and session management functions are not implemented correctly, allowing attackers to assume a user’s identity through stolen passwords, personal user information, session keys and other credentials, or through other implementation flaws in how user credentials are handled.
3. Cross-Site Scripting (XSS) Attacks
Cross-Site Scripting, also known as XSS, occurs when a web browser is fooled into accepting data from a non-trusted source. Applications which allow user input without the ability to control and monitor it are at a high risk for XSS attacks. A successful XSS attack permits the attacker to control a user session, letting the attacker cause direct damage to a website by injecting harmful code or by directing the user to visit another site which may host further harmful code. There are three different kinds of XSS attacks: Stored XSS, DOM Based XSS, and Reflected XSS.
4. Insecure Direct Object References
Insecure Direct Object References arise through authentication which isn’t properly enforced, allowing malicious users to gain administrative access to a vulnerable application. Once an attacker has access to the application, they are able to manipulate references to any type of asset in order to reach secured data they’re not authorized for.
5. Security Misconfiguration
Security Misconfigurations arise when a security protocol or process is not correctly implemented or followed, leaving exposures that attackers can use to detect weak areas in an application. Through these weak areas, attackers are able to access privileged data. To prevent such holes in the application’s security, a secure configuration of the application environment, including servers and platforms, should be established and maintained.
6. Sensitive Data Exposure
Data can be leaked through a Sensitive Data Exposure vulnerability, which is caused by weak or misconfigured security controls such as SSL and HTTPS. If not correctly secured, Personally Identifiable Information (including financial details, tax IDs, and passwords) is most at risk. Applications should secure access, encrypt data, and protect the integrity of data in the transport layer. Failing to do so permits weak or exploitable algorithms and expired or forged certificates to provide access, causing a privacy violation.
7. Missing Function Level Access Control
This risk arises when applications fail to correctly verify function level access permissions on the server before making functionality available, so that functions which shouldn’t be granted to a user become reachable.
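Items 4 and 7 are both access control failures, one at the object level and one at the function level. This added example (not code from the original post) uses a constructed invoice store and constructed users to show an unchecked direct object reference beside an ownership-checked lookup, and a server-side role check on an admin-only function.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed data store: invoice id -> owner and contents.
INVOICES = {
    1001: {"owner": 1, "body": "invoice for alice"},
    1002: {"owner": 2, "body": "invoice for bob"},
}


class Forbidden(Exception):
    pass


def get_invoice_insecure(invoice_id):
    # Insecure direct object reference: the id from the request is used
    # as-is, so any logged-in user who edits the id reads another user's data.
    return INVOICES[invoice_id]["body"]


def get_invoice(user, invoice_id):
    # Object-level check: the referenced record must belong to the caller.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user.user_id:
        raise Forbidden("not your invoice")
    return inv["body"]


def require_role(role):
    # Function-level check enforced on every call at the server, rather than
    # relying on the UI to hide the link from non-admin users.
    def wrap(fn):
        def inner(user, *args, **kwargs):
            if user.role != role:
                raise Forbidden(f"{role} role required")
            return fn(user, *args, **kwargs)
        return inner
    return wrap


@require_role("admin")
def delete_invoice(user, invoice_id):
    INVOICES.pop(invoice_id, None)
    return True
```

Note that `get_invoice` returns the same error for a missing id and for someone else's id, so the response does not confirm which ids exist.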
8. Cross Site Request Forgery Attacks
Cross Site Request Forgery Attacks, also known as CSRF, allow attackers to forge an HTTP request from a victim, so that data such as cookies and authentication information is exposed. The victim’s web browser is usually used to generate the additional requests, which appear authenticated to the target of the attack.
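The standard defence is a synchronizer token the browser will not send on its own. This added example (not code from the original post) binds an HMAC token to the session id with a constructed server key and shows the three request shapes a handler sees: a legitimate form submission, a forged request that carries the victim's cookie but no token, and a token lifted from a different session.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Derive the token from the session so a token from one session
    # cannot authorize a state-changing request in another.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(session_id, submitted):
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(request):
    # request is a constructed dict: {"cookies": {...}, "form": {...}}.
    # The browser attaches the "sid" cookie automatically, which is exactly
    # why the cookie alone cannot prove the user intended this request.
    sid = request["cookies"].get("sid")
    if sid is None:
        return "401 no session"
    if not is_valid_csrf(sid, request["form"].get("csrf")):
        return "403 csrf check failed"
    return f"200 transferred {request['form']['amount']}"


if __name__ == "__main__":
    sid = "sess-123"
    token = issue_csrf_token(sid)  # embedded in the app's own form
    print(handle_transfer({"cookies": {"sid": sid},
                           "form": {"amount": 10, "csrf": token}}))
    print(handle_transfer({"cookies": {"sid": sid},
                           "form": {"amount": 10}}))  # cross-site form
```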
9. Using Components with Known Vulnerabilities
When known vulnerabilities exist in their code, components such as libraries and frameworks delivered from the open source community shouldn’t be used. Using components with known vulnerabilities can compromise an application, and possibly an entire organization, by giving an attacker easy access to apply an SQL injection, XSS attack, or similar in an attempt at an application takeover.
Checkmarx Open Source Analysis (OSA) allows organizations to manage, control and prevent the security risks and legal implications introduced by open source components used as part of the development effort.
10. Unvalidated Redirects and Forwards
Unvalidated Redirects and Forwards are abused through social engineering, using a redirect to mimic an existing site and trick visitors into downloading malware or giving up Personally Identifiable Information.
It is important to know that the OWASP Top Ten is not a full list of vulnerabilities. The list offers a solid foundation that security experts and developers can build on together.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.