The Open Web Application Security Project (OWASP) is an open-source application security community whose goal is to spread awareness surrounding the security of applications, best known for releasing the industry standard OWASP Top 10.
The OWASP community is powered by security knowledgeable volunteers from corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure.
Although the community supports the informed use of security technology, OWASP is not affiliated with any technology company, allowing them to provide high quality information without bias. OWASP advocates approaching application security by considering the people, process, and technology dimensions.
Every few years, OWASP releases the OWASP Top 10, a list of the ten most critical application security risks faced by developers and organizations, with the goal of helping developers and security teams better secure the applications they design and deploy. Because the risks to applications are always evolving, the OWASP Top 10 list is revised each time to reflect these changes, along with the techniques and best practices for avoiding and remediating the vulnerabilities. In addition to the OWASP Top 10 for web applications, OWASP has also created similar lists for Internet of Things vulnerabilities and for mobile security issues. The list is compiled by evaluating the overall threat as well as how regularly each threat is faced. Some risks may be rare but could be fatal when exploited, while others are common but easy to guard against. Here’s a quick overview of the list.
SQL injection is at the head of the OWASP Top 10. It occurs when inputs to a database, or to other areas of the web app, aren’t properly sanitized, allowing malicious or untrusted data into the system to cause harm. A SQL injection attack is simply data being sent to any form of code interpreter where it can be run as a command or, in the case of a database, as a query. The idea is that the data fools the interpreter into either handing over data that the attacker wants or executing commands that may be hostile to the environment.
Broken authentication and session management vulnerabilities allow anonymous attacks aimed at stealing valuable data, especially Personally Identifiable Information. If authentication or session management has not been implemented properly, it may enable a hostile party to steal passwords, session keys or tokens, or otherwise assume or exploit a user’s identity.
Cross-Site Scripting, often shortened to XSS, attempts to trick a browser into accepting data that isn’t from a trusted source. Applications that allow user input but don’t control their output are highly vulnerable to XSS. If successful, XSS allows the attacker to take over a user session, cause damage to a website, or force the user to visit another site (often one hosting further hostile code). There are three kinds of XSS attacks, referred to as Stored XSS, DOM-based XSS, and Reflected XSS.
It is important to note that the OWASP Top 10 isn’t a complete list of vulnerabilities, but rather a starting point on which security experts and developers together can build.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.