
OWASP Top 10

Ensure your code stays compliant with the latest security guidelines put forth by the leading regulatory institutions.


Founded in 2001 as an open-source security community centered on the goal of spreading application security awareness, the Open Web Application Security Project (OWASP) is best known for the OWASP Top 10, which has become the industry gold standard for application security.

OWASP is powered by a global network of over 42,000 security-aware volunteers, whose members hail from educational and government institutions, large corporations and more. This highly active community produces content, organizes events, and publishes articles, methodologies, tools and technologies which are free and available to everyone. All OWASP projects and events are managed and backed by the OWASP Foundation, a 501(c)(3) charitable organization.

One of the factors that allows OWASP to produce such high-quality application security content without inherent bias is that OWASP is not affiliated with any specific organization, although it receives support from its active community members.

What is the OWASP Top 10?

First published in 2003 and updated regularly since, the OWASP Top Ten is a compilation of the ten most critical application security risks. It is produced with the goal of empowering developers and security teams to ensure that the applications they build are secure against the most critical risks.

Because application security threats are constantly evolving, the list is revised periodically; the current edition is the 2017 list. It includes detailed best practices for both the detection and remediation of vulnerabilities. Building on the success of the original OWASP Top Ten for web applications, OWASP has produced further “Top 10” lists for Internet of Things vulnerabilities and for the top mobile development security risks.

OWASP members compile the lists by examining both the occurrence rate and the overall severity of each threat. Certain threats appear often but are easy to prevent, detect and mitigate, while others are potentially devastating but rarely found “in the wild.”

The OWASP Top 10 Vulnerabilities

  1. Injection
    If your application accepts user input that is passed into a back-end database query, command, or call, it is exposed to injection attacks. Injection flaws are a set of security vulnerabilities which occur when untrusted data is sent to an interpreter as part of a command or query. Known injection attacks include SQL, OS, XXE, and LDAP. Learn more:
    Knowledge Base: SQL Injections
    SQL Injection Tutorial
  2. Broken Authentication
    When an application’s authentication and session management functions are not implemented correctly, the attack surface is open for criminals to break in, compromise passwords and session IDs, and exploit other flaws using stolen credentials. Sessions should be unique to each individual user; without proper session management, an attacker can sneak in disguised as a legitimate user, steal tokens and passwords, and gain the access they are after.
  3. Sensitive Data Exposure
    Sensitive data exposure may occur when security controls – such as HTTPS – are not implemented correctly, leaving a hole through which attackers can steal sensitive information such as passwords, payment information, IDs, addresses, and anything else of value you may have stored. Applications should ensure that access is authenticated and data is encrypted. A failure to do so may lead to a major privacy violation.
  4. XML External Entities (XXE)
    An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
  5. Broken Access Control
    Flawed access control is caused by restrictions on users that are not enforced, which allows attackers to reach unauthorized functionality or data. Access control is meant to govern what “authorized” users are and are not allowed to do within an app. To establish proper access control, the app must perform solid authorization checks and have proper authentication in place, so that it can tell which users are privileged and which are in fact random internet users.
  6. Security Misconfiguration
    According to OWASP, Security Misconfiguration is the most commonly seen issue. Strong security requires a secure configuration to be defined and deployed for apps, frameworks, servers, databases, and custom code, and all of these should be kept up to date. Otherwise, the resulting flaws can be exploited by attackers to access privileged data. Proper configuration of an application’s entire environment needs to be defined, implemented, and maintained, or it may lead to severe security holes.
  7. Cross-Site Scripting (XSS)
    Following broad disagreement with the previous A7 (which was “Insufficient Attack Protection”), OWASP updated the list and placed Cross-Site Scripting as the new A7. Cross-Site Scripting, commonly known as XSS, is a vulnerability that is often found in web apps. XSS allows attackers to inject client-side scripts into public-facing web pages and, in many cases, can be used by attackers to work their way past access controls. Learn more:
    Knowledge Base: Cross-Site Scripting
    Everyone Talks About Phishing, But No One Blames XSS
  8. Insecure Deserialization
    According to OWASP, “Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process – taking data structured from some format, and rebuilding it into an object.”
  9. Using Components with Known Vulnerabilities
    Components, including libraries and frameworks, may be taken from the open source community and should be used with caution in case vulnerabilities are lurking. When a vulnerable component is exploited, attackers can leverage it to cause the app serious damage and a major loss of data that can undermine the app, and perhaps even the organization.
  10. Insufficient Logging & Monitoring
    According to OWASP, insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
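The injection flaw described in item 1 above is easiest to see side by side with its fix. The following is an added example, not code from the page or from Checkmarx: it stands up an in-memory SQLite table with constructed sample rows (the table, the rows and the tautology input are all assumptions for this example), runs the same look-up once with string concatenation and once with a parameterized query, and returns both results so the difference can be checked.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for the
    # application's back-end database (assumption for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # User input is pasted straight into the query text, so the input can
    # change the *structure* of the SQL statement, not just the value compared.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # A parameterized query sends the input as a bound value. The database
    # treats it purely as data, so it can never alter the statement.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input: a classic tautology that closes the quoted string and
# appends an always-true condition when concatenated into the query.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run both look-ups against the same input and return their results."""
    conn = make_db()
    return {
        # Concatenation: the WHERE clause becomes ... = 'x' OR '1'='1', so
        # every row matches and the whole table is returned.
        "vulnerable": find_user_vulnerable(conn, TAUTOLOGY),
        # Parameterized: the whole string is compared literally; no row matches.
        "safe": find_user_safe(conn, TAUTOLOGY),
        # Parameterized queries still work normally for ordinary input.
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the other interpreters the item lists (OS commands, LDAP filters): keep untrusted input out of the command text and pass it through the interface the interpreter provides for data, such as bound parameters or an argument vector.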

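Item 8 quotes OWASP's definition of deserialization but does not show why rebuilding objects from untrusted bytes is dangerous: a serialized stream can name any importable class or function, and a stock deserializer will resolve it. The following is an added example, not code from the page or from Checkmarx, in Python's pickle format. It assumes a restricted unpickler pattern (an allow-list of permitted globals checked in find_class) and uses two constructed streams: a plain data object and a stream that merely references os.getcwd by name, which is harmless but is resolved exactly the way any other callable would be.

```python
import builtins
import io
import os
import pickle

# Allow-list of (module, name) pairs an untrusted pickle may reference.
# Chosen for this example; a real service lists only its own data types.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # pickle calls find_class for every GLOBAL / STACK_GLOBAL opcode, i.e.
        # each time the stream asks for an importable callable or class. This
        # hook is where the deserializer decides what an attacker can make it
        # construct, so the decision is an allow-list, not a deny-list.
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) for an untrusted byte string."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed inputs: a plain data object, and a stream that references an
# importable function by module and name (os.getcwd is harmless; the point
# is that the loader would resolve any name the same way).
SAFE_STREAM = pickle.dumps({"user": "alice", "roles": ["reader"]})
GADGET_STREAM = pickle.dumps(os.getcwd)


def unrestricted_returns_callable() -> bool:
    # The stock loader resolves the reference and hands back a live function.
    return pickle.loads(GADGET_STREAM) is os.getcwd


if __name__ == "__main__":
    print(load_outcome(SAFE_STREAM))
    print(load_outcome(GADGET_STREAM))
    print("stock pickle.loads returned the function:", unrestricted_returns_callable())
```

The restricted loader accepts the data stream and rejects the one that names a function, while pickle.loads returns the function object itself. The stronger mitigation, which this example does not replace, is to avoid native object serialization for untrusted input altogether and use a data-only format such as JSON with explicit validation of the fields you expect.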