Key Points
What is ‘OWASP’?
OWASP is the Open Web Application Security Project, an international non-profit organization dedicated to improving web application security.
It operates on the core principle that all of its materials are freely available and easily accessible online, so that anyone anywhere can improve their own web app security. It offers a number of tools, videos, and forums to help do this – but their best-known project is the OWASP Top 10.
The Top 10
The OWASP Top 10 is a report outlining the most critical risks to web application security. Put together by a team of security experts from all over the world, the list is designed to raise awareness of the current security landscape and offer developers and security professionals invaluable insights into the latest and most widespread security risks.
It also includes a checklist and remediation advice that experts can fold into their own security practices and operations to minimise and/or mitigate the risk to their own apps.
Why you should use it
OWASP updates its Top 10 every two or three years as the web application market evolves, and it is the gold standard for some of the world’s largest organizations.
As such, you could be seen as falling short of compliance and security if you don’t address the vulnerabilities detailed in the Top 10. Conversely, integrating the list into your operations and software development shows a commitment to industry best practice.
And why you shouldn’t…
Some experts believe the OWASP Top 10 is flawed because the list is too limited and lacks context. By focusing only on the top 10 risks, it neglects the long tail. What’s more, the OWASP community often argues about the ranking, and whether the 11th or 12th belong in the list instead of something else.
There is merit to these arguments, but the OWASP Top 10 is still the leading forum for addressing security-aware coding and testing. It’s easy to understand, it helps users prioritize risk, and its actionable. And for the most part, it focuses on the most critical threats, rather than specific vulnerabilities.
So what’s the answer?
Web application vulnerabilities are bad for businesses, and bad for consumers. Big breaches can result in huge quantities of stolen data. These breaches aren’t always caused by organizations failing to address the OWASP Top 10, but they are some of the biggest issues. And there’s no point worrying about obscure zero-day flaws in your firewall if you’re not going to block injection, session capture, and XSS.
So what should you do? Firstly, train everyone in better security hygiene. Do dynamic application security testing, including penetration testing. Ensure admins adequately protect applications. And use an online vulnerability scanner.
Go beyond OWASP
Like most organizations, you may already be using a number of different cyber security tools to protect your organization against the threats listed by OWASP. While this is a good security stance, vulnerability management can be complex and time consuming.
It doesn’t have to be. Intruder makes it easy to develop secure apps by integrating with your CI/CD pipeline to automate discovery of your cyber weaknesses.
You can perform security checks across your perimeter, including application-layer vulnerability checks, including checks for OWASP Top 10, XSS, SQL injection, CWE/SANS Top 25, remote code execution, OS command injection, and more.
Read the latest report for a more in-depth look at the OWASP Top 10. Or if you're ready to discover how Intruder can find the cyber security weaknesses in your business, sign up for a free trial today.
