What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document for all kinds of developers that covers the essential web application security risks every developer should know.

Image by David Hablützel from Pixabay

If you have been building web applications for a while you may have heard of the OWASP Top 10, but for those that are new to the hive, this blog should serve as a great tool for your introduction to secure coding and application building. The OWASP Top 10 is globally recognized by developers as the first step toward more secure coding.

Web Application Architecture Needs a Culture Change

Too often we see developers build great and productive web applications but wait until after they have been built to incorporate security. This is inherently counterproductive, as security risks should be identified and fixed before the application is pushed to production. Going back to fix security risks after your web application is complete takes longer, as it may require you to rebuild parts of your project. Therefore, organizations should embrace the tips offered in the OWASP Top 10 to ensure their web applications minimize security risks. It is arguably the most effective step towards changing the culture in your organization: security by design.

The Top 10 Web Application Security Risks

The OWASP Top 10 is determined by The OWASP Foundation through year-round testing of applications to find the most common security risks. The list of the Top 10 security risks changes every year, but here are the most recent ones:

  1. Broken Access Control: Buzzing up from 5th in the previous year, broken access control tops the list of security risks set to sting your developers. In OWASP’s recent study it was found that 94% of applications tested had some form of broken access control. This risk allows attackers to access, modify, or perform actions on an application that were not intended by the system, such as an unauthenticated user force-browsing to pages that should require authentication.
  2. Cryptographic Failures: The 2nd most common security risk is a lack of encryption. Having poor encryption in your web application often leads to the exposure of sensitive data like passwords, credit card numbers, health records, and the list goes on. Make sure all data at rest and in transit is encrypted.
  3. Injection: While 3rd, some form of improper injection was found in 94% of applications tested by The OWASP Foundation. The main risks here are cross-site scripting, SQL injection, and attacker control of file names and paths. Be sure to incorporate input validation into your applications!
  4. Insecure Design: The 4th most seen risk is a broad category but can be simplified down to a lack of security controls. Part of the coding culture change we want to see is developers moving beyond the idea of “shift left” (moving tasks to earlier in the cycle for earlier testing). Addressing this risk starts before the code is written, with an established Secure Development Lifecycle (SDLC) designed by application security experts. If you do not have an SDLC or would like to improve on your existing one, contact QoS today with the information at the bottom of this blog.
  5. Security Misconfigurations: Believe it or not, OWASP found that 90% of applications were misconfigured! While developing your software make sure secure and appropriate hardening is applied across all parts of the application.
  6. Vulnerable and Outdated Components: While only 6th on this list, the coding community ranks this risk near the top because of the possible impacts. Make sure you know all the versions of the components you used to build your application to ensure that they are still supported.
  7. Identification and Authentication Failures: Do not be fooled by this risk sliding from 2nd to 7th; it packs a punch if not handled correctly. Confirming a user’s identity and authenticating them correctly are paramount. Your web applications should be built to prevent brute force attacks and credential stuffing, and to require complex passwords.
  8. Software and Data Integrity Failures: Upholding the Confidentiality, Integrity, and Availability (CIA) triad is often the goal for security professionals; read more about it in our previous blog. Do not rely heavily on plugins, libraries, or content delivery networks (CDNs) when coding applications, as they can open the door to unauthorized access, malicious code, or system compromise. Use digital signatures to verify that the data or software came from a trusted, unaltered source.
  9. Security Logging and Monitoring Failures: This is one we often see as an issue during engagements with our clients: Lacking logs of events. Logging and monitoring are critical to identifying breaches! Examples of what to monitor are failed logins and APIs. Also, be sure to securely store and retain your logs for review and investigative purposes!
  10. Server-Side Request Forgery: Modern web applications often fetch remote resources, and developers implicitly trust that outreach, but they shouldn’t. Attackers can manipulate the application into requesting information from an unexpected place, even when a firewall or VPN (Virtual Private Network) is in place. OWASP has several recommendations for the network and application layers to reduce this risk, so if you’re interested feel free to follow the link at the top of this blog to the whole Top 10 list.
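As an added example that is not part of the original post, here is one application-layer control of the kind OWASP recommends for item 10: before the application fetches a remote resource, the requested URL is checked against an allowlist of schemes and hosts, and every address the host resolves to is checked against loopback, private, link-local and other non-public ranges, so a host that silently resolves to an internal address is refused. The allowlist, the hostnames and the offline DNS table are constructed for this demo.

```python
# Added example (not from the original post): an outbound-URL check for
# server-side fetches. The allowlist and the DNS table are constructed.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # constructed allowlist

# Constructed DNS answers so the demo runs offline. A real application would
# call socket.getaddrinfo() and apply the same checks to every answer.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["151.101.1.10", "10.0.0.8"],  # one answer is internal
}

def resolve(host):
    return FAKE_DNS.get(host, [])

def is_public_ip(addr):
    """True only for routable public addresses. Python's is_private also
    covers the RFC 5737 documentation ranges, so those are refused too."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=resolve):
    """Return (ok, reason). Accept only allowlisted https hosts on the
    default port whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if parts.port not in (None, 443):
        return False, "port not allowed"
    answers = resolver(host)
    if not answers:
        return False, "host did not resolve"
    if not all(is_public_ip(a) for a in answers):
        return False, "host resolves to a non-public address"
    return True, "ok"

if __name__ == "__main__":
    for u in ["https://api.example.com/v1/items", "http://api.example.com/",
              "https://cdn.example.com/x", "https://127.0.0.1/"]:
        print(u, validate_outbound_url(u))
```

Resolving and checking the addresses in the validator, then connecting to the checked address rather than re-resolving the name, closes the gap where a name changes its answer between the check and the fetch.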

We understand the application coding process is already strenuous enough, but these risks are prevalent and should be addressed while the web application is being built, not after. If you are a project manager developing software, ensure your busy coders have these risks on their minds and are incorporating them into their work.

For more information, speak with a QoS consultant today at sales@qosconsultingsolutions.com, or reach out through the contact form on our website, www.qosconsultingsolutions.com.