The OWASP Top 10 is one of OWASP’s most popular and well-received security resources for engineers. The non-profit organization has identified the ten most crucial security risks for web applications and common exploits used by hackers. Many developers regard it as an essential guide to secure software development.

In this post, we help you understand the OWASP Top 10, the organization behind it, why it’s essential, and how to make your organization more secure.

What Is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization that helps the tech community improve software security by providing tools and knowledge. As a non-profit organization, it makes all of its resources (including articles, methodologies, documentation, tools, and technologies) freely available to anyone interested in keeping their web applications secure.

The OWASP TOP 10

The OWASP Top 10 is a list of web application security risks. Using this list is an efficient and effective way to support secure software development protocols within your business.

Below, we’ve outlined the OWASP Top 10 and provided a closer look at each element:

A1:2017-Injection

Injection occurs when an attacker injects code into a query sent to the back-end application, and the end-user unknowingly executes it. Attackers use this strategy to execute commands provided via the application programming interface (API). Prevent injection attacks by using object-relational mapping (ORM) tools.

A2:2017-Broken Authentication

Hackers could access and assume the identity of another user if they discover broken authentication vulnerabilities. This situation most often arises when using improper or misconfigured authentication protocols. Ensure that your users have strong passwords and that your logins limit failed attempts.

A3:2017-Sensitive Data Exposure

Hackers frequently attempt to steal data during transmission from a user’s browser. Set up a secure communication channel to prevent an attack like this one. Enforcing transport layer security (TLS) in web applications is a quick way to solve this problem.

A4:2017-XML External Entities (XXE)

Applications supporting XML or XML uploads are vulnerable to XML external entities (XXEs), especially from unreliable sources. Hackers can use external entities to access sensitive information or launch a denial of service (DoS) attack by including a never-ending file.

Disable XML entity processing in XML parsers to prevent this type of attack. You can also use simpler data formats.

A5:2017-Broken Access Control

You should silo your data on a need-to-know basis and manage access at the user level. When access controls break, unauthorized persons may have access to sensitive information, and this problem can lead to lower-level users accessing administration controls.

A6:2017-Security Misconfiguration

Hackers are well-versed in the majority of security flaws and how to exploit them. These exports can include open ports, default accounts, passwords, mishandling errors, and more. To ensure proper security configuration, utilize automatic scanners routinely.

If you don’t want to invest in automated scanners, mitigate risk by having a patch management process in place and remove unused features and files to eliminate unnecessary code.

A7:2017-Cross-Site Scripting XSS

Hackers can also inject HTML or JavaScript code into a web application. This process is known as cross-site scripting (XSS). Improper data input validation protocols usually cause XSS vulnerabilities. Most modern frameworks have built-in systems that automatically avoid XSS.

A8:2017-Insecure Deserialization

A vulnerable application doesn’t correctly deserialize external or tempered objects. When this happens, hackers can then manipulate the data that the back-end code receives. The simplest and safest way to avoid insecure deserialization is to refuse serialized objects from untrusted sources.

A9:2017-Using Components with Known Vulnerabilities

External code, such as libraries, modules, and components, will have the same privileges as your site or application. Ensure that any external code you use in your app is current and secure.

Monitor your external components at all times for vulnerabilities. You can use automated tools to notify you when discovered.

A10:2017-Insufficient Logging & Monitoring

You can’t fix something if you don’t know that it’s broken. Attackers can access your system or hack into sensitive data if you don’t monitor your application closely enough.

How do you know if your app has enough eyes on it and collects enough data to address any unwanted access issues quickly? Examining penetration testings logs is the most efficient method for accomplishing this task.

How to use the OWASP Top 10

Most of the companies that use Haekka for training use the OWASP Top 10 as a means of setting a baseline for secure software development and technical operations. The most common approach is to auto-assign new engineering hires to train on the OWASP Top 10 as a part of onboarding. Then, on some regular cadence, engineering hires review the OWASP Top 10 or use supplemental material such as the OWASP cheat sheets.

There's an updated version of the OWASP Top 10 currently under review. This new version has a lot of overlap with the 2017 version.

At Haekka, we recently updated our version of the OWASP Top 10 course. The new course includes all the material from OWASP, as well as videos and quizzes, and all delivered in Slack. Register for a demo today.