One of the joys of continuing my education is getting to write a mini-article once a week for my fellow students and instructors. I’ve decided to share some of the better ones here. B.
Given how much modern online activity uses web-based technologies, I am often surprised at how many people in cybersecurity do not know about OWASP. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software, specifically and especially web-based software and APIs. Their official offices are located in Massachusetts, but they have over 250 local chapters around the world and boast tens of thousands of members.
In infosec circles, OWASP is best known for the OWASP Top 10, an ongoing project detailing the ten most critical risks associated with web application security. The current version of the OWASP Top 10 was updated in 2021, shifting the order of some items, consolidating others, and adding three new categories compared to the previous version, which was released in 2017.
Although OWASP has no official regulatory authority, their Top 10 report serves as an awareness document that incorporates input from developers, computer scientists, and security professionals around the world. As such, it is often referenced as a standard for evaluating web development policies and practices from a security perspective.
The current OWASP Top 10 Web Application Security Risks are as follows (OWASP Foundation, 2021):
- A01:2021 – Broken Access Control
- A02:2021 – Cryptographic Failures
- A03:2021 – Injection
- A04:2021 – Insecure Design
- A05:2021 – Security Misconfiguration
- A06:2021 – Vulnerable and Outdated Components
- A07:2021 – Identification and Authentication Failures
- A08:2021 – Software and Data Integrity Failures
- A09:2021 – Security Logging and Monitoring Failures
- A10:2021 – Server-Side Request Forgery (SSRF)
What is especially valuable about the OWASP Top 10 is that OWASP doesn’t just enumerate risks and weaknesses. They also provide extensive references and tools to educate and train interested parties in how to mitigate web application vulnerabilities. These include an extensive collection of cheat sheets, the OWASP Web Security Testing Guide, and the OWASP Zed Attack Proxy (ZAP), a free, open-source alternative to the Burp Suite web application security testing software.
Cloudflare. (n.d.). What is OWASP? What is the OWASP Top 10? https://www.cloudflare.com/learning/security/threats/owasp-top-10/
Easttom II, W. C. (2018). Network defense and countermeasures: Principles and practices (3rd ed.). Pearson.
Fortinet. (n.d.). What is OWASP? https://www.fortinet.com/resources/cyberglossary/owasp
OWASP Foundation. (2021). OWASP top ten. https://owasp.org/www-project-top-ten/
OWASP Foundation. (n.d.). About the OWASP Foundation. https://owasp.org/about
OWASP Foundation. (n.d.). OWASP® Zed Attack Proxy (ZAP). https://www.zaproxy.org/
PortSwigger. (n.d.). Burp Suite – Application security testing software. https://portswigger.net/burp