The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. The OWASP Top 10 represents a broad consensus on the most critical web application security flaws. The errors on this list occur frequently in web applications, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over your software, steal data, or prevent your software from working at all.
Meeting OWASP Compliance Standards is the First Step Toward Secure Code
Web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report). Yet many organizations struggle to implement an application security program because they simply don’t know where to start. Setting policies based on eliminating OWASP Top 10 vulnerabilities is an excellent starting point – these vulnerabilities are widely accepted as the most likely to be exploited, and remediating them will greatly decrease your risk of breach. For more details, see The Ultimate Guide to Getting Started with Application Security.
[Chart: percentage of applications that pass an OWASP Top 10 policy]
Our research reveals that applications continue to reach production with OWASP Top 10 vulnerabilities (see chart below), even as news headlines about data breaches proliferate. One reason for this disconnect is misconceptions about what application security is and is not. A one-time scan or pen test of a handful of business-critical apps is not effective application security. A program that continuously assesses the applications an organization builds, buys or assembles, from inception to production, is effective application security. Find out more about application security misconceptions with our Application Security Fallacies and Realities guide.
[Chart: OWASP Top 10 pass rates, internally developed vs. commercial (third-party) applications]
As development speed has increased, so has reliance on third-party applications and code. Yet, as the chart below shows, third-party applications also continue to carry a significant number of OWASP Top 10 vulnerabilities. This reinforces the point that organizations should have policies requiring third-party software to meet the same standards as internally developed software. Many organizations are turning to outside security experts who can work with their software supply chains to verify that these policies are being met.
Application security affects all organizations in all industries, but our research has found that different OWASP Top 10 flaws are more prevalent in different industries. Organizations should use this information to shift their focus to the most pressing issues facing their particular sector. Check out our State of Software Security: Focus on Industry Verticals for details.
A Guide to Testing for the OWASP Top 10
As software increases in importance, and breaches continue to proliferate through the application layer, organizations will need a new approach to security. An application security program that uses a mix of technologies and services to secure the entire application landscape, and each application throughout its lifecycle, is becoming a necessity. This mix should include:
- Tools and processes that enable developers to find and fix vulnerabilities while they are coding
- Third-party security
- Software composition analysis
- Dynamic analysis
- Static analysis
- Runtime protection
- Web perimeter monitoring
Get started with our Ultimate Guide to Getting Started With Application Security.
OWASP Top 10 Application Security Risks – 2017
The descriptions below follow the wording of the 2017 Release Candidate 1 (April 2017). The final 2017 list, published in November 2017, dropped Insufficient Attack Protection and Cross-Site Request Forgery and added XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring, so check the current OWASP list before basing a policy on the categories named here.
- Injection: Injection flaws, such as SQL, OS, XXE, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- Broken Authentication and Session Management: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently).
- Broken Access Control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, or changing access rights.
- Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
- Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial data, healthcare records, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest and in transit, as well as special precautions when exchanged with the browser.
- Insufficient Attack Protection: The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding to, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.
- Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
- Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
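As an added example, not part of the original page or of OWASP's own material, the Python script below puts two of the risks above side by side in working code: an injection flaw and its parameterised fix, and a state-changing handler that accepts forged cross-site requests next to the synchronizer-token check that stops them. The user table, session and form payloads are constructed for illustration; an in-memory SQLite database stands in for the application's data store and plain dicts stand in for the server-side session and the submitted form.

```python
"""Added example: two OWASP Top 10 (2017 RC1) risks, vulnerable and hardened side by side.

Everything here is constructed for illustration: an in-memory SQLite table stands in
for the application's user store, and plain dicts stand in for the server-side session
and the submitted HTML form.
"""
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


# --- Injection -------------------------------------------------------------

def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the query text, so the SQL interpreter cannot
    tell where the data ends and the command begins."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Parameterised query: values travel to the driver separately from the SQL text,
    so quotes or keywords in the input are only ever compared, never executed."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# --- Cross-Site Request Forgery -------------------------------------------

def issue_csrf_token(session):
    """Bind a fresh unpredictable token to the server-side session. The application
    embeds it in its own forms; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_vulnerable(session, form):
    """Only the cookie-backed session is checked. Any page the victim visits can make
    the browser POST this form with the cookie attached, so the request is accepted."""
    if "user" not in session:
        return "401 not logged in"
    return f"200 transferred {form['amount']} to {form['to']}"


def transfer_hardened(session, form):
    """Require the form to echo the token bound to the session. compare_digest on the
    encoded values keeps the comparison constant-time and tolerates non-ASCII input."""
    if "user" not in session:
        return "401 not logged in"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 csrf check failed"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    db = make_db()
    # Payload closes the username literal and ORs in a clause that defeats the password check.
    evil_user = "admin' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, evil_user, "wrong"))  # [('admin', 'admin')]
    print("hardened login:  ", login_hardened(db, evil_user, "wrong"))    # []

    session = {"user": "alice"}
    token = issue_csrf_token(session)
    forged = {"amount": "1000", "to": "mallory"}  # no token: the attacker's page cannot read it
    legit = {"amount": "10", "to": "bob", "csrf_token": token}
    print("vulnerable handler, forged form:", transfer_vulnerable(session, forged))
    print("hardened handler, forged form:  ", transfer_hardened(session, forged))
    print("hardened handler, legit form:   ", transfer_hardened(session, legit))
```

The injection payload never needs the password because `AND` binds tighter than `OR`: the attacker's clause rewrites the condition to `username = 'admin' OR ('1'='1' AND password = 'wrong')`, which is true for the admin row. The parameterised version compares the whole string as data and finds no such user. For CSRF, the token must be unpredictable and bound to the session, and the comparison must reject a missing token; in a real application the same check belongs on every state-changing endpoint, complemented by `SameSite` cookie attributes.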