What is OWASP

The Open Web Application Security Project (OWASP) is a non-profit international organization dedicated to improving the security of software, and of web applications in particular. One of its founding principles is that its material (guides, cheat sheets, tools and testing frameworks) is published free of charge on its website. With a large membership and chapters around the world, OWASP has become a trusted source of web application and API security guidance.

Every developer, whatever their level of experience, should spend time learning how code becomes vulnerable: a security defect found after release is far more disruptive and expensive to fix than one avoided during design and implementation. So, what exactly is the OWASP Top 10?

Every few years OWASP publishes an updated list of the ten most critical web application security risk categories. For each category the document describes the risk, the likely consequences of exploitation, and how to prevent or mitigate it. The list is compiled from vulnerability data contributed by security consultants, vendors and corporate security teams, supplemented by a community survey, and it is widely treated as the baseline for web application security practice.

The 2021 edition introduced three new categories, changed the name and scope of four existing ones, and consolidated several others.

The primary purpose of the Top 10 is awareness, but since the first edition in 2003 organizations have adopted it as an informal benchmark for application security. Each category in the document is mapped to the CWEs (Common Weakness Enumeration entries) it covers, which makes it straightforward to tie a finding from a scanner or code review back to a Top 10 category.

OWASP Top 10

Entry (2021 identifier) and recommended remediation:

A01:2021 Broken Access Control
- Adopt a least-privilege approach: deny by default, and enforce authorization on the server for every request.
- Delete inactive accounts.
- Audit server and website activity, including access-control failures.
- Disable unnecessary access points.
- Shut down unneeded services.

A02:2021 Cryptographic Failures
- Turn off autocomplete on forms that collect sensitive data.
- Minimize data exposure: do not collect or retain sensitive data you do not need.
- Encrypt data in transit and at rest.
- Use current, standard algorithms and protocols, and retire deprecated ones.
- Disable caching of responses that contain sensitive data.
- Store passwords with a strong, salted, adaptive hashing function (Argon2, scrypt, bcrypt or PBKDF2), never a plain fast hash.

A03:2021 Injection
- Keep commands separate from data.
- Use parameterized queries or prepared statements for every database call.
- Prefer safe APIs that avoid the interpreter entirely.
- Apply positive (allow-list) validation on the server as defence in depth, and monitor for injection attempts.

A04:2021 Insecure Design
- Use a secure development lifecycle with AppSec professionals involved from the start.
- Build on a library of vetted secure design patterns and components.
- Apply threat modeling to critical flows: authentication, access control, business logic and key data flows.
- Write security controls into user stories.
- Integrate plausibility checks at each tier of the application.
- Segregate tiers according to exposure and protection needs.
- Limit resource consumption per user or service.

A05:2021 Security Misconfiguration
- Use preconfigured, hardened templates so that development, test and production are configured identically.
- Use a segmented application architecture.
- Deploy minimal platforms with no unnecessary features, components or sample content.
- Continuously monitor for misconfigurations and remediate them promptly.

A06:2021 Vulnerable and Outdated Components
- Inventory and manage every integrated component, including transitive dependencies.
- Scan for known vulnerabilities continuously, not only at release time.
- Use a scanner that can automatically discover components.
- Scan against a comprehensive, current vulnerability database.
- Automate the patch-management workflow.

A07:2021 Identification and Authentication Failures
- Implement multi-factor authentication.
- Never ship or deploy with default credentials.
- Enforce strong passwords and reject known weak ones.
- Log and monitor failed login attempts, and rate-limit or lock out brute-force attempts.
- Use a secure session manager that issues random session identifiers and invalidates them on logout and after timeouts.

A08:2021 Software and Data Integrity Failures
- Use digital signatures or an equivalent mechanism to verify the authenticity and integrity of software and data.
- Require review of code and configuration changes.
- Pull libraries and dependencies only from trusted repositories.
- Ensure the CI/CD pipeline itself has proper segregation, configuration and access control.
- Verify the integrity of serialized or transmitted data before acting on it.

A09:2021 Security Logging and Monitoring Failures
- Use logging and audit tooling to detect suspicious activity; log authentication, access-control and input-validation failures with enough context to investigate them.
- Alert on detected intrusions, and harden policies and controls in response.

A10:2021 Server-Side Request Forgery (SSRF)
- Validate and sanitize every client-supplied URL on the server.
- Regular expressions (RegEx) help with format checks but are not sufficient on their own; combine them with an allow list of permitted schemes, hosts and ports.
- Accept only the intended IP address format, and reject requests that would reach internal, loopback, link-local or cloud-metadata addresses.
- Validate domain names against an allow list rather than a deny list.

For all ten categories, consult the OWASP Cheat Sheet Series for detailed, language-specific guidance.
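The A02 remediation "use strong, salted hashing functions for passwords" is easy to state and easy to get subtly wrong. The following is an added example, not code from OWASP or from this page; it uses only the Python standard library (PBKDF2-HMAC-SHA256, which is the weakest of the four functions OWASP lists but the one available everywhere without a dependency). The record format, the 600,000 iteration count and the sample passwords are this example's own choices. It contrasts an unsalted fast hash (the failure mode) with a salted, slow, self-describing record that can be upgraded when the work factor is raised.

```python
import hashlib
import hmac
import os

# Record format, one string per user (this example's own convention):
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The failure mode: a plain fast hash. Two users with the same password get the
    same digest, and one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def _parse_record(stored: str):
    """Return (iterations, salt, key) or None if the record is malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt, key = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or not salt or not key:
        return None
    return iterations, salt, key


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison does not leak how many leading bytes matched."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work factor (or is malformed), so the
    application can re-hash the password at the user's next successful login."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")     # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # True: the problem
```

Because the iteration count is stored with each record, raising ITERATIONS later does not lock anyone out: verify_password still succeeds with the old count, and needs_rehash tells the login handler to rewrite the record while it still has the plaintext in hand.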
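The A10 remediations (validate input, accept only the intended IP address format, validate domain names) describe an allow-list check on a user-supplied URL before the server fetches it. The following is an added example, not code from OWASP or from this page. The scheme, host and port allow lists are hypothetical, and DNS is replaced by a constructed in-memory table so the code runs offline; a real deployment would resolve with socket.getaddrinfo and connect to the address it checked. It goes beyond format checking to show the cases a regular expression alone misses: credentials in the authority, IP literals, non-default ports, and an allow-listed name that resolves to an internal address.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow list for this example; a real service would load it from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {443}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],  # a routable address
    "cdn.example.com": ["10.0.0.5"],       # allow-listed name now pointing inside the network
}


class UnsafeUrl(Exception):
    """Raised with the reason a URL was rejected."""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_public_address(addr: str) -> bool:
    """Reject the ranges SSRF payloads target: RFC 1918 and other private space,
    loopback, link-local (169.254.169.254 cloud metadata), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> str:
    """Return the URL if every component passes the allow list, otherwise raise UnsafeUrl."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL (the 'allowed-host@real-host' trick)")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeUrl("missing host")
    if is_ip_literal(host):
        raise UnsafeUrl(f"IP literal not allowed: {host}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host not on allow list: {host}")
    try:
        port = parts.port or 443
    except ValueError:
        raise UnsafeUrl("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    # A name on the allow list is not enough: check where it actually resolves.
    addresses = resolve(host)
    if not addresses:
        raise UnsafeUrl(f"host does not resolve: {host}")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    return parts.geturl()


def is_safe_outbound_url(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    for candidate in ["https://api.example.com/v1/items",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://api.example.com@169.254.169.254/",
                      "https://cdn.example.com/lib.js",
                      "file:///etc/passwd"]:
        try:
            print("allowed ", validate_outbound_url(candidate))
        except UnsafeUrl as reason:
            print("rejected", candidate, "->", reason)
```

Two caveats the check cannot cover by itself. First, validate the target of every redirect with the same function, or configure the HTTP client not to follow redirects, because an allowed host can bounce the request to an internal one. Second, the resolution check has a time-of-check/time-of-use gap: a DNS answer can change between the check and the connection, so the fetching code should connect to the address it validated rather than resolving the name a second time.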