Do you use the Open Web Application Security Project (OWASP) Top 10 Project as part of your web security testing program? If not, now's a great time to get on board. There's a new version coming out for 2013 that can be an invaluable resource.
The OWASP Top 10 is a consensus of the most critical web application security-related risks. It provides a good framework on the issues to avoid when developing web applications as well as what to look for when testing for security weaknesses.
Currently in the release candidate stage, the OWASP Top 10 2013 has been tweaked to further enhance the web application security cause. Notable changes and improvements include:
- Broadening of URL access control flaws to now include actual application functions
- Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and client side
- Addition of a new category of flaws 'Using Components with Known Vulnerabilities' to include add-on and third-party software components (a common issue that's often overlooked in development and security)
- Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws
OWASP Top 10 2013
The new OWASP Top 10 of 2013 currently reads as follows:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Use the OWASP Top 10 as a good resource for guidance around web application vulnerabilities. Just know that your mileage is going to vary when it comes to actual web security findings and what needs to be (or can be) done to fix the issues. Some security flaws you uncover pose real business risks. Some may exist but not matter in the grand scheme of what you're doing. Other flaws appearing in the OWASP Top 10 will be non-existent. Your situation is unique and every application you look at is unique. Focus on what matters for your business.
The OWASP Top 10 is great for developers and QA professionals. It's good for IT and information security. Most importantly, it's good for business. The important thing is to leverage the OWASP Top 10 in the spirit of which it's intended. It's a free, yet invaluable, resource.
Go Beyond the OWASP Top 10 for a Complete Web Application Security Audit
Even though the OWASP Top 10 is an invaluable resource which one should follow when auditing a web application, you should not focus on finding web application vulnerabilities which are listed in this list only. The OWASP Top 10 list is to be used as a guideline and contains only the most critical vulnerabilities. There are many other web application vulnerabilities which could be exploited by hackers. Scan your websites and web applications with a web application security scanner such as Netsparker to uncover all other web application vulnerabilities your portals might have.