Do you use the Open Web Application Security Project (OWASP) Top 10 Project as part of your web security testing program? If not, now’s a great time to get on board. There’s a new version coming out for 2013 that can be an invaluable resource.
The OWASP Top 10 is a consensus list of the most critical web application security risks. It provides a good framework for the issues to avoid when developing web applications, as well as for what to look for when testing for security weaknesses.
Currently in the release candidate stage, the OWASP Top 10 2013 has been revised and updated since the 2010 edition. Notable changes and improvements include:
The new OWASP Top 10 of 2013 currently reads as follows:
Use the OWASP Top 10 as a good resource for guidance around web application vulnerabilities. Just know that your mileage will vary when it comes to actual web security findings and what needs to be (or can be) done to fix the issues. Some security flaws you uncover pose real business risks. Some may exist but not matter in the grand scheme of what you're doing. Other categories in the OWASP Top 10 may not apply to your application at all. Your situation is unique and every application you look at is unique. Focus on what matters for your business.
The OWASP Top 10 is great for developers and QA professionals. It's good for IT and information security. Most importantly, it's good for business. The important thing is to use the OWASP Top 10 in the spirit in which it's intended. It's a free, yet invaluable, resource.
Even though the OWASP Top 10 is an invaluable resource to follow when auditing a web application, you should not limit your testing to the vulnerability categories it lists. The OWASP Top 10 is meant as a guideline and covers only the most critical risk categories, not every weakness an attacker can exploit. There are many other web application vulnerabilities that fall outside the list. Scanning your websites and web applications with a web application security scanner such as Netsparker helps uncover vulnerabilities beyond the Top 10, though no scanner finds everything: business logic flaws and authorization issues specific to your application still require manual testing.