Developers and security professionals worldwide know and love the Open Web Application Security Project (OWASP) “Top Ten Web Application Security Risks” document. In fact, its creators at OWASP feel that the famous “Top 10” is being overused and incorrectly applied as if it were a standard, which is not its intended purpose.
Who and what is the OWASP Top 10 really for? What’s the recommended alternative and when should you switch?
To illuminate the intent and use cases for both the venerable OWASP Top 10 and the newer OWASP Application Security Verification Standard (ASVS), we invited Andrew van der Stock to be our guest on a recent episode of The Virtual CISO Podcast. Andrew is Senior Application Security Leader at OWASP and a major contributor to both documents. Host John Verry, Pivot Point Security’s CISO and Managing Partner, is a “huge OWASP fan” and long-time user.
According to Andrew, the OWASP Top 10 is intended to be simply an awareness document to help you avoid coding the most blatant and dangerous vulnerabilities into your applications. It tells you what not to do, but offers little guidance on what to do (i.e., building positive controls) or how to test your code.
The OWASP ASVS, on the other hand, is intended to be a definitive reference standard for secure web application development. It offers five levels of increasing security, and is built with modern coding and testing practices in mind.
If you’re just starting out with web app security, the OWASP Top 10 is a good choice because it’s limited in scope and approachable. But once you’re past that newbie stage, it’s time to move to the ASVS.
According to Andrew, “[The ASVS] is much more developer focused; it’s built around the concept of testing, and so you can use it from the very word ‘Go’. From sprint planning sessions, where you’re saying, ‘These are the constraints I need to think about from a security perspective. These are the functional issues that I need to consider,’ the ASVS can help guide you.”
“Every single thing in the ASVS is written as a positive control,” Andrew continues. “So it tells you what to do. It’s designed to be forked and so we make it very easily available on GitHub. You can pull it down and change it to your heart’s content.”
For example, if you’re not doing multifactor authentication, just skip that section and move on. ASVS Level 1 is considered “the bare minimum that all applications should strive for.” It covers “application security vulnerabilities that are easy to discover and included in the OWASP Top 10 and other similar checklists.” But even ASVS Level 1 offers more protection than the Top 10 on its own.
“If you’re doing applications that can kill people, or run the economy, you should absolutely not be using the OWASP Top 10,” Andrew underscores. “You absolutely need to start with ASVS Level 2 and work your way up. If you’re doing command and control software for the military, you actually have to use Level 3. That’s what it’s designed for.”
If your organization is using the OWASP Top 10 today, this must-listen podcast episode could change how you develop and test web applications. Click here to listen to the complete episode, along with our other cutting-edge podcast content.
If you don’t use Apple Podcasts, you can find all our episodes from The Virtual CISO Podcast here.