Last Updated on July 11, 2013
Non-secure applications are a problem for nearly every business with an online presence. And the more complex and interconnected your IT infrastructure gets, the harder it can be to secure your applications. The first step for any organization is to eliminate comparatively straightforward security vulnerabilities. That’s what the nonprofit Open Web Application Security Project’s OWASP Top 10 is all about.
The goal of the OWASP Top 10 is to pinpoint the most commonplace and highest-priority application security risks plaguing organizations today, based on statistics from a wide range of IT security organizations. The OWASP Top 10 documents and tools, along with all other OWASP offerings, are available free. If your business needs to comply with PCI-DSS standards, you may be familiar with the OWASP Top 10 because the standard makes reference to it.
This latest 2013 iteration of the OWASP Top 10 marks the project’s tenth anniversary, with a new Top 10 being released every three years. Why a three-year cycle? According to OWASP board member Dave Wichers, “The field does evolve pretty quick but I don’t think the Top 10 risks substantially change every year.” In my opinion, that is unfortunately true in part because so many organizations haven’t yet addressed these well-publicized risks.
Whatever the sophistication level of your IT security program, you should be making use of the OWASP Top 10. It’s there to help you learn from the mistakes of others, and offers specific guidance on how to mitigate the risks that are almost certainly to some extent present in your applications today. (In my role as a Senior Security Consultant at Pivot Point Security I have never once found an application that didn’t have at least one of these vulnerabilities.)
So what’s new and different in the new 2013 edition of the OWASP Top 10? The only new item is “Using Known Vulnerable Components” (#9), which highlights a vulnerability that formerly was lumped in with “Security Misconfiguration.” Since most web developers make some use of components built by other developers, it’s important to check out security reporting on toolkits, widgets, libraries and so forth. Likewise, it’s important to re-incorporate the latest and most secure versions of components into your applications.
No vulnerabilities were removed from the 2010 edition for 2013. Instead, to make room for the new #9, two entries (#7 and #9 from 2010) were merged into a new, higher-priority #6 for 2013: “Sensitive Data Exposure.”
What are the most common and risky web application security flaws? Still at #1 for 2013 is “Injection.” Injection flaws can occur when malicious data is sent to a SQL, LDAP or other interpreter as part of a command or query—tricking the interpreter into executing the hacker’s commands or accessing unauthorized data.
Other changes to the list reflect developers’ ongoing efforts to address vulnerabilities. For example, “Broken Authentication and Session Management” moved up from #3 in 2010 to #2 in 2013 based on greater industry scrutiny around this flaw. Likewise, “Cross-Site Request Forgery (CSRF)” dropped in prevalence from #5 to #8, as developers have been focusing on eliminating this risk since it made the OWASP Top 10 six years ago.
You can get a copy of the OWASP Top 10 for 2013 in PDF format here. A couple of tips/takeaways to go with the list:
- The level of risk that your applications present is a function not just of individual vulnerabilities, but also of how hackers can play multiple vulnerabilities off one another to widen the breach. For example, as I described in a recent post on this blog, I was able to exploit a client’s application using OWASP 2010 flaws #5 and #10 in combination to steal users’ passwords undetected.
- Think about some of the ways you can leverage OWASP guidance beyond shaking out your applications, such as for training, to impress auditors, or to boost your IT security credibility with clients.
- As they say at OWASP… Don’t stop at 10! Take advantage of the wide range of OWASP resources and other information to help you address application security in your organization.
If you need support figuring out how best to apply knowledge of application security vulnerabilities in your environment, Pivot Point Security is here to help.