Last Updated on June 2, 2020
Andrew van der Stock is very serious about his espresso and has a darn fine beer palate.
He also happens to be a Senior Application Security Leader at The OWASP Foundation and the original author of The infamous OWASP Top 10.
Be Careful Walking Down Application Street Alone at Night
Not familiar with The OWASP Top 10? Andrew gives, perhaps, the best analogy ever.
He explains the work he and The OWASP Foundation have been doing with The OWASP Top 10 as being designed primarily as an awareness document for security professionals and developers who are starting out on their application security journey.
So, instead of a document of the things that you need to know to avoid being hacked, it’s what he calls a “rough map” in his analogy for the ages:
“It’s not a map like, “Here is New York, here is Atlanta”, but fundamentally, while we are not trying to give people every answer, we are trying to show them ‘here are the places you’re most likely to get mugged in.’”
Nefarious beings skulking around your application?
It’s an “application mugging”!
So, is The OWASP 10 the Gold Standard?
The OWASP Top 10 is constantly evolving and probably the most referenced document in the world when it comes to application security.
It lists the 10 most significant vulnerabilities at that particular point in time that people should be cognizant of and try to avoid.
There are different user communities using it as a reference point for highlighting the vulnerabilities at a particular point in time.
People who are writing code, developers, people like us that are testing applications on their behalf, etc. I was particularly interested to hear Andrew’s take on who he thinks is using it and how he ultimately intended for it to be used.
Here is a breakdown:
- 15 years ago it was for application security teams and they were telling, not asking developers how to do things.
- He considers it, all in all, a bit of a fail.
- While the content is always evolving, the core of what the document is, is not.
- He doesn’t consider it the “gold standard”. He considers it a valuable awareness piece.
“When I wrote the OWASP 10 in 2007, I put it to the front of its piece. This is no standard piece. Don’t use it as such. It’s an awareness piece. And I’ve been very consistent about that for a long time. However, because it’s so approachable, it’s only theoretically 10 things in there. There’s 43 of them in there. People think “that’s all I need to do” But it’s not. It’s the very start of your journey.” – Andrew Van der Stock
Next level considerations to take on as you progress on your journey
Andrew and the team at the OWASP Foundation have developed the Application Security Verification Standard (ASVS), which is much more developer (and assessment) focused.
Now, there are a lot of things in there, and Andrew is the first one to say It can be overwhelming. His recommendation is this:
Firstly, it’s built around the concept of testing, so it’s a great guide.
Where the Top 10 is mostly what not to do (or where not to go, from the rough neighborhoods analogy above), the ASVS is the opposite. Every single thing in the ASVS is written as a positive control. So, it tells you what to do.
When should you absolutely be using ASVS?
Well, that got our attention.
Andrew advises starting with ASVS Level 2 and working your way up, for applications that involve human lives being at stake or the economy.
ASVS Level 3 is appropriate for doing command and control software for the military, which is exactly what it’s designed for. He explains that Level 3 has a level of “paranoia” that is built-in.
For example, it assumes bad code. It assumes Easter eggs. It assumes that people will attack your memory. Things that just don’t happen for most apps, ASVS cares about, very deeply, at Level 3.
Another case for Level 3?
If you’re doing medical device software that needs to be resilient, you should do Level 3 selectively, because there are areas where you need to be very, very cognizant of if your software fails because of a security issue, you’re going to kill people.
And here is Andrew’s bold statement, urging people to not rely on The Top 10 for all situations.
“That is not the top 10, it’s never been the top 10.”
The OWASP Top 10, as useful and accessible as it is, is not stringent enough for the needs that arise from the majority of commercial applications.
This post is based on The Virtual CISO podcast hosted by John Verry and featuring special guest, Andrew van der Stock
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.