July 10, 2020

Last Updated on January 15, 2024

You Should Probably Rethink How You’re Using the OWASP Top 10
The legendary Open Web Application Security Project (OWASP) “Top Ten Web Application Security Risks” document has been raising awareness about the most critical web app security vulnerabilities since 2003. It’s undoubtedly the most widely referenced web app security guidance in existence.
It’s also probably the most misused web app security guidance in existence.

Where are teams going wrong with the famous OWASP Top 10? And what should they be doing instead?

To definitively clarify best practices for applying OWASP guidance, including the OWASP Top 10 and OWASP ASVS, we invited Andrew van der Stock to join host John Verry on a recent episode of The Virtual CISO Podcast. Andrew is Senior Application Security Leader at OWASP and a primary contributor to both the Top 10 and ASVS. John is Pivot Point Security’s CISO and Managing Partner.
“The OWASP Top 10 from our perspective is an awareness document,” Andrew flatly states. “So, the things that you need to know to avoid being hacked. It was designed primarily to provide some sort of awareness to security professionals and developers.”
Andrew continues: “Our goal is to give people who are starting out on their application security journey the rough map. Fundamentally, we’re not trying to give people every answer. We’re trying to give them… these are the places you’re most likely to get mugged in.”

So in this realm of “application mugging,” is the OWASP Top 10 the gold standard for guidance?

“It succeeded at being an awareness document, but it also got adopted as the standard,” Andrew cautions. “When I wrote the OWASP Top 10 2007, I put in the front of the piece, ‘This is not a standard; please don’t use it as such. It’s an awareness piece.’ … However, because it’s so approachable—it’s only theoretically ten things… people think, ‘That’s all I need to do.’”
“It’s not—it’s the very start of your journey,” emphasizes Andrew. “If you’re starting your journey, it’s a great start. … If you are on the journey you should probably stop using it and start using the [OWASP] ASVS Level 1 and then work up.”
Andrew notes that the ASVS is “much more developer focused; it’s built around the concept of testing, and so you can use it from the very word ‘Go’.”

John summarizes the differences between the Top 10 awareness document and the ASVS standard: “The OWASP Top 10 are things which we are avoiding. … [The ASVS] is the list of things we should do.”

If your organization does web application development either in-house or through outsourcing, this podcast episode offers best-practice advice you don’t want to miss. Click here to listen to it in its entirety, along with our other cutting-edge podcast content.
If you don’t use Apple Podcasts, you can find all our episodes from The Virtual CISO Podcast here.

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!