Intro to OWASP

OWASP stands for Open Web Application Security Project. It is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation provides the tools for developers and technologists to secure the web.

The OWASP Top 10 is a standard awareness document for developers and web application security engineers. The list is updated regularly to reflect the latest security threats and represents a broad consensus about the most critical security risks to web applications. It is globally recognised by developers as the first step towards more secure coding. The latest version of the OWASP Top 10 was released in 2021. There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.

The top three risks are:

Broken Access Control - This category has moved up from the fifth position and had more occurrences in applications than any other category.

Cryptographic Failures - This category has shifted up one position to #2 and was previously known as Sensitive Data Exposure.

Injection - This category has slid down to the third position and includes Cross-site Scripting in this edition.

The rest of the risks:

Insecure Design - This is a new category for 2021, with a focus on risks related to design flaws.

Security Misconfiguration - This category has moved up from #6 in the previous edition.

Vulnerable and Outdated Components - This category was previously titled Using Components with Known Vulnerabilities and moves up from #9 in 2017.

Identification and Authentication Failures - This category was previously Broken Authentication and is sliding down from the second position.

Software and Data Integrity Failures - This is a new category for 2021, with a focus on risks related to data tampering or unauthorised changes to the software.

Security Logging and Monitoring Failures - This is a new category for 2021, with a focus on risks related to insufficient logging and monitoring of security events.

Server-Side Request Forgery (SSRF) - This category focuses on risks related to server-side request forgery attacks.

The current version of the OWASP Top 10

A01:2021-Broken Access Control

  • Insecure direct object references
  • Security misconfiguration
  • Broken object level authorisation
  • Abuse of privileges
  • Insufficient logging and monitoring

A02:2021-Cryptographic Failures

  • Use of weak cryptography
  • Insufficient key management
  • Insecure cryptographic storage
  • Side channel attacks

A03:2021-Injection

  • SQL injection
  • NoSQL injection
  • OS command injection
  • LDAP injection
  • XML injection

A04:2021-Insecure Design

  • Security misdesign
  • Security architecture flaws
  • Insecure defaults and configurations
  • Insufficient security controls

A05:2021-Security Misconfiguration

  • Insecure defaults and configurations
  • Missing security controls
  • Insufficiently protected data
  • Application security misconfiguration
  • Vulnerable and outdated components

A06:2021-Vulnerable and Outdated Components

  • Using Components with Known Vulnerabilities

A07:2021-Identification and Authentication Failures

  • Vulnerable passwords and password storage
  • Insufficient session management
  • Broken authentication and session management
  • Cross-site request forgery (CSRF)

A08:2021-Software and Data Integrity Failures

  • Insecure deserialisation
  • Using components with known vulnerabilities
  • Code injection
  • Insufficient validation of untrusted input

A09:2021-Security Logging and Monitoring Failures

  • Insufficient logging and monitoring
  • Failure to log key security events
  • Insufficient analysis of security logs
  • Incomplete or misleading security logs

A10:2021-Server-Side Request Forgery (SSRF)

  • Unvalidated or unfiltered HTTP requests
  • Cross-site request forgery (CSRF)
  • Proxy-based attacks
  • Server-side request forgery (SSRF)

Security metrics

  • CVE stands for Common Vulnerabilities and Exposures. It is a list of publicly disclosed, known security vulnerabilities in various software applications and operating systems. CVEs are assigned by a non-profit organisation called MITRE.

  • CWE stands for Common Weakness Enumeration. It is a community-developed list of common software and hardware weaknesses that can lead to security vulnerabilities. CWEs are also assigned by MITRE.

  • CVSS stands for Common Vulnerability Scoring System. It is a standard for assessing the severity of computer system security vulnerabilities. CVSS scores range from 0 to 10, with 10 being the most severe. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

  • CVSSv2 and CVSSv3 refer to versions 2 and 3 of the CVSS standard. CVSSv3 was designed to correct some shortcomings in CVSSv2. The three major metric groups – Base, Temporal, and Environmental – remained the same, but changes were made within both the Base and the Environmental groups. In the Base group, several changes were made:

    • Confidentiality, Integrity, and Availability metrics were each changed to have scoring parameters of None, Low, or High.
    • The Attack Vector metric added the Physical (P) value, which indicates a vulnerability where the adversary must have physical access to a system in order to exploit the vulnerability.
    • A new metric, User Interaction (UI), was added. This metric indicates whether or not the cooperation of a legitimate user is needed to conduct an exploit.
    • Another new metric, Privileges Required (PR), was added to indicate whether administrative or other escalated privileges on the target machine must be obtained in order to successfully exploit the system.

In addition to these changes, CVSSv3 also introduced a new scoring scale that maps the 0-10 score ranges to five different qualitative severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).

Scanning tools

It will be helpful to find tools that output Static Analysis Results Interchange Format (SARIF) data.

Here are a few open-source tools that can be integrated with GitHub Actions to automatically scan your code for security vulnerabilities.

CodeQL

This is a code analysis engine developed by GitHub that can be used to automate security checks. You can analyse your code using CodeQL and display the results as code scanning alerts in GitHub.

OWASP ASST

This is an open-source source code scanning tool developed by OWASP. It is a command-line interface (CLI) application developed with JavaScript (Node.js framework). You can integrate it with GitHub Actions to automatically scan your code.

Bandit

This is an open-source tool designed to find common security issues in Python code.
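The reason SARIF output matters is that one piece of pipeline code can consume results from any of the scanners above. As an added example (not code from the original article or from any of these tools), the following flattens a SARIF 2.1.0 log and acts as a CI gate; the SARIF document, the tool name and the rule ids are constructed placeholders, not output of a real scanner.

```python
import json
from collections import Counter

# Constructed, minimal SARIF 2.1.0 log shaped like a code scanner's output.
# Tool name, rule ids and file paths are placeholders, not real results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Possible SQL injection"}},
            {"id": "EX002", "shortDescription": {"text": "Hardcoded secret"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "possible hardcoded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def findings(sarif_text):
    """Flatten every result in every run to (level, ruleId, file, line)."""
    out = []
    for run in json.loads(sarif_text)["runs"]:
        for r in run.get("results", []):
            loc = r.get("locations", [{}])[0].get("physicalLocation", {})
            out.append((
                r.get("level", "warning"),  # SARIF's default level when omitted
                r.get("ruleId", "?"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
            ))
    return out

def gate(sarif_text, fail_on=("error",)):
    """CI gate: (passed, counts_by_level); fails when any result sits at a
    level listed in fail_on, so warnings can be reported without blocking."""
    counts = Counter(level for level, *_ in findings(sarif_text))
    return all(counts[level] == 0 for level in fail_on), dict(counts)

if __name__ == "__main__":
    passed, counts = gate(SAMPLE_SARIF)
    print("build passed" if passed else "build blocked", counts)
```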

Data Factors

Data factors are listed for each of the Top 10 categories. Here is what they mean:

  • CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
  • Incidence Rate: The percentage of applications vulnerable to that CWE from the population tested by that organisation for that year.
  • (Testing) Coverage: The percentage of applications tested by all organisations for a given CWE.
  • Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalised, and placed on a 10pt scale.
  • Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalised, and placed on a 10pt scale.
  • Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
  • Total CVEs: Total number of CVEs in the NVD database that were mapped to the CWEs mapped to a category.