No matter who you talk to about application security, it is almost inevitable that the OWASP Top 10 Web Application Security Risks will come up. For those who are not familiar with OWASP, this article gives a short overview of the organization and of the Top 10 list, which has become the reference point that most application security frameworks build on. OWASP stands for the Open Web Application Security Project, and its stated mission is to be “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.”
OWASP first published the Top 10 in 2003 and has updated it roughly every two to three years since. The latest version of the Top 10 Web Application Security Risks was released in 2017. OWASP describes the purpose of the list as follows:
Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
The list covers the most common vulnerabilities found in web applications, led by injection (A1:2017) and cross-site scripting (XSS, A7:2017), two of the vulnerability classes most frequently exploited in real attacks according to the Verizon Data Breach Investigations Report (DBIR). The list also contains other risks that organizations need to be mindful of: it calls out using components with known vulnerabilities (A9:2017), so that third-party libraries are tracked and patched; security misconfiguration (A6:2017), which covers default accounts, verbose error messages, and unnecessary features left enabled; and insufficient logging and monitoring (A10:2017), so that an attack on the application is actually noticed and can be investigated.
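To make the two headline risks concrete, here is an added example (not code from the original article or from OWASP) showing an injection flaw and an XSS flaw side by side with their fixes. It uses Python's built-in `sqlite3` module against an in-memory database and `html.escape` for output encoding; the table, the user records, and the function names are all constructed for the illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, bio) VALUES (?, ?)",
        [("alice", "Likes cats"), ("bob", "Writes <b>bold</b> claims")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """A1:2017 Injection: untrusted input is concatenated into the SQL text,
    so a value such as  x' OR '1'='1  rewrites the WHERE clause."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: a parameterised query. The driver sends the value
    separately from the statement, so it can only ever be compared as data."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def render_bio_vulnerable(bio: str) -> str:
    """A7:2017 XSS: user-controlled text is dropped into HTML unencoded,
    so a stored bio of  <script>...</script>  runs in every viewer's browser."""
    return f"<p>{bio}</p>"


def render_bio_safe(bio: str) -> str:
    """Hardened form: encode for the HTML body context before interpolating.
    quote=True also encodes ' and " so the same helper is safe inside
    attribute values."""
    return f"<p>{html.escape(bio, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # classic tautology payload
    print("vulnerable lookup:", find_user_vulnerable(db, payload))  # every user
    print("safe lookup:      ", find_user_safe(db, payload))        # no match
    xss = "<script>alert(document.cookie)</script>"
    print("vulnerable render:", render_bio_vulnerable(xss))
    print("safe render:      ", render_bio_safe(xss))
```

The injection payload returns every row through the concatenated query and nothing through the parameterised one; the XSS payload survives intact in the first renderer and comes out as inert text in the second. Parameterised queries and context-appropriate output encoding are the primary defences OWASP recommends for these two categories, and a RASP or a security scanner is a backstop for the cases that slip past code review, not a replacement for them.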
The Top Ten project has become OWASP's flagship and the de facto baseline for application security awareness, and it is a great starting point for anyone wanting to understand the issues around application security. If you are evaluating application security products, you will often find them advertised as protecting against the OWASP Top 10. Treat coverage of the OWASP Top 10 as the minimum bar for any solution you choose, and ask the vendor how each category is actually detected rather than taking the checkbox at face value.
OWASP has branched out into many other facets of application security beyond the Top 10 for which it is best known. For verification, OWASP has developed the Application Security Verification Standard (ASVS), which is intended for organizations looking for help with security during the development and maintenance phases of an application. The standard defines three levels of security verification, from Level 1 (a baseline suitable for any application) through Level 2 (the recommended level for applications that handle sensitive data) to Level 3 (for the most critical applications), and lets organizations apply the level that matches how secure their application needs to be.
OWASP also maintains the Web Security Testing Guide (WSTG), a guide to security testing that is another great resource for organizations needing help with application security. It describes the phases of the testing framework and explains the various testing techniques, along with their advantages and disadvantages.
OWASP also hosts the Cheat Sheet Series project on GitHub, which provides cheat sheets on a wide array of security topics. The project focuses on giving builders good security practices for securing their applications. The cheat sheets give developers practical steps for avoiding specific vulnerabilities, guidance for reviewing code, and guidelines for security testing.
While there are other projects of note, the last one I will mention in this article is WebGoat. WebGoat is a deliberately insecure application that lets developers practice finding and exploiting vulnerabilities commonly found in Java-based applications built on popular open source components. WebGoat was created on the premise that web application security is difficult to learn and practice, and that people trying to learn typically do not have access to a web application they are permitted to attack or scan. In addition, security professionals often need to run their tools against a platform known to be vulnerable to verify that the tools perform as advertised. WebGoat provides that platform.
If you are not familiar with Runtime Application Self-Protection (RASP), now is a good time to learn how it can be used to secure applications against the OWASP Top 10 Web Application Security Risks. The recently finalized Revision 5 of the National Institute of Standards and Technology (NIST) SP 800-53 adds RASP as a control enhancement (SI-7(17), Runtime Application Self-Protection), which gives Federal government organizations, and those that work with the Federal government, a concrete reason to start evaluating RASP.
RASP solutions such as the one from K2 Cyber Security offer significant application protection while using minimal resources and adding negligible latency to the application. The K2 Security Platform uses runtime deterministic security to monitor the application, building a detailed model of the application's control flow and execution. Because it validates the application's own control flow rather than matching signatures of past attacks, it can flag a zero day attack it has never seen before, and it also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL injection.
K2's Next Generation Application Workload Protection Platform addresses today's need for runtime security in a solution that is easy to use and easy to deploy. K2's deterministic security detects new attacks without relying on prior attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To speed remediation of the underlying vulnerability, K2 also provides detailed attack telemetry, including the code module and line number under attack, and integrates with leading firewalls for real-time blocking of the attacker.
Change how you protect your applications, and check out K2’s web application and application workload security solution.