OWASP, the Open Web Application Security Project, is a global non-profit organization dedicated to improving the security of web applications. OWASP publishes materials that help developers understand how to improve the security of their own web applications, and these materials are freely available on its website (www.owasp.org): presentations, projects, videos, books, and downloads. One of its best-known projects is the OWASP Top 10, a periodically updated list compiled by experts in web application security; the most recent release at the time of writing is the 2017 edition. It ranks the ten most critical web application security risks, reflecting the attacks and technologies seen since the previous edition. The top 10, ordered from greatest risk to least, are:
Top 10 Greatest Threats
- Injection
Occurs when untrusted data is sent to an interpreter as part of a command or query (SQL, OS commands, LDAP, and so on). Attackers use the untrusted data to trick the interpreter into executing unintended commands or queries.
- Broken Authentication
Authentication and session management functions are often implemented incorrectly, allowing an attacker to compromise passwords, keys, or session tokens, or to assume other users' identities.
- Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, or personal information. Attackers can steal or modify such weakly protected data to commit payment fraud, identity theft, or other crimes.
- XML External Entities
Older or poorly configured XML processors evaluate external entity references inside XML documents. External entities can be used to disclose internal files via the file URI handler and to mount denial of service attacks.
- Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced, so an authenticated user can do as they please. Attackers exploit these flaws to access other users' data or to use functionality they are not authorized for.
- Security Misconfiguration
This is the most commonly seen issue. It usually results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that leak sensitive information.
- Cross-Site Scripting
XSS flaws occur when an application includes untrusted data in a web page without proper validation or escaping. They allow attackers to execute scripts in the victim's browser, which can hijack user sessions.
- Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even when it does not, deserialization flaws can be used for replay, injection, and privilege escalation attacks.
- Using Components with Known Vulnerabilities
Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a component with a known vulnerability is exploited, the result can range from data loss to a full server takeover.
- Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, and pivot to more systems.
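As an added illustration of the first item in the list (it is not code from the original page or from OWASP), the following Python program shows the injection flaw and its fix side by side: a login query built by splicing user input into the SQL text, and the same query written with bound parameters. The table, user names, passwords, and the attacker payload are all constructed for the demonstration, and passwords are stored in plain text only to keep the example short.

```python
import sqlite3

# Constructed sample accounts for the demonstration (plaintext passwords
# are used only to keep the example short; real systems store hashes).
USERS = [
    ("alice", "s3cret"),
    ("o'brien", "hunter2"),
]

# Classic tautology payload: closes the open string, adds an always-true
# condition, and comments out the rest of the WHERE clause.
PAYLOAD = "' OR '1'='1' -- "


def build_db():
    """Create an in-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so the interpreter cannot
    tell data from code: a crafted username rewrites the query."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values are bound
    separately, so user input is only ever treated as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def run_demo():
    """Exercise both versions and return the observed outcomes."""
    conn = build_db()
    results = {}

    # 1. The attacker supplies the payload as the username and any password.
    #    The concatenated query collapses to "... WHERE username = '' OR '1'='1'"
    #    and logs the attacker in as the first account in the table.
    results["vulnerable_payload"] = login_vulnerable(conn, PAYLOAD, "x")
    results["safe_payload"] = login_safe(conn, PAYLOAD, "x")

    # 2. A legitimate user whose name contains a quote: the concatenated
    #    query is now malformed and raises, while the bound parameter is
    #    handled correctly.
    try:
        results["vulnerable_quote"] = login_vulnerable(conn, "o'brien", "hunter2")
    except sqlite3.OperationalError as exc:
        results["vulnerable_quote"] = "error: %s" % exc
    results["safe_quote"] = login_safe(conn, "o'brien", "hunter2")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-18s %r" % (name, outcome))
```

Running the program shows the vulnerable query accepting the payload as a valid login for the first account and failing outright on a legitimate name that contains an apostrophe, while the parameterized query rejects the payload and handles the apostrophe without trouble. The second case is worth noting because the breakage on ordinary data is often what tempts developers to "fix" the query by escaping quotes by hand instead of binding parameters.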
In conclusion, what all of this means for a developer is that there are experts who are more proficient in web application security and who share that expertise openly through OWASP. The developer can go back to their own application and use this material to close the holes in their system that attackers can exploit.