OWASP, the Open Web Application Security Project, is a global non-profit organization dedicated to web application security. OWASP publishes materials that make it easier for developers to understand how to improve the security of their own web applications. These materials are freely available on its website (www.owasp.org) and include presentations, projects, videos, books, and downloads. One of its best-known projects is the OWASP Top 10, a yearly release compiled by leading experts in web application security; the most recent release is the 2017 edition. It outlines the ten most serious security risks found during the period covered, including those introduced by newly developing technologies. The list, from greatest threat to least, is:
- Injection
Untrusted data is sent to an interpreter as part of a query; the untrusted data can trick the interpreter into executing unintended queries.
- Broken Authentication
By exploiting flaws in the system's authentication, an attacker can compromise passwords, keys, or session tokens.
- Sensitive Data Exposure
APIs that do not adequately protect sensitive data, such as payment or healthcare information. Attackers can steal payment information and/or commit identity theft.
- XML External Entities
External entities can be used to disclose internal files via the file URI handler and to mount denial-of-service attacks.
- Broken Access Control
Restrictions on what authenticated users are allowed to do are missing or not enforced, so attackers can exploit these flaws to access unauthorized data.
- Security Misconfiguration
This is the most common issue, arising from insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and error messages that contain sensitive information.
- Cross-Site Scripting
XSS allows attackers to execute scripts in the victim's browser, which can be used to hijack user sessions.
- Insecure Deserialization
Deserializing untrusted data can lead to remote code execution.
- Using Components with Known Vulnerabilities
This includes using libraries, frameworks, and other software modules that have known vulnerabilities.
- Insufficient Logging & Monitoring
Ineffective logging and monitoring, and poor integration with incident response, allow attackers to persist and further attack systems.
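As an added example for the Injection entry above (not code from the original page or from OWASP), the same lookup is written twice against a constructed in-memory SQLite table: once by concatenating untrusted input into the SQL text, and once with a parameterized query, so the difference in what the interpreter executes can be observed directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a real application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is concatenated straight into the SQL text, so the
    # interpreter cannot distinguish data from code: the injection flaw.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # statement, so the input is only ever treated as a string literal.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo() -> dict:
    conn = make_db()
    # Untrusted input that closes the quoted literal and appends a tautology;
    # this is the textbook case the Injection entry describes.
    untrusted = "x' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, untrusted),  # every row leaks
        "safe": find_user_safe(conn, untrusted),              # no match
        "normal": find_user_safe(conn, "bob"),                # legitimate lookup
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

The vulnerable variant returns the whole table because the interpreter ran a query the developer never wrote; the parameterized variant returns nothing for the same input, which is the behavior a code review or a query-logging check should expect.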
What all this information means for developers is that experts who are more proficient in web application security share their expertise openly through OWASP. A developer can go back and secure their own application to reduce the number of loopholes in the system that attackers could exploit.