
New OWASP Top 10 2017

Anonymous

What is OWASP?

OWASP is a web application security project (Open Web Application Security Project) composed of an open community dedicated to empowering organizations to develop, acquire and maintain applications that can be trusted.


In OWASP we find:

  • Application security tools and standards
  • Complete books on application security reviews, secure source code development, and source code security reviews
  • Standard security controls and libraries

All tools, documents, and resources are free and open to anyone interested in improving application security.

Web application security risks

OWASP defines the following table to assess the risks of a vulnerability:

[Figure: Risks of a vulnerability]

Attackers can use different attack vectors throughout the application to harm your organization. Each of these vectors may or may not be serious enough to warrant attention.

Sometimes these routes are "easy" to find and exploit, and sometimes very difficult. Likewise, they may have no impact on the system at all, or they may take it out of service.

How is risk calculated?

The OWASP Top 10 focuses on identifying the most serious risks for a wide range of organizations. For each of these risks, OWASP has defined the following rating scheme.

[Figure: Risk rating scheme]

Only your organization knows the specifics of its business. For a given application, there may be no threat agent able to execute the attack in question. Therefore, it is up to you to assess each risk and the impact it could have on the business.
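The rating scheme referred to above, as an added example that is not part of the original article: the 2017 methodology rates each category on four factors (1 to 3) and sets risk = average(exploitability, prevalence, detectability) × technical impact; the business_impact multiplier is an added assumption standing in for the organization-specific assessment the article leaves to the reader.

```python
# Added example (not from the article): OWASP Top 10 2017 risk scoring.
# The 2017 methodology rates each category on four factors (1-3) and sets
# risk = average(exploitability, prevalence, detectability) * technical impact.
# The business_impact multiplier is an added assumption standing in for the
# organisation-specific assessment the article leaves to the reader.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskFactors:
    name: str
    exploitability: int    # 1 difficult, 2 average, 3 easy
    prevalence: int        # 1 uncommon, 2 common, 3 widespread
    detectability: int     # 1 difficult, 2 average, 3 easy
    technical_impact: int  # 1 minor, 2 moderate, 3 severe

    def __post_init__(self) -> None:
        for field in ("exploitability", "prevalence", "detectability", "technical_impact"):
            if getattr(self, field) not in (1, 2, 3):
                raise ValueError(f"{field} must be 1, 2 or 3")

def likelihood(f: RiskFactors) -> float:
    """Average of the three likelihood factors, 1.0 to 3.0."""
    return (f.exploitability + f.prevalence + f.detectability) / 3

def risk_score(f: RiskFactors, business_impact: float = 1.0) -> float:
    """Likelihood x technical impact, scaled by the organisation's own
    business-impact weighting (1.0 = take the generic OWASP score as is)."""
    if business_impact <= 0:
        raise ValueError("business_impact must be positive")
    return round(likelihood(f) * f.technical_impact * business_impact, 1)

def rank(categories: list[RiskFactors], weights: dict[str, float] | None = None) -> list[tuple[str, float]]:
    """(name, score) pairs from highest to lowest risk; weights are per-name
    business-impact multipliers, defaulting to 1.0."""
    weights = weights or {}
    scored = [(c.name, risk_score(c, weights.get(c.name, 1.0))) for c in categories]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Illustrative input: the factor ratings the 2017 document gives these two categories.
SAMPLE = [
    RiskFactors("A1 Injection", 3, 2, 3, 3),
    RiskFactors("A10 Insufficient Logging & Monitoring", 2, 3, 1, 2),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{score:4.1f}  {name}")
```

Raising the business-impact weight for a single category (for example, logging and monitoring in an environment where undetected intrusion is the dominant concern) changes the ranking, which is the point the article makes about organization-specific assessment.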

OWASP Top 10

Based on all the criteria described above, OWASP publishes a Top 10 document that weighs the most common and highest-risk vulnerabilities in web applications. It serves as the basis on which most companies and security specialists build a common, standard methodology.

This document, with its list of the 10 most common vulnerabilities, is updated every 3 years, since many of the vulnerabilities, risks and ways of exploiting them naturally also evolve over time.

The last recognized Top 10 dated from 2013. Following the three-year cycle, the next one should have come out last year; instead, because there were few changes in the existing vulnerabilities, the organization decided to delay it for a year and release it in 2017.

OWASP Top 10 2013 vs OWASP Top 10 2017

In the following image you can see the most significant differences between the old and new versions:

[Figure: Most significant differences between the old and new versions]

As can be seen, only a few vulnerabilities have changed, and the overall structure of the most common ones remains intact. Some of the main novelties of the new 2017 version are:

  • A8 - CSRF disappears as a vulnerability within the Top 10: thanks to certain controls that applications now have, the study that was carried out found it in only 5% of current web applications.
  • New vulnerabilities appear that relate to the application code, for example A4, which refers to XML injections detected by this type of code analysis.
  • A4 and A7 of the old 2013 list are merged into a new vulnerability that encompasses both and refers to incorrect management of access to certain parts / resources of the information handled by the applications.
  • Another new vulnerability is defined for the incorrect monitoring and management of logs, which are needed to assess the security of the applications in the event of an attack or intrusion.

Although the previous Top 10 had been undergoing revision since the beginning of 2017, it was not until the end of the year that its latest version was released, and it appears to be the final one. It is currently being translated into various languages, including Spanish, so it is unlikely to undergo many further relevant changes.

At Áudea, we not only follow the Top 10 discussed here to carry out all our web application audits, but also follow the OWASP methodology described in this article to carry out all the tests within them, covering all the security problems that can occur in those applications.
