What is the OWASP Top 10?

OWASP is an acronym for Open Web Application Security Project. OWASP is a nonprofit organization dedicated to improving the security of software, websites, databases, and more. Today I will be writing about the OWASP Top 10. This is OWASP's list of the ten most critical security risks to web applications (the list covered here is the 2017 edition). Web application creation is increasing as the digital landscape pushes for further innovation. I hope you enjoy reading this post as I break down the OWASP Top 10.

The OWASP Top 10 list:


  1. Injection- sending untrusted input (SQL, NoSQL, OS, or LDAP commands) to an interpreter as part of a query or command so that it gets executed, letting an attacker read or change data without authorization. Blocking a handful of characters is not enough to prevent this. The reliable fix is to keep data separate from code by using parameterized queries (prepared statements) or a safe API, with server-side input validation as a second layer.

  2. Broken Authentication- flaws in how an application handles logins and sessions (weak passwords allowed, credential stuffing not stopped, session IDs exposed in URLs or never expired) let attackers take over someone else's account and use that person's access to do more nefarious things. Multi-factor authentication, lockout or rate limiting after repeated failed logins, strict session timeout settings, and never shipping default credentials can help stop this attack.

  3. Sensitive Data Exposure- to properly explain sensitive data exposure I need to explain the three most important sets of sensitive data first: PII, PHI, and PCI data. PII is personally identifiable information. For example, social security numbers and mailing addresses would be considered PII. PHI is protected health information. For example, medical records would be considered PHI. PCI stands for Payment Card Industry; the PCI DSS standard covers cardholder data such as debit and credit card numbers. Sensitive data should be protected both in transit and at rest. Using current TLS (1.2 or 1.3) with strong ciphers, encrypting your database, storing passwords only as salted slow hashes (bcrypt, scrypt, or Argon2) rather than encrypting them, and not keeping data you do not need can avert this attack.

  4. XML External Entities- older or misconfigured XML parsers resolve external entity references inside a document an attacker supplies. This can be used to read local files from the server, make the server send requests on the attacker's behalf (including internal port scanning), cause denial of service, and in some cases achieve remote code execution. Keeping XML processors patched and, above all, disabling DTD and external entity processing in the parser prevent this attack.

  5. Broken Access Control- when an application does not properly enforce what each user is allowed to do, an attacker can change an ID in a URL or a request parameter and view or edit other users' records, or act as an administrator. Using least privilege, checking authorization on the server for every request, and denying by default, you can mitigate this vulnerability. Least privilege is a policy that gives people just enough access to do their job.

  6. Security Misconfiguration- some easy security misconfigurations to fix are default configurations and error messages that leak sensitive information (operating system, version of IIS, stack traces, etc.). Never keep the default configuration on any product you use, and remove sample applications and unused features. Default settings and default passwords are easily searchable on the internet.

  7. Cross-Site Scripting- like an injection attack, cross-site scripting or XSS happens when an application puts untrusted data into a page without proper escaping, so an attacker's script runs in other users' browsers. That script can steal session cookies, change what the page shows, or redirect victims to malicious sites. Please ensure your developers escape output according to its context (HTML, attribute, JavaScript, URL), use frameworks that escape by default, and add a Content Security Policy to avoid this devastating attack.

  8. Insecure Deserialization- deserialization (turning stored or transmitted bytes back into objects) is a common web process, but deserializing data an attacker controls can be very malicious. It can lead to remote code execution, replay attacks, and privilege escalation. The best defense is not to accept serialized objects from untrusted sources at all, or to sign them and verify the signature before deserializing. Perform a web application scan before you go live with your web application, and performing routine vulnerability scans can help catch this and various other vulnerabilities.

  9. Using Components with Known Vulnerabilities- similar to security misconfiguration, you should not use frameworks or libraries that have known vulnerabilities. Keep an inventory of every component and its version, research any framework or library before you use it, check it against public vulnerability databases such as the CVE list, and update promptly when a fix is released. Always use a test environment before going live for extra protection.

  10. Insufficient Logging & Monitoring- everyone that has a web application should log security-relevant events (failed logins, access control failures, input validation failures) with enough context to investigate, review those logs, and alert on suspicious activity in time to respond. The logs themselves should be protected from tampering. One great tool to monitor logs would be Splunk.
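
Here is an example added here, not from the original post or from OWASP, of item 1 in Python: a login query built by string concatenation, beside the parameterized version that fixes it. The in-memory SQLite database, the users table, and the alice/s3cret credentials are all made up for the demo.

```python
"""Added example (not from the original post or OWASP): an injection-prone
login query built by string concatenation, beside the parameterized version.
The in-memory SQLite database, table and credentials are constructed here."""
import sqlite3


def make_db():
    """Build a throwaway database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Constructed sample row. A real app stores a salted password hash,
    # never the plaintext password.
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are spliced straight into the SQL text."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Placeholders: the driver sends the values separately from the SQL,
    so quotes inside the input are data, never SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run the same tautology payload through both versions."""
    conn = make_db()
    # Classic payload: closes the quoted string and appends OR '1'='1'.
    payload = "' OR '1'='1"
    vuln = login_vulnerable(conn, payload, payload)   # row returned: login bypassed
    safe = login_safe(conn, payload, payload)         # None: payload is just a bad username
    good = login_safe(conn, "alice", "s3cret")        # real credentials still work
    return vuln, safe, good


if __name__ == "__main__":
    vuln, safe, good = demo()
    print("vulnerable query with payload  ->", vuln)
    print("parameterized query with payload ->", safe)
    print("parameterized, real credentials ->", good)
```

With the payload in both fields the concatenated query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version hands back the admin account. The parameterized version looks for a user literally named `' OR '1'='1` and finds nothing.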

 
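Item 10 (and the lockout advice in item 2) is easier to picture with logs in hand. Below is an example added here, not from the original post or from OWASP or Splunk, of a small Python detector that reads authentication log lines and flags any source address with five or more failed logins inside a one-minute window, then notes if a successful login follows from the same address. The log lines and their format (timestamp, client IP, event, username) are constructed for this demo and do not match any particular product's format.

```python
"""Added example (not from the original post, OWASP or Splunk): flag source
addresses with a burst of failed logins. Log lines and their format are
constructed for the demo; adapt parse_line() to your own log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one address hammering the login form, one normal user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 LOGIN_FAIL user=admin
2024-03-01T10:00:03Z 203.0.113.7 LOGIN_FAIL user=admin
2024-03-01T10:00:04Z 198.51.100.2 LOGIN_OK user=alice
2024-03-01T10:00:05Z 203.0.113.7 LOGIN_FAIL user=root
2024-03-01T10:00:06Z 203.0.113.7 LOGIN_FAIL user=administrator
2024-03-01T10:00:08Z 203.0.113.7 LOGIN_FAIL user=admin
2024-03-01T10:00:09Z 203.0.113.7 LOGIN_OK user=admin
2024-03-01T10:07:00Z 198.51.100.2 LOGIN_FAIL user=alice
"""


def parse_line(line):
    """Split one constructed-format line into (timestamp, ip, event, username)."""
    ts, ip, event, user = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event,
            user.split("=", 1)[1])


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: details} for every IP that reaches `threshold` failed logins
    within `window`. A later LOGIN_OK from a flagged IP is recorded as well,
    because a success right after a burst of failures often means a guess landed."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, event, user = parse_line(line)
        if event == "LOGIN_OK":
            if ip in alerts:
                alerts[ip]["success_after_alert"] = user
            continue
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": q[0], "alert_at": ts, "failures": len(q)}
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample above only 203.0.113.7 is flagged (five failures in seven seconds, followed by a successful login as admin); the single failure from 198.51.100.2 six minutes later stays under the threshold. The same counter, applied on the login endpoint itself rather than after the fact, is the lockout or rate limit item 2 recommends.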

The OWASP Top 10 list will help everyone with their web application cybersecurity defense. I hope this post motivates you to look more closely at any cracks you think you have in your web application security. Thank you for visiting my blog.
