Meeting OWASP Compliance to Ensure Secure Code Development and Deployment
The OWASP Top 10 is a resource for developing secure code. Nearly 68% of apps had a security flaw that fell into the OWASP Top 10.
By learning the flaws on the OWASP Top 10 list and how to resolve them, application developers can take concrete steps toward a more secure application that helps keep users safe from malicious attacks. The vulnerabilities listed by OWASP are not the only things developers need to look at, however.
OWASP Top 10 Vulnerabilities
- A01:2021-Broken Access Control: The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
- A02:2021-Cryptographic Failures: The renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.
- A03:2021-Injection: 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
- A04:2021-Insecure Design: A new category for 2021, with a focus on risks related to design flaws.
- A05:2021-Security Misconfiguration: With more shifts into highly configurable software, it is not surprising to see this category move up.
- A06:2021-Vulnerable and Outdated Components: This category moves up from #9 in 2017 and is a known issue whose risk we struggle to test and assess.
- A07:2021-Identification and Authentication Failures: This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
- A08:2021-Software and Data Integrity Failures: This category has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to its 10 CWEs.
- A09:2021-Security Logging and Monitoring Failures: Failures in this category can directly impact visibility, incident alerting, and forensics.
- A10:2021-Server-Side Request Forgery: This category represents the scenario where members of the security community are telling us this is important, even though it is not yet illustrated in the data.
Strategic Ways to Address the OWASP Top 10 Vulnerabilities
The OWASP Top 10 list of vulnerabilities has long been a source of data that information security professionals trust when making critical security decisions. There are many different sources where you can read about these vulnerabilities, especially OWASP itself.
- Leveraging ASVS as a Framework for Agile Application Security
Development teams can implement the secure practices described in the OWASP Application Security Verification Standard (ASVS) to build a secure and robust product. Following ASVS guidelines helps prioritize security tasks such as auditing and reviewing, and keeps them visible in the same way as any other work item in a standard agile process.
Developers can use agile security as a framework alongside the application security methodologies that many application security architects have proven in practice. ASVS accounts for a broad set of application security controls and risks as part of that framework. Application-level security, common security loopholes, and benchmark application security tools are widely used by organizations that follow agile development frameworks, and ASVS fits this development culture because its best-practice application security controls map directly to controls for security assessment and testing.
- Web Application Penetration Testing Method
Pen testing of web application systems follows a risk-based approach to identify critical application security flaws. Web application pen testing combines automated results with manual testing to enumerate and validate application vulnerabilities, misconfiguration errors, and business workflow flaws. Engaging a pen testing firm with experience in validating ASVS controls and standards is critical to the success of the engagement.
A solid web application penetration test covers the classes of vulnerabilities outlined in the Open Web Application Security Project (OWASP) Top 10 and beyond:
- Remove unused services, frameworks, and features so that they do not expose additional attack surface. Administrators need to stay up to date with all patch releases, security notes, and updates; this all forms part of the patch management process.
- A segmented application architecture is one of the strongest defenses against security misconfiguration. If you are responsible for client systems, then you need to ensure that security directives are sent out regularly.
Best Practice Conclusion
Selecting a well-experienced third-party testing firm is critical to the success of the engagement. Clients should fully understand the pen test team's methods, experience, and background prior to any engagement.
Creating a repeatable hardening process, including vulnerability scanning, remediation, and follow-up pen testing, is essential when deploying a new environment. Uniformity is important: dev, QA, and production environments need to be configured identically, but with different credentials used for each of them. Using the various pen testing methods, including white, gray, and black box testing, gives the organization several engagements that together ensure a higher degree of security protection for its systems.
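A small check for the uniformity rule above, added here as an example that is not part of the original article: non-credential settings must match across dev, QA, and production, while credentials must differ. The environment settings are constructed, and the pattern used to recognise credential keys is an assumption.

```python
# Added example (not from the original article): verify "identical
# configuration, distinct credentials" across environments.
import re
from typing import Dict, List

# Constructed sample configs for three environments (hypothetical values).
ENVIRONMENTS: Dict[str, Dict[str, str]] = {
    "dev": {"DEBUG": "false", "TLS_MIN_VERSION": "1.2", "SESSION_TIMEOUT": "900",
            "DB_PASSWORD": "dev-only-secret", "API_KEY": "dev-key-001"},
    "qa": {"DEBUG": "true", "TLS_MIN_VERSION": "1.2", "SESSION_TIMEOUT": "900",
           "DB_PASSWORD": "qa-only-secret", "API_KEY": "qa-key-002"},
    "prod": {"DEBUG": "false", "TLS_MIN_VERSION": "1.2", "SESSION_TIMEOUT": "900",
             "DB_PASSWORD": "dev-only-secret", "API_KEY": "prod-key-003"},
}

# Assumed naming convention: keys ending in these words hold credentials.
CREDENTIAL_PATTERN = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)


def is_credential(key: str) -> bool:
    return bool(CREDENTIAL_PATTERN.search(key))


def find_drift(envs: Dict[str, Dict[str, str]], baseline: str = "prod") -> List[str]:
    """Return findings: non-credential settings that differ from the baseline
    environment, and credentials that are reused between environments."""
    findings: List[str] = []
    base = envs[baseline]
    all_keys = set().union(*(cfg.keys() for cfg in envs.values()))
    for key in sorted(all_keys):
        values = {name: cfg.get(key) for name, cfg in envs.items()}
        if is_credential(key):
            # The same secret in two environments defeats the separation.
            seen: Dict[str, str] = {}
            for name, value in values.items():
                if value is not None and value in seen:
                    findings.append(f"credential {key} shared by {seen[value]} and {name}")
                seen.setdefault(value, name)
        else:
            # Any non-credential difference from the baseline is config drift.
            for name, value in values.items():
                if name != baseline and value != base.get(key):
                    findings.append(f"{name}: {key}={value!r} differs from {baseline} ({base.get(key)!r})")
    return findings


if __name__ == "__main__":
    for finding in find_drift(ENVIRONMENTS):
        print(finding)
```

On the constructed sample this reports the DB password reused between dev and prod and the DEBUG flag that differs in QA.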