OWASP

Category: Security

What is OWASP?

OWASP (Open Web Application Security Project) is a worldwide non-profit organization that focuses on improving software security. OWASP provides free materials, tools and documentation for developers, architects and security professionals.

The organization is best known for publishing the “OWASP Top 10” - a list of the most critical security risks for web applications, which is updated regularly.

OWASP Top 10 - 2021

These are the 10 most critical security risks for web applications according to the latest edition:

1. Broken Access Control (Risk level: High)

Users can perform actions they are not authorized for. Includes violations of the principle of least privilege.

  • Unrestricted access to API endpoints
  • Manipulation of ID parameters
  • Bypassing of access control checks

2. Cryptographic Failures (Risk level: High)

Cryptographic failures that lead to the leakage of sensitive data.

  • Unsafe storage of passwords
  • Lack of data encryption
  • Use of weak algorithms
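The first item above, unsafe password storage, is the one these failures most often come down to. Below is an added example, not code from the page or from OWASP, contrasting an unsalted fast hash with a salted PBKDF2-HMAC-SHA256 record (one of the algorithms this page recommends), using only the Python standard library; the record layout and the 600,000-iteration policy are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy for this example (not from the page): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt. The "algorithm$iterations$salt$hash" record layout is our own.
ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """The unsafe form: unsalted, fast hash. Equal passwords give equal hashes,
    so one precomputed lookup table cracks every reused password at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. The record carries its own parameters so
    the cost can be raised later without invalidating existing users."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    Any malformed record simply fails verification."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current cost policy; rehash at next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```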

3. Injection (Risk level: High)

Untrusted data that the system interprets as part of a command or query and executes.

  • SQL injection
  • Command injection
  • NoSQL injection

4. Insecure Design (Risk level: High)

Flaws in the application's design (as opposed to its implementation) that leave security controls missing or ineffective.

  • Lack of threat modeling
  • Unsafe business logic
  • Insufficient validation

5. Security Misconfiguration (Risk level: Medium)

Incorrect security configuration in the application or infrastructure.

  • Outdated, unpatched components
  • Unnecessary services
  • Unsafe default settings

6. Vulnerable Components (Risk level: High)

Use of components with known vulnerabilities.

  • Outdated libraries
  • Use of deprecated components
  • Lack of monitoring for vulnerabilities

7. Authentication Failures (Risk level: Medium)

Failures in the mechanisms that verify a user's identity.

  • Weak passwords
  • Lack of multi-factor authentication
  • Unsafe session management

8. Software and Data Integrity (Risk level: Medium)

Violation of the integrity of the software and data.

  • Unsafe CI/CD processes
  • Deserialization of untrusted data
  • Lack of code signing

9. Security Logging Failures (Risk level: Medium)

Inadequate security logging and monitoring.

  • Lack of audit trails
  • Insufficient logging
  • Inability to detect attacks in progress

10. Server-Side Request Forgery (Risk level: Medium)

Attacks where the server is forced to make requests to internal resources.

  • Manipulation of URL parameters
  • Access to internal systems
  • Bypassing of internal network protections

Preventing attacks - Best practices

Input Validation

Validate all user input. Use an allow-list (white-list) approach rather than a block-list (black-list).

Parameterized Queries

Use parameterized queries to prevent SQL injection.

Authentication Controls

Implement strong authentication mechanisms and multi-factor authentication.

Access Control

Apply the principle of least privilege and enforce permission checks on the server side.

Encryption

Encrypt sensitive data both during transmission and at rest.

Security Headers

Use security-related HTTP headers such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and X-Frame-Options.

Error Handling

Do not disclose error details to users. Use generic messages.

Dependency Management

Regularly update libraries and components. Monitor for known vulnerabilities.

OWASP tools

  • OWASP ZAP (Zed Attack Proxy): Free tool for testing the security of web applications
  • OWASP Dependency-Check: Tool for scanning dependencies for known vulnerabilities
  • OWASP WebGoat: Intentionally insecure web application for training
  • OWASP Juice Shop: Modern, intentionally insecure web application for training
  • OWASP ASVS (Application Security Verification Standard): Standard for security verification
  • OWASP Cheat Sheet Series: Cheat sheets with best practices for different topics

Integration in SDLC

  • Requirements phase: Definition of security requirements and threat modeling
  • Design phase: Security architecture review and design of controls
  • Development phase: Secure coding practices and code review
  • Testing phase: Security testing (SAST, DAST, penetration testing)
  • Deployment phase: Secure configuration and deployment checks
  • Support phase: Monitoring, patch management and incident response

Security testing methods

  • SAST (Static Application Security Testing): Analysis of source code for potential vulnerabilities
  • DAST (Dynamic Application Security Testing): Testing of the running application for vulnerabilities
  • SCA (Software Composition Analysis): Analysis of third-party components for vulnerabilities
  • Penetration Testing: Simulation of real attacks against the application
  • Code Review: Manual code review for security issues
  • Threat Modeling: Identification of potential threats and vulnerabilities

Common errors and solutions

Error | Risk | Solution
Direct execution of user input | SQL Injection, Command Injection | Parameterized queries, input validation
Unsafe storage of passwords | Leakage of credentials | BCrypt, Argon2, PBKDF2
Lack of rate limiting | Brute-force attacks | Implementation of request rate limits
Unvalidated redirects | Phishing attacks | Validation of redirect URLs
Unsafe deserialization | Remote code execution | Validation of serialized data
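The "Unvalidated redirects" row recommends validating the redirect URL. Here is an added example (not from the page) of such a check in Python, assuming a hypothetical application host app.example.com; it goes slightly beyond a plain prefix check by also rejecting the scheme-relative, backslash and userinfo forms that browsers resolve to a different host.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed application host (constructed for this example, not from the page).
APP_HOST = "app.example.com"

def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Accept only targets that stay within the application: a same-site
    absolute path, or an https URL whose host is exactly app_host."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False  # reject control characters rather than sanitizing them
    # Browsers treat "\" like "/", so "/\host" would resolve as "//host".
    normalized = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalized)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: a single leading "/" only. "//host" and "///host"
        # are scheme-relative and would send the browser to another site.
        return normalized.startswith("/") and not normalized.startswith("//")
    return (
        parts.scheme == "https"
        and parts.hostname == app_host.lower()
        and parts.username is None  # "https://app.example.com@other" confusion
        and port in (None, 443)
    )

def safe_redirect_target(target: Optional[str], fallback: str = "/") -> str:
    """Use the user-supplied target only if it passes the check, else fall back."""
    if target is not None and is_safe_redirect(target):
        return target.strip().replace("\\", "/")
    return fallback
```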

OWASP practices - Security of web applications

Open standards and best practices for the protection of web applications