What is OWASP
September 16, 2019

What Is OWASP? Overview + OWASP Top 10

Security & Compliance
Static Analysis

OWASP and OWASP Top 10 help to safeguard your code against software security vulnerabilities. Here, we explain what is OWASP and what are the OWASP Top 10 vulnerabilities.

Read along or jump to the section that interests you the most:

What Is OWASP?

OWASP is the Open Web Application Security Project. It's an international nonprofit organization that educates software development teams on how to conceive, develop, acquire, operate, and maintain secure applications.

All of the organization's materials (which include articles, methodologies, documentation, tools, and technologies) are freely available and easily accessible. These materials improve application security through people, processes, and technology.

What Is The OWASP Top 10?

OWASP Top 10 is the most well-known resource that the organization produces. Each year, a team of security experts from across the globe updates the report. This report features the 10 most critical web application and API security risks.

The current OWASP Top 10 list includes:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components With Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Protect against the top cybersecurity vulnerabilities. Get the white paper to learn how.

➡️ Get the White Paper

Why Is OWASP Important?

OWASP is important as it provides the following benefits:

  • It helps developers safeguard against cybersecurity vulnerabilities.
  • It helps strengthen software encryption.
  • It helps reduce the number of security errors, bugs, and defects in the code.

Learn more about how security standards — like CERT C, CWE, and DISA STIG — can help ensure software security.

OWASP Top 10: A Closer Look

1. Injection

Injection flaws occur when untrusted data is sent as part of a command or query. The attack can then trick the targeted system into executing unintended commands. Or it could give the cybercriminal access to protected data.

2. Broken Authentication

Authentication is often implemented incorrectly. This enables cybercriminals to take advantage of security vulnerabilities. They can even gain access to users' identities.

3. Sensitive Data Exposure

Sensitive data is often not properly protected. This enables cybercriminals to easily take advantage of security vulnerabilities.

4. XML External Entities (XXE)

Older or poorly configured XML processors evaluate external entity references within XML documents. These external entities can be used by cybercriminals to gain access to sensitive information. They could even launch a denial of service attack.

5. Broken Access Control

User restrictions are often not properly enforced. This creates security vulnerabilities that cybercriminals can exploit.

6. Security Misconfiguration

Security misconfiguration is often a result of:

  • Insecure default configurations.
  • Incomplete or ad hoc configurations.
  • Open Cloud storage.
  • Misconfigured HTTP headers.
  • Verbose error messages that contain sensitive information.

7. Cross-Site Scripting (XSS)

Cross-site scripting flaws occur when an application includes untrusted data in a new webpage — without proper validation. It can also occur when an existing web page is updated with user-supplied data using a browser API that can create HTML or JavaScript. Cybercriminals take advantage of cross-site scripting to execute scripts in the targeted system.

8. Insecure Deserialization

Deserialization flaws often result in remote code execution. This enables cybercriminals to perform replay, injection, and privilege escalation attacks.

9. Using Components with Known Vulnerabilities

Components — such as libraries or frameworks — run the same privileges as the application. A vulnerable component can be exploited by a cybercriminal. This causes serious data loss or server takeover.

10. Insufficient Logging and Monitoring

Insufficient logging and monitoring can enable cybercriminals to attack systems. They can even tamper, extract, or destroy data.

📕 Related Resource: Top 10 Software Vulnerabilities>>>

Enforce Secure Software Best Practices

Here's one of the most important best practices. Implement secure coding practices to prevent vulnerabilities.

Using a SAST tool — such as Klocwork — helps you enforce best practices.

This is an important part of the process of developing secure web applications. Using a tool like Klocwork helps you comply with security standards. That's because Klocwork automatically checks your code against the list of security weaknesses. It flags violations to help enforce secure coding guidelines. To make compliance easier, Klocwork provides security reports on the quality of your code.

📕 Related Resource: SAST Tutorial>>>

How to Enforce OWASP With Static Code Analysis

The best way to ensure web application security is to use a static code analysis tool.

Static code analyzers enforce coding rules and flag security violations. Klocwork comes with code security taxonomies to ensure secure, reliable, and efficient software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce secure software practices. Sign up for our next live demo and see how it works. 

▶️ Watch the klocwork demo

Send Feedback