What is OWASP? What is OWASP Top 10?
September 16, 2019

What Is OWASP? And What Is OWASP Top 10?

Security & Compliance
Static Analysis

With the rising number of cybersecurity attacks, it is essential that you ensure that there are no vulnerabilities that can be exploited in your code. Using OWASP and the OWASP Top 10 can help ensure that your code is secure and safe. For that reason, we explain what is OWASP, its list of security weaknesses, and the OWASP Top 10 most critical web application and API security risks.

What Is OWASP?

Open Web Application Security Project (OWASP) is an international non-profit organization that educates software development teams on how to conceive, develop, acquire, operate, and maintain applications so that they can be trusted.

All of the organization's materials (which includes articles, methodologies, documentation, tools, and technologies) are freely available and easily accessible. These materials improve application security through people, process, and technology.

What Is OWASP Top 10?

The most well-known resource that the organization produces is the OWASP Top 10. Each year, a team of security experts from across the globe updates the report to feature the 10 most critical web application and API security risks.

According to the most recent list, the 10 most critical web application security risks are:

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Entities (XXE)

5. Broken Access Control


7. Cross-site Scripting (XSS)

8. Insecure Deserialization

9. Using Components With Known Vulnerabilities

10. Insufficient Logging and Monitoring

OWASP Top 10: A Closer Look

1. Injection
Injection flaws occur when untrusted data is sent as part of a command or query. The attack can then trick the targeted system into executing unintended commands or give the cybercriminal access to protected data.

2. Broken Authentication
Authentication and session management application functions are often implemented incorrectly. This enables cybercriminals to take advantage of security vulnerabilities and gain access to users' identities.

3. Sensitive Data Exposure
Sensitive data is often not properly protected, which enables cybercriminals to easily take advantage of security vulnerabilities.

4. XML External Entities (XXE)
Older or poorly configured XML processors evaluate external entity references within XML documents. These external entities can be used by cybercriminals to gain access to sensitive information or to launch a denial of service attack.

5. Broken Access Control
User restrictions are often not properly enforced, which can create security vulnerabilities that cybercriminals can exploit.

6. Security Misconfiguration
Security misconfiguration is often a result of insecure default configurations, incomplete or ad hox configurations, open Cloud storage, misconfigured HTTP headers, and verbose error messages that contain sensitive information.

7. Cross-site Scripting (XSS)
Cross-site scripting flaws happen whenever an application includes untrusted data in a new web page without proper validation, or when an existing web page is updated with user-supplied data using a browser API that can create HTML or JavaScript. Cybercriminals can take advantage of cross-site scripting to execute scripts in the targeted system.

8. Insecure Deserialization
Deserialization flaws often result in remote code execution and enables cybercriminals to perform replay, injection, and privilege escalation attacks.

9. Using Components with Known Vulnerabilities
Components — such as libraries, frameworks, and other software modules — run the same privileges as the application. A vulnerable component can be exploited by a cybercriminal to cause serious data loss or server takeover.

10. Insufficient Logging and Monitoring
Insufficient logging and monitoring can enable cybercriminals to attack systems, and tamper, extract or destroy data.

Enforce OWASP to Ensure Secure Software

Using a SAST tool — such as Klocwork — is an important part of the process of developing secure web applications, as it helps to comply with security standards — like OWASP. Klocwork automatically checks your code against the list of security weaknesses and flags violations to help enforce secure coding guidelines. To make compliance easier, Klocwork provides security reports on the quality of your code.

Learn More About the Benefits of SAST Tools >>

How to Implement Application Security With OWASP and Static Analysis

The best way to ensure web application security is to use a static code analyzer.

Static code analyzers enforce coding rules and flag security violations. Klocwork comes with code security taxonomies to ensure secure, reliable, and efficient software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Secure Code Starts With Klocwork

See for yourself how Klocwork can help you enforce cybersecurity best practices.

Easily enforce Owasp with klocwork