What is OWASP And What is OWASP Top 10
September 16, 2019


What Is OWASP

Open Web Application Security Project (OWASP) is an international non-profit organization that educates software development teams on how to conceive, develop, acquire, operate, and maintain applications so that they can be trusted.

All of the organization's materials (which includes articles, methodologies, documentation, tools, and technologies) are freely available and easily accessible. These materials improve application security through people, process, and technology.

What Is OWASP Top 10

The most well-known resource that the organization produces is the OWASP Top 10. Each year, a team of security experts from across the globe updates the report to feature the 10 most critical web application and API security risks.

According to the most recent list, the top 10 most critical web application security risks are:

  1. Injection
    Injection flaws occur when untrusted data is sent as part of a command or query. The attack can then trick the targeted system into executing unintended commands or give the cybercriminal access to protected data.
     
  2. Broken Authentication
    Authentication and session management application functions are often implemented incorrectly. This enables cybercriminals to take advantage of security vulnerabilities and gain access to users' identities.
     
  3. Sensitive Data Exposure
    Sensitive data is often not properly protected, which enables cybercriminals to easily take advantage of security vulnerabilities.
     
  4. XML External Entities (XXE)
    Older or poorly configured XML processors evaluate external entity references within XML documents. These external entities can be used by cybercriminals to gain access to sensitive information or to launch a denial of service attack.
     
  5. Broken Access Control
    User restrictions are often not properly enforced, which can create security vulnerabilities that cybercriminals can exploit.
     
  6. Security Misconfiguration
    Security misconfiguration is often a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that contain sensitive information.
     
  7. Cross-site Scripting (XSS)
    Cross-site scripting flaws happen whenever an application includes untrusted data in a new web page without proper validation, or when an existing web page is updated with user-supplied data using a browser API that can create HTML or JavaScript. Cybercriminals can take advantage of cross-site scripting to execute scripts in the targeted system.
     
  8. Insecure Deserialization
    Deserialization flaws often result in remote code execution, and they enable cybercriminals to perform replay, injection, and privilege escalation attacks.
     
  9. Using Components with Known Vulnerabilities
    Components — such as libraries, frameworks, and other software modules — run with the same privileges as the application. A vulnerable component can be exploited by a cybercriminal to cause serious data loss or server takeover.
     
  10. Insufficient Logging and Monitoring
    Insufficient logging and monitoring can enable cybercriminals to attack systems, and to tamper with, extract, or destroy data.
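Items 1 (Injection) and 7 (Cross-site Scripting) share one root cause: untrusted data is mixed into text that an interpreter (a SQL engine, a browser) will parse. The example below, added here and not part of the original post, puts a vulnerable and a hardened version of each side by side. It uses Python's standard library only; the in-memory users table and the probe inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Injection (item 1): the untrusted value is spliced into the SQL text,
    # so a quote character in the input changes the structure of the query.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter. The driver never
    # parses it as SQL, so it can only ever match a literal user name.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # XSS (item 7): user-supplied data is placed in HTML without encoding,
    # so markup in the input is interpreted by the browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: HTML-significant characters are encoded before the value
    # reaches the page, so the browser renders the input as plain text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print(find_user_vulnerable(conn, probe))   # every row: the WHERE clause was rewritten
    print(find_user_safe(conn, probe))         # []: nobody is literally named that
    markup = "<script>alert(1)</script>"       # constructed input containing markup
    print(render_greeting_vulnerable(markup))  # tag reaches the page intact
    print(render_greeting_safe(markup))        # tag is rendered as text
```

The two hardened functions are the controls a static analyzer looks for: a query whose text is a constant with bound parameters, and output that passes through an encoder before it is written into HTML. Note that escaping is context-specific; `html.escape` is correct for element content and quoted attribute values, but data placed inside a `<script>` block or a URL needs the encoder for that context.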

OWASP Compliance With Klocwork

Running static analysis is an important part of the process of developing secure web applications and is a tool to use when complying with security standards. Klocwork automatically checks your code against the OWASP list of security weaknesses (including the OWASP Top 10) and flags violations to help enforce secure coding guidelines. To make compliance easier, Klocwork provides security reports on the quality of your code.

How to Implement OWASP Application Security

The best way to ensure web application security is to use a static code analyzer.

Static code analyzers enforce coding rules and flag security violations. Klocwork comes with code security taxonomies to ensure secure, reliable, and efficient software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Achieve Application Security with Klocwork

See for yourself how Klocwork can help you enforce cybersecurity best practices.
