Do you use the Open Web Application Security Project (OWASP) Top 10 Project as part of your web security testing program? If not, now’s a great time to get on board. There’s a new version coming out for 2013 that can be an invaluable resource.
The OWASP Top 10 is a consensus of the most critical web application security-related risks. It provides a good framework on the issues to avoid when developing web applications as well as what to look for when testing for security weaknesses. Currently in the release candidate stage, the OWASP Top 10 2013 has been tweaked to further enhance the web application security cause. Notable changes and improvements include:

- Broadening of URL access control flaws to now include actual application functions
- Expansion and merger of data-in-transit and data-at-rest flaws on both the server side and the client side
- Addition of a new category of flaws, ‘Using Components with Known Vulnerabilities’, to cover add-on and third-party software components (a common issue that’s often overlooked in development and security)
- Re-prioritization of authentication/user session management and cross-site request forgery (CSRF)-related flaws

OWASP Top 10 2013
The new OWASP Top 10 of 2013 currently reads as follows:

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Use the OWASP Top 10 as a good resource for guidance around web application vulnerabilities. Just know that your mileage is going to vary when it comes to actual web security findings and what needs to be (or can be) done to fix the issues. Some security flaws you uncover pose real business risks. Some may exist but not matter in the grand scheme of what you’re doing. Other flaws that appear in the OWASP Top 10 may not exist in your application at all. Your situation is unique, and every application you look at is unique. Focus on what matters for your business.
The OWASP Top 10 is great for developers and QA professionals. It’s good for IT and information security. Most importantly, it’s good for business. The important thing is to leverage the OWASP Top 10 in the spirit in which it’s intended. It’s a free, yet invaluable, resource.

Go Beyond the OWASP Top 10 for a Complete Web Application Security Audit
Even though the OWASP Top 10 is an invaluable resource that one should follow when auditing a web application, you should not focus only on finding the web application vulnerabilities that appear on that list. The OWASP Top 10 is meant to be used as a guideline and contains only the most critical vulnerability categories. There are many other web application vulnerabilities that could be exploited by attackers. Scan your websites and web applications with a web application security scanner such as Netsparker to uncover the other web application vulnerabilities your portals might have.