OWASP – A guide to more secure web-app development

What is OWASP?

The Open Web Application Security Project (OWASP) is an international non-profit organization founded in 2001, with the aim of providing free and open resources that help developers and security experts protect their web applications from cyber-attacks. OWASP performs security analysis and research with thousands of volunteers across the world.

OWASP’s resources are free and easily accessible on their website, making it feasible for anyone and everyone to create robust and secure web applications. With the help of community-led open-source software projects, educational and training conferences, thousands of members and numerous local chapters, OWASP lays the foundation of cyber security for developers across the globe.

History

Mark Curphey started OWASP (the Open Web Application Security Project) on September 9, 2001. Jeff Williams was volunteer Chair of OWASP from late 2003 until September 2011. As of January 2021, Sherif Mansour was voted Chair, Vandana Verma Vice Chair, Grant Ongers Treasurer and Bil Corry Secretary. Since 2011, OWASP has been registered as a non-profit organization in Belgium under the name OWASP Europe VZW.

Publications and resources

  • OWASP Top Ten: The Top 10 is a detailed report, created and updated regularly, that raises awareness about application security by pointing out the most critical risks organizations have to deal with.

  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project provides a usable framework that organizations can tailor to their own software assurance needs.

  • OWASP Development Guide: The Development Guide provides practical guidance together with numerous J2EE, ASP.NET and PHP code samples.

  • OWASP Testing Guide: The OWASP Testing Guide describes a framework and best practices for penetration testing web applications.

  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.

  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is a hassle-free integrated penetration testing tool for finding vulnerabilities in web applications.

  • WebGoat: A deliberately insecure web application developed by OWASP for teaching secure programming practices.

  • OWASP AppSec Pipeline: AppSec Pipeline incorporates the principles of DevOps and Lean into an application security program.

  • OWASP Automated Threats to Web Applications: It provides definitive information and other resources to defend against automated threats such as credential stuffing and brute force techniques. The project includes the top 20 automated threats.

  • OWASP API Security Project: Sheds light on strategies and solutions to deal with the security risks of Application Programming Interfaces (APIs).

  • OWASP Code Review Guide.

  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.

  • OWASP “Top 10” Incident Response Guidance.

OWASP Top 10

The Top Ten project was first published in 2003 with a vision of raising awareness about application security. It addresses the most critical risks organizations face by regularly updating a report on web application security concerns. The report is developed by a group of security experts from all over the world. Various standards, books, tools and organizations, including MITRE, PCI DSS, the Defense Information Systems Agency and the United States Federal Trade Commission, reference the Top 10 project.

The OWASP Top 10 2021 report includes the following security concerns:

  • A01:2021-Broken Access Control : Failing to verify that the user is authorized to access the requested object is the hallmark of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.

  • A02:2021-Cryptographic Failures : Previously known as “Sensitive Data Exposure”, this category covers failures to protect data in transit and at rest. Such data includes authentication details, personal and financial information, business secrets etc.

  • A04:2021-Insecure Design : Introduced in 2021, this category addresses risks related to design flaws. A lack of security controls and of business risk profiling during software development falls under insecure design.

  • A06:2021-Vulnerable and Outdated Components : This category was previously known as “Using Components with Known Vulnerabilities”. It is the only category that has no Common Vulnerabilities and Exposures (CVEs) mapped to its included Common Weakness Enumerations.

  • A07:2021-Identification and Authentication Failures : Applications that are not protected against automated attacks such as credential stuffing and brute force, or that permit default, weak or well-known passwords, fall under this category. Common Weakness Enumerations that relate more to identification failures are now incorporated within this category.

  • A08:2021-Software and Data Integrity Failures : This new category relates to vulnerabilities in unverified software updates, critical data and CI/CD pipelines. One of the highest weighted impacts from Common Vulnerabilities and Exposures / Common Vulnerability Scoring System (CVE/CVSS) data is mapped to the 10 Common Weakness Enumerations in this category. “Insecure Deserialization” from 2017 now comes under this category.

  • A09:2021-Security Logging and Monitoring Failures : Previously termed “Insufficient Logging & Monitoring”, the category has been expanded to include more types of failures that can impact accountability, visibility, incident alerting and forensics.

  • A10:2021-Server-Side Request Forgery : SSRF issues arise when a web application fetches a remote resource without validating the user-supplied URL. This lets attackers force the application to send requests to an unexpected destination, even when a firewall, VPN or some other type of network access control list (ACL) is in place.
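As an added illustration of the A01 item above (example code written for this page, not OWASP's own), the following Python shows an object lookup that is missing an authorization check beside a hardened version that denies by default, enforces ownership or an admin role, and records denied attempts for monitoring. The invoice store, user names and role names are constructed sample data.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller is not authorized for the requested object."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


# Constructed sample store (invoice id -> record); a real app would read a DB table.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}

# Denied attempts are recorded here so that repeated id probing is visible (A09).
AUDIT_LOG = []


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    """Broken access control: the record is looked up by id alone, so any
    authenticated user can read any invoice simply by changing the id."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> dict:
    """Hardened lookup: deny by default, allow only the owner or an admin,
    and return the same error for missing and forbidden records so the
    response does not reveal whether an id exists."""
    record = INVOICES.get(invoice_id)
    authorized = record is not None and (
        record["owner"] == user.name or "admin" in user.roles
    )
    if not authorized:
        AUDIT_LOG.append({"user": user.name, "invoice_id": invoice_id, "result": "denied"})
        raise AccessDenied(f"invoice {invoice_id} is not available")
    return record


if __name__ == "__main__":
    print(get_invoice_vulnerable(User("bob"), 101))  # bob reads alice's invoice
    try:
        get_invoice(User("bob"), 101)
    except AccessDenied as exc:
        print("denied:", exc, AUDIT_LOG[-1])
```

The check belongs in the server-side handler for every object access, not only in the UI; hiding a link does not stop a client from requesting the id directly.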
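The SSRF item above describes the missing control but not what validating a user-supplied URL looks like. The Python below is an added example (not code from OWASP or the original article) of a fetch guard that enforces a scheme, port and host allowlist, rejects embedded credentials, falls back to refusing non-public IP addresses when no allowlist is available, and optionally checks what the hostname resolves to so that a name pointing at an internal address is refused before any request is sent. The host allowlist and the resolver results used in the tests are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def is_public_ip(address: str) -> bool:
    """True only for globally routable addresses: loopback, RFC 1918,
    link-local, unspecified, multicast and reserved ranges are rejected."""
    try:
        return ipaddress.ip_address(address).is_global
    except ValueError:
        return False


def default_resolver(host: str) -> list:
    """Resolve a hostname to every A/AAAA record (needs network access)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=None) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side.

    allowed_hosts: set of permitted hostnames, or None to allow any host
                   that is not a literal internal address.
    resolver:      callable host -> list of IP strings; when given, every
                   resolved address must be public (defends against names
                   that resolve to internal ranges).
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted@evil" style confusion
    host = parts.hostname  # lowercased, brackets stripped for IPv6 literals
    if not host or port not in ALLOWED_PORTS:
        return False
    if allowed_hosts is not None:
        if host not in allowed_hosts:
            return False
    else:
        # No allowlist available: at least refuse literal internal addresses.
        try:
            literal = ipaddress.ip_address(host)
        except ValueError:
            literal = None
        if literal is not None and not literal.is_global:
            return False
    if resolver is not None:
        addresses = resolver(host)
        if not addresses or not all(is_public_ip(a) for a in addresses):
            return False
    return True


def fetch_remote_resource(url: str, fetcher, resolver=None):
    """Guarded fetch: validates first, then delegates to `fetcher(url)`.
    The real fetcher should also disable redirects, since a redirect can
    otherwise lead the request back to an internal address."""
    if not is_safe_fetch_url(url, resolver=resolver):
        raise ValueError("refusing to fetch untrusted URL")
    return fetcher(url)


if __name__ == "__main__":
    for candidate in ("https://images.example.com/cat.png",
                      "http://127.0.0.1:8080/admin",
                      "file:///etc/passwd"):
        print(candidate, "->", is_safe_fetch_url(candidate))
```

Pass `resolver=default_resolver` in production to get the DNS check; the tests use a constructed resolver so they run offline. Because a name can change between the check and the request, the resolved address should ideally be pinned for the actual connection as well, which this example leaves to the HTTP client.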

OWASP ZAP Project

The OWASP Zed Attack Proxy (ZAP) Project is one of the most active open-source Dynamic Application Security Testing (DAST) tools today. It is maintained by a team of volunteers from all over the world. ZAP is an integrated penetration testing tool with detailed documentation that can be used by beginners as well as professional pen-testers.

ZAP has an easy-to-use GUI with the following features:

  • Intercepting Proxy: The intercepting proxy is the main feature of ZAP. It sits between the security tester's browser and the web application server so that traffic can be inspected, altered or injected into the message content.

  • Automated Scanner: It checks the web application identified by a URL for vulnerabilities in several modes: active scans, passive scans and the crawling spider.

  • Brute Force Scanner: It identifies security vulnerabilities that could be exploited through brute-force attacks.

  • Fuzzing: This feature allows testers to provide unexpected and invalid inputs to check for vulnerabilities.

  • Port Scanning: Port scanning reports the status of different ports and alerts in case of unwanted port usage.

  • WebSockets: WebSockets create an asynchronous two-way communication channel between client and server, and an open channel can expose vulnerabilities. Consequently, ZAP scans WebSocket traffic continuously for vulnerabilities.

  • Advanced SQL Injection Scanner: The advanced SQL injection scanner detects injection flaws that could expose web application databases.

  • Advanced Alerts: ZAP has one of the best customizable alert management systems.

  • Tools Integration: ZAP allows easy integration with many other tools like Application Lifecycle Management (ALM) tools, testing tools, code management tools, external notification systems etc.

To sum it up, organizations need to be aware of the modern-day challenges involved in building web applications and make use of the latest tools available to tackle them. OWASP is committed to providing exactly that.