Appalachia Technologies Blog
Allergic to Bees? Don’t Get Stung by the OWASP Top 10
OWASP - is it something we don’t want to get stung by, or is it here to protect us? In cybersecurity, we’ve all heard the term, but what is it really?
If your organization develops software, or is responsible for protecting software it uses, you should get familiar with this reference. Founded in December 2001, OWASP, the Open Web Application Security Project, is a nonprofit foundation that works to improve the security of software. Through community-led open-source projects and tens of thousands of members, OWASP has become the de facto global standard for software security.
If an organization has so much as a public website, that site is very likely being tested against what is commonly referred to as the “OWASP Guidelines”. In fact, you will often hear the OWASP Top 10 mentioned in the context of a web application penetration test. The OWASP Top 10 is simply a list of the ten security risks that are most common, and most damaging, in web applications. The list is updated every 2 to 4 years. The current (2021) Top 10 are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
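To make one of these categories concrete, here is a small worked example of Injection (the third item above) that is added to this post and is not code from the original article or from OWASP. It uses an in-memory SQLite table with constructed sample users, shows a login query that concatenates user input into SQL text, and shows the same check done with a parameterized query. The classic `' OR '1'='1` payload bypasses the first and fails against the second. The table, usernames, and passwords are invented for the demonstration; storing passwords in plain text as the toy does would itself fall under Cryptographic Failures and is only done here to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Constructed sample data for the demo only. Plain-text passwords are
    # themselves an OWASP "Cryptographic Failures" problem; a real system
    # stores a salted password hash, never the password.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection: user input is pasted straight into the SQL text.

    A single quote in either field changes the structure of the query,
    so an attacker controls the WHERE clause instead of just a value.
    """
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the SQL text is fixed and values are bound by the driver.

    Quotes in the input are treated as data, never as SQL syntax, so the
    same payload simply fails to match any row.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run a legitimate login and an injection attempt against both versions."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology payload, sent as the password
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "nobody", payload),
        "legit_hardened": login_hardened(conn, "alice", "s3cret"),
        "attack_hardened": login_hardened(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login succeeded' if outcome else 'login rejected'}")
```

With the vulnerable function the attacker's password turns the query into `... AND password = '' OR '1'='1'`, which is true for every row, so a user who does not exist is logged in. The hardened function runs the identical logic but never lets input reach the SQL parser, which is the single most effective defense OWASP recommends for this category.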
A widely used tool called Burp Suite, an intercepting proxy and web application testing platform, is the workhorse of many ethical hackers (aka penetration testers). Although it is complex and requires a high skill set, it is built for exactly the kind of testing that uncovers the OWASP Top 10 categories of flaws.
In previous years, application security was a major oversight. Although companies hired professionals to perform penetration tests, those tests mostly focused on the external side of an organization’s network: firewalls, DNS servers, email servers, and other hosts exposed to the outside. Application security is still overlooked by many organizations, but awareness is finally increasing. Companies are realizing the potential impact if their public-facing web application were hacked. Nearly every organization has a website, and even a simple defacement can cause major havoc: loss of sales, reputational damage, or the disclosure of data.
The takeaway is simple. If your organization has a public-facing website, or even an internal web interface, it should be tested often and on a regular schedule. Developers frequently design applications to be convenient and easy to use but simply overlook security controls. Developers should be familiar with OWASP and design with its standards in mind.
Over the next few weeks, we will break down some of these Top 10 risks in terms that anyone can follow. You will find that a dedicated effort to understand the risk each of these vulnerabilities carries makes it much easier to justify and prioritize remediation. Simply by understanding the vulnerabilities, developers can program with the mindset of keeping applications safe.
If you would like to learn more specifically about the OWASP Guidelines and OWASP Top 10, you can visit www.owasp.org or reach out to us at Appalachia Technologies.
Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.