The OWASP Top 10 for 2021 is the most current edition of the list that cybersecurity professionals the world over refer to most. This data-driven compilation is a well-researched set of common vulnerabilities that cyber attackers exploit; developers and app companies would be wise to build defences against them into their apps.
The Open Web Application Security Project (OWASP) is an online community of security research teams and firms that work on improving the security of software. OWASP maintains several lists, such as the ‘OWASP API Security – Top 10’ and the ‘OWASP Mobile Top 10’, that target specific classes of vulnerabilities. To help the industry keep up with the fast pace set by cyber attackers, each list is revised at 3-4 year intervals so that the security standards account for newly emerging vulnerabilities. Each Top 10 list has its own set of internal test cases that help developers and security auditors understand and address the vulnerabilities.
OWASP has become the globally accepted industry standard for maintaining software security and provides articles, methodologies, documentation, tools, and technologies to facilitate web application security, free of cost.
Understanding Common Weaknesses and Common Vulnerabilities and Exposures (CWE and CVE)
Over the years, OWASP has documented common weaknesses and vulnerabilities and thereby helped improve information security (Infosec), IT security (IT sec), and network security (Netsec). Some of the most common vulnerabilities included in the lists were Cross-Site Scripting (XSS), Distributed Denial of Service (DDoS), SQL injection, Runtime Application Self-Protection (RASP), Broken Access Control, and Security Misconfiguration. These are umbrella terms, each with many internal test cases and cheat sheets specific to that vulnerability. Cheat sheets are regularly revised and updated documents that recommend best practices for various situations.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are among the most common attacks that exploit the vulnerability of security misconfiguration. DoS occurs when a single attacker system is able to exploit a vulnerability and disrupt service to the end user, whereas DDoS attacks are much more widespread and harmful to a system. DDoS makes use of victim machines to execute coordinated, simultaneous attacks on a server, saturating its bandwidth and denying service to the end user. These complicated attacks are also very costly, as they require a huge amount of bandwidth to execute; hence, they can be hard to simulate. Companies like Cloudflare offer cloud services that distribute the service across different server locations, making them resistant to DDoS and DoS attacks. Another way to preempt these attacks is to conduct performance tests in the design phase. Performance testing vendors will perform a load test in which they send multiple requests to the server and analyze its performance to provide customers with the peaks and lows that indicate the maximum number of users the server can withstand in a particular time period. Many e-commerce apps also use limited-time sales to test the bandwidth of their servers. Another feasible way to conduct these performance tests is to hire services on the dark web that have access to the necessary resources to replicate a DDoS attack.
Should cybersecurity professionals use the OWASP Top 10 or ASVS (Application Security Verification Standard)?
The software security situation in India is especially lax: most systems are outdated and not equipped with even the most basic antivirus, making them all the more susceptible to becoming victim machines. That is all the more reason for an exhaustive approach that addresses these issues systematically. At what stage can security teams benefit from the OWASP Top 10? And is it enough?
Companies can use the OWASP Top 10 as a basis for reviewing their application, confirming that it meets the standard, and adding the relevant security controls where it does not. Alternatively, teams can use the OWASP Application Security Verification Standard (ASVS) as a guide for drawing up comprehensive security requirements while developing the application, building in the relevant security controls, and implementing the required coding standards. ASVS is an exhaustive list of items that gives you a recommended approach specific to your situation. It is a dedicated document made available to stakeholders, architects, development teams, security testing teams, and others.
Let us take the first phase of any security activity as an example:
Any organization that wants to address security scenarios and risks must start with architecture reviews and with design and threat modeling reviews. It has to have a secure software development lifecycle and verify the authentication architecture, session management, and so on. ASVS then discusses these topics in even greater detail. Implementing the secure software development lifecycle (SSDL) ensures that security standards are maintained and the code is always secure.
ASVS provides different levels (L1, L2, L3) so that the depth of verification can be matched to the sensitivity of the data an application handles. ASVS also contains the ‘OWASP Code Review Guide’, which elaborates on code-related security fixes. The guide provides examples of bad code in different programming languages (Java, .NET, Python, etc.) and gives security auditors instructions and references for reviewing particular vulnerabilities. These examples, along with the code templates, provide direct preemptive fixes for specific vulnerabilities.
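The bad-code / fixed-code pairing that a code review works from, shown here for SQL injection (one of the vulnerabilities listed above) in Python. This is an added example, not code from the OWASP Code Review Guide or from this article; the in-memory SQLite table and the test inputs are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration.

    Passwords are stored in plaintext only to keep the example short;
    real code stores a salted hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_bad(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bad code: input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the query instead of being data.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed code: bound parameters reach the engine as values, so the same
    # input is compared literally and can never alter the query.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed review input: a password that closes the string literal and
# appends an always-true condition (the classic tautology test case).
TAUTOLOGY = "' OR '1'='1"


def review_demo() -> dict:
    """Return the outcome of both implementations for the same inputs."""
    conn = make_db()
    return {
        "bad_valid": login_bad(conn, "alice", "correct horse"),
        "bad_tautology": login_bad(conn, "alice", TAUTOLOGY),
        "fixed_valid": login_fixed(conn, "alice", "correct horse"),
        "fixed_tautology": login_fixed(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in review_demo().items():
        print(f"{name}: login {'accepted' if result else 'rejected'}")
```

The reviewer's finding is the `bad_tautology` row: the bad version accepts the login with a wrong password, while the fixed version rejects the same input.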
OWASP’s ASVS approach is the most thorough and robust way to ensure your security model has no gaps whatsoever. However, because of its exhaustive nature, it is a deep dive that requires a big time commitment, something most companies are short on. In such situations, obtaining a vendor security audit report stating that the app is free from the OWASP Top 10 vulnerabilities will allow a faster product release. Verifying security against the OWASP Top 10 is definitely a basic and effective step toward software security, as it addresses current industry threats. However, ASVS should be the standard approach, as its holistic and robust nature makes it the ideal way to build security into your app.