The Open Web Application Security Project (OWASP)
Background on OWASP
- Mission: make software security visible, so that individuals and organizations can make informed decisions.
- Operates as a community of security-minded professionals.
- OWASP issues software tools and knowledge-based documentation on application security.
- The OWASP Foundation came online on December 1st, 2001; it was established as a not-for-profit charitable organization in the United States on April 21, 2004, to ensure the ongoing availability and support for our work at OWASP.
- OWASP is an international organization, and the OWASP Foundation supports OWASP efforts around the world.
OWASP Core Values
- OPEN: Everything at OWASP is radically transparent, from our finances to our code.
- INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY: OWASP is an honest and truthful, vendor-neutral, global community.
- Free & Open
- Governed by rough consensus & running code
- Abide by a code of ethics (see ethics)
- Not driven by commercial interests
- Risk based approach
OWASP Mailing Lists
OWASP Github Organization
OWASP Member Portal
OWASP Top 10
We will be reviewing the OWASP Top 10 list in this workshop.
The OWASP Top 10 Most Critical Web Application Security Risks (as listed in the 2017 Release Candidate) are:
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Broken Access Control (original category from 2004)
- Security Misconfiguration
- Sensitive Data Exposure
- Insufficient Attack Protection (NEW)
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Underprotected APIs (NEW)
OWASP Top 10 comparison table for 2013 vs 2017
| OWASP Top 10 - 2013 | OWASP Top 10 - 2017 (Release Candidate) |
|---|---|
| A1 - Injection | A1 - Injection |
| A2 - Broken Authentication and Session Management | A2 - Broken Authentication and Session Management |
| A3 - Cross-Site Scripting (XSS) | A3 - Cross-Site Scripting (XSS) |
| A4 - Insecure Direct Object References (merged with A7) | A4 - Broken Access Control (original category in 2003/2004) |
| A5 - Security Misconfiguration | A5 - Security Misconfiguration |
| A6 - Sensitive Data Exposure | A6 - Sensitive Data Exposure |
| A7 - Missing Function Level Access Control (merged with A4) | A7 - Insufficient Attack Protection (NEW) |
| A8 - Cross-Site Request Forgery (CSRF) | A8 - Cross-Site Request Forgery (CSRF) |
| A9 - Using Components with Known Vulnerabilities | A9 - Using Components with Known Vulnerabilities |
| A10 - Unvalidated Redirects and Forwards (dropped) | A10 - Underprotected APIs (NEW) |
OWASP Top 10 risk rating scale (each risk in the list is rated on these factors)
| Threat Agents | Exploitability | Prevalence | Detectability | Technical Impact | Business Impact |
|---|---|---|---|---|---|
| App Specific | Easy | Widespread | Easy | Severe | App/Business Specific |
| App Specific | Average | Common | Average | Moderate | App/Business Specific |
| App Specific | Difficult | Uncommon | Difficult | Minor | App/Business Specific |