The Open Web Application Security Project (OWASP)

Background on OWASP

  • Its mission is to make software security visible, so that individuals and organizations can make informed decisions.
  • It operates as a community of security-minded professionals.
  • OWASP issues software tools and knowledge-based documentation on application security.
  • The OWASP Foundation came online on December 1st, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability of, and support for, the work of OWASP.
  • OWASP is an international organization, and the OWASP Foundation supports OWASP efforts around the world.

OWASP Core Values

  • OPEN: Everything at OWASP is radically transparent, from our finances to our code.
  • INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
  • GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
  • INTEGRITY: OWASP is an honest and truthful, vendor-neutral, global community.

OWASP Principles

  • Free & Open
  • Governed by rough consensus & running code
  • Abide by a code of ethics (see ethics)
  • Not-for-profit
  • Not driven by commercial interests
  • Risk based approach

OWASP Mailing Lists

Mailing Lists

OWASP Chapter

Triangle OWASP Chapter

OWASP Membership

OWASP Members

OWASP Projects

OWASP Projects

OWASP Github Organization

OWASP Github

OWASP Member Portal

Member Portal

OWASP Top 10

Top 10

We will be reviewing the OWASP Top 10 list for this workshop.

OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:

  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Broken Access Control (As it was in 2004)
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Insufficient Attack Protection (NEW)
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Underprotected APIs (NEW)

OWASP Top 10 2017 Release Candidate

OWASP Top 10 comparison table for 2013 vs 2017

| OWASP Top 10 – 2013 (Previous)                                    | OWASP Top 10 – 2017 (New)                                          |
|-------------------------------------------------------------------|--------------------------------------------------------------------|
| A1 - Injection                                                    | A1 - Injection                                                     |
| A2 - Broken Authentication and Session Management                 | A2 - Broken Authentication and Session Management                  |
| A3 - Cross-Site Scripting (XSS)                                   | A3 - Cross-Site Scripting (XSS)                                    |
| A4 - Insecure Direct Object References (Merged with A7)           | A4 - Broken Access Control (Original category in 2003/2004)        |
| A5 - Security Misconfiguration                                    | A5 - Security Misconfiguration                                     |
| A6 - Sensitive Data Exposure                                      | A6 - Sensitive Data Exposure                                       |
| A7 - Missing Function Level Access Control (Merged with A4)       | A7 - Insufficient Attack Protection (NEW)                          |
| A8 - Cross-Site Request Forgery (CSRF)                            | A8 - Cross-Site Request Forgery (CSRF)                             |
| A9 - Using Components with Known Vulnerabilities                  | A9 - Using Components with Known Vulnerabilities                   |
| A10 - Unvalidated Redirects and Forwards (Dropped)                | A10 - Underprotected APIs (NEW)                                    |

OWASP Top 10 Risk Rating Scale

Each Top 10 category is rated on the following risk factors (the scale used in the 2017 Release Candidate):

| Threat Agents | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts      |
|---------------|----------------|---------------------|------------------------|-------------------|-----------------------|
| App Specific  | Easy           | Widespread          | Easy                   | Severe            | App/Business Specific |
| App Specific  | Average        | Common              | Average                | Moderate          | App/Business Specific |
| App Specific  | Difficult      | Uncommon            | Difficult              | Minor             | App/Business Specific |
