Nigel Brown is the technical director at dotRetailer.com, with over 20 years of industry knowledge and practical experience with a particular interest in eCommerce, Web Security & Azure Cloud technology.
OWASP (The Open Web Application Security Project) is a not-for-profit worldwide charitable organisation focused on improving the security of web application software. Their mission is to make application security visible, so that people and organisations can make informed decisions about true application security risks.
They have recently published their updated list of the Top 10 vulnerabilities that impact web applications. The research is compiled from reviewing the security risks of 116,000 applications, as well as information obtained from Bug Crowd (a vulnerability assessment and bug bounty programme organisation).
OWASP rates each risk according to its:
- Attack Vectors (Application Specific & Exploitability)
- Security Weakness (Prevalence & Detectability)
- Impacts (both Technical & Business)
The OWASP Top 10 list was last updated in 2013, so there has been quite a lot of change since then.
A web application is a very generic term, but basically it's everything from your corporate website, eCommerce website, online applications, payment systems, mobile apps, APIs etc.
There are some changes to the previous 2013 list: two entries, namely Insecure Direct Object References and Missing Function Level Access Control, have been merged into a single category called "Broken Access Control", and there are some new entries: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring.
OWASP retired Cross-Site Request Forgery (CSRF) along with Unvalidated Redirects and Forwards, as these are no longer widely an issue in current application development, appearing in only 5% and 8% of applications respectively.
This is the list of the top 10 OWASP vulnerabilities.
SQL Injection still remains the top vulnerability.
It's important to understand the relevance of these vulnerabilities and the impact they could have on your business.