Who are OWASP?
OWASP (Open Web Application Security Project) is an organisation providing unbiased information and advice on the security of computer and internet applications.
What is the OWASP Top 10 List?
Every few years the OWASP community comes together to review the ten most critical web application security risks, analysing vulnerability data spanning hundreds of organisations and over 100,000 real-world applications.
This is then published as the "Top 10 Web Application Security Risks", commonly shortened to the "OWASP Top 10", at https://owasp.org/www-project-top-ten/.
What is an OWASP Top 10 Web Application Security Risk?
It is important to understand that the ten items on this list are risks, or categories of things that threaten web applications: they are not individual vulnerabilities. A single risk on the list may be exploitable via dozens of different attack types, and potentially hundreds of individual vulnerabilities.
For example, as of the 2017 update, the number 2 item on the list is simply "broken authentication". In reality this covers dozens of types of flaw, including missing passwords, weak passwords, plaintext transmission of passwords, session fixation, unverified password changes and weak password recovery mechanisms, session replay attacks, hardcoded credentials, and many more.
Each of these weaknesses or flaws can in turn exist within hundreds of different software systems. Many will be uncovered in commercial and open source software and published as CVEs; many others will exist in in-house application code and must be checked for from first principles.
Can a single product detect all OWASP Top 10 Web Application Security Risks?
Since the OWASP Top 10 is a general classification of risk categories rather than a specific list of vulnerabilities that can be comprehensively checked, no single product can claim to find all OWASP Top 10 vulnerabilities: no such definitive list exists, or could ever be created. It is, however, possible to examine each risk category and evaluate how robust a given solution is at detecting the thousands of individual vulnerabilities of that type which may exist across hundreds of products.
Does AppCheck detect all OWASP Top 10 Web Application Security Risks?
AppCheck checks for a wide range of vulnerabilities in each OWASP Top 10 category to the maximum extent possible, as outlined in more detail in the informational materials below:
- https://appcheck.zendesk.com/hc/en-us/articles/115002662489-AppCheck-and-the-Owasp-Top-10-Web-Application-Security-Risks-2017-
- https://appcheck-ng.com/wp-content/uploads/AppCheckNG_OWASP_Top10.pdf
- https://appcheck-ng.com/appcheck-vs-owasp-top-10/
However, it is important to remember that vulnerability scanning should be only one component (albeit an incredibly important one) of a wider security solution set. For example, number ten on the 2017 OWASP Top 10 list relates to "insufficient logging and monitoring": some aspects of this risk category cannot be determined by remote scanning alone and should be partnered with an in-house review of logging and monitoring arrangements.
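To illustrate why a remote scanner cannot see this category on its own, the following added example (not AppCheck or OWASP code; the user store, credentials, IP addresses and log format are all constructed for the demo) shows two login handlers that return identical responses to every request, so they are indistinguishable from outside, while only one emits the audit events that an in-house monitoring rule can act on.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed demo credential store: username -> salted SHA-256 hex digest.
# A fixed salt keeps the example short; real systems use a per-user salt.
_SALT = b"constructed-demo-salt"
def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

USERS: Dict[str, str] = {"alice": _digest("correct horse battery staple")}

# In-memory stand-in for the log pipeline an in-house review would inspect.
AUDIT: List[dict] = []

def _verify(user: str, password: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))

def login_unlogged(user: str, password: str, src_ip: str) -> bool:
    """Correct authentication decision, but failed attempts leave no trace."""
    return _verify(user, password)

def login_logged(user: str, password: str, src_ip: str) -> bool:
    """Same authentication decision, plus one audit event per attempt."""
    ok = _verify(user, password)
    AUDIT.append({"event": "auth", "user": user, "src_ip": src_ip, "ok": ok})
    return ok

def failed_login_alerts(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Monitoring rule: users with at least `threshold` failed logins in the events."""
    fails = Counter(e["user"] for e in events if e["event"] == "auth" and not e["ok"])
    return {user: n for user, n in fails.items() if n >= threshold}

def demo() -> Tuple[bool, Dict[str, int]]:
    # Constructed traffic: six wrong passwords for alice, then one correct login.
    attempts = [("alice", f"guess{i}", "203.0.113.5") for i in range(6)]
    attempts.append(("alice", "correct horse battery staple", "198.51.100.7"))
    unlogged = [login_unlogged(*a) for a in attempts]
    AUDIT.clear()
    logged = [login_logged(*a) for a in attempts]
    # Externally the handlers behave identically; only the logged one feeds monitoring.
    return unlogged == logged, failed_login_alerts(AUDIT)

if __name__ == "__main__":
    same_responses, alerts = demo()
    print("responses identical:", same_responses)  # True
    print("monitoring alerts:", alerts)             # {'alice': 6}
```

A scanner probing either endpoint sees the same accept/reject behaviour; whether the six failures ever reach a monitoring rule is only visible by reviewing the logging arrangements themselves.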