What is OWASP?

June 02, 2021



Owasp Logo

The Open Web Application Security Project (OWASP) is a non-profit foundation that aims to improve the security of software.

Introduction

In this blog post, we are going to introduce the main components of OWASP. OWASP tools, documentation, and methodologies are widely used and have become standard references for security teams, developers, and the organizations they work for.
With this guide, you will have a basic understanding of OWASP Cheat Sheets, OWASP Juice Shop, OWASP Mobile Security Testing Guide, OWASP Mobile Top 10, OWASP Top Ten, OWASP Risk Rating Methodology, The Web Security Testing Guide (WSTG), and OWASP Application Security Verification Standard. Before diving into the constituent components of OWASP, it would be good to understand the principles, purpose, and cost of using OWASP first.

Is It Free?

Since OWASP is a non-profit foundation, its tools and documentation are free, open, and reliable. That is probably one of the main reasons OWASP has reached its current scale, reputation, and importance. As a non-profit foundation, OWASP accepts donations. Users can take part in the OWASP community for free or join as paying members (annual or lifetime); depending on the membership type, members gain privileges such as voting in OWASP Global Board elections, training discounts, and access to professional mentoring programs. In short, OWASP is not managed by commercial interests.

OWASP Cheat Sheet Series

Owasp Cheatsheet Logo

The OWASP Cheat Sheet Series was created to provide a set of simple good practice guides for application developers and defenders to follow. Rather than focusing on detailed best practices that are impractical for many developers and applications, OWASP Cheat Sheet Series is intended to provide useful practices that most developers will actually be able to implement.

OWASP Juice Shop

OWASP JuiceShop Logo

OWASP Juice Shop is probably the most modern and sophisticated intentionally insecure web application. It can be used in security trainings, awareness demonstrations, CTFs, and as a testbed for security tools. Juice Shop contains vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications. It is written in Node.js, Express, and Angular, and was the first application written entirely in JavaScript listed in the OWASP Vulnerable Web Applications Directory. It ships with a variety of hacking challenges of varying difficulty in which the user is expected to exploit the underlying flaws. Even though the project's creator, Björn Kimminich, maintains that the initials “JS” matching those of “JavaScript” is purely coincidental, it is hard to believe that it was much of a coincidence.

OWASP Mobile Security Testing Guide (MSTG)

Image shows OWASP Mobile Security Testing Guide

The MSTG is a systematic manual for iOS and Android mobile app security testing and reverse engineering that covers the following topics:

  • Mobile platform internals
  • Security testing in the mobile app development lifecycle
  • Basic static and dynamic security testing
  • Mobile app reverse engineering and tampering
  • Assessing software protections

OWASP Mobile Top 10

OWASP Mobile Top 10 lists the most critical security risks to mobile applications and represents a broad consensus about them. In 2015, OWASP conducted a survey and issued a global Call for Data. The submissions were analyzed and used to re-categorize the Mobile Top Ten for 2016, so that the categories focus on the mobile application itself rather than the server side. The 2016 OWASP goals included updates to the wiki content (such as cross-linking to testing guides and visual exercises), gathering more data, and a PDF release.

The 2016 Top 10 Mobile Risks are:

  1. M1: Improper Platform Usage
  2. M2: Insecure Data Storage
  3. M3: Insecure Communication
  4. M4: Insecure Authentication
  5. M5: Insufficient Cryptography
  6. M6: Insecure Authorization
  7. M7: Client Code Quality
  8. M8: Code Tampering
  9. M9: Reverse Engineering
  10. M10: Extraneous Functionality

OWASP Top 10

If you work in cybersecurity or software development, you have most probably heard of the famous OWASP Top 10. It lists the ten most critical security risks to web applications and represents a broad consensus about them. Note that the entries are risk categories, not individual vulnerabilities. At the time of writing, the latest version of the list is the 2017 edition:

  1. A1 – Injection
  2. A2 – Broken Authentication
  3. A3 – Sensitive Data Exposure
  4. A4 – XML External Entities (XXE)
  5. A5 – Broken Access Control
  6. A6 – Security Misconfiguration
  7. A7 – Cross-Site Scripting (XSS)
  8. A8 – Insecure Deserialization
  9. A9 – Using Components with Known Vulnerabilities
  10. A10 – Insufficient Logging & Monitoring

Image shows OWASP top 10 which are most critical security risks to web applications

OWASP Risk Rating Methodology

Attackers can take a variety of paths through your application to harm your business or organization. Each of these paths represents a risk that may or may not be serious enough to warrant attention.

Image shows OWASP OWASP Risk Rating Path

The OWASP Risk Rating Methodology is a step-by-step procedure for estimating how severe such a risk is, so that the most serious ones are fixed first. Let’s have a look at these steps:

  • Step 1: Identifying a Risk
  • Step 2: Factors for Estimating Likelihood
  • Step 3: Factors for Estimating Impact
  • Step 4: Determining Severity of the Risk
  • Step 5: Deciding What to Fix
  • Step 6: Customizing Your Risk Rating Model

Conceptually, the overall Risk Rating is the product of two major components, Likelihood and Impact, which answer two questions: how probable is it that the risk occurs, and how much damage would it cause. In practice the methodology does not multiply two numbers; it scores each side separately, converts each score into a level, and combines the two levels in a lookup table. Likelihood is estimated from two groups of factors, threat agent factors and vulnerability factors; Impact is estimated from technical impact factors and business impact factors. Each group contains four factors rated on a 0-9 scale, and the eight ratings on each side are averaged to give the Likelihood and Impact scores, as you can see in the image below:

Image shows OWASP OWASP Risk Rating Methodology

After calculating the Likelihood and Impact scores, we classify each of them into a level:

  • 0 to less than 3: Low
  • 3 to less than 6: Medium
  • 6 to 9: High

Finally, the overall severity of the risk according to the OWASP methodology is read from the intersection of the Impact and Likelihood levels in the table below:

Image shows how to figure out the estimated threat value of our risk by OWASP standards by finding the intersection of Impact and Likelihood levels by using the table.
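The following Python script works through steps 2 to 4 of the methodology end to end. It is an added example and not code from OWASP or from the original post; the factor names, the 0-9 scale, the level thresholds and the final severity matrix follow the published methodology, while the scores for the hypothetical SQL injection finding are constructed for illustration.

```python
"""OWASP Risk Rating Methodology worked through in code.

Added example, not code from OWASP or the original post. Factor names, the
0-9 scale, the level thresholds and the severity matrix follow the published
methodology; the sample ratings below are constructed for a hypothetical
finding and are not real assessment data.
"""

# Likelihood is estimated from two groups of four factors, each rated 0-9
# (higher = more likely).
LIKELIHOOD_FACTORS = {
    "threat_agent": ("skill_level", "motive", "opportunity", "size"),
    "vulnerability": ("ease_of_discovery", "ease_of_exploit",
                      "awareness", "intrusion_detection"),
}

# Impact is likewise two groups of four factors, each rated 0-9 (higher = worse).
IMPACT_FACTORS = {
    "technical": ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability"),
    "business": ("financial_damage", "reputation_damage",
                 "non_compliance", "privacy_violation"),
}

# Step 4: the overall severity is a lookup on (likelihood level, impact level),
# not an arithmetic product of the two scores.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE",
    ("LOW", "MEDIUM"): "LOW",
    ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",
    ("MEDIUM", "MEDIUM"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",
    ("HIGH", "MEDIUM"): "HIGH",
    ("HIGH", "HIGH"): "CRITICAL",
}


def score(factor_groups: dict, ratings: dict) -> float:
    """Average all eight factor ratings of one side (likelihood or impact).

    Raises ValueError if a factor is missing or outside 0-9, so a half-filled
    worksheet cannot silently produce an artificially low score.
    """
    values = []
    for group, factors in factor_groups.items():
        for factor in factors:
            if factor not in ratings:
                raise ValueError(f"missing {group} factor: {factor}")
            value = ratings[factor]
            if not 0 <= value <= 9:
                raise ValueError(f"{factor} must be rated 0-9, got {value}")
            values.append(value)
    return sum(values) / len(values)


def level(value: float) -> str:
    """Map a 0-9 score to its level: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if value < 3:
        return "LOW"
    if value < 6:
        return "MEDIUM"
    return "HIGH"


def rate_risk(likelihood_ratings: dict, impact_ratings: dict) -> dict:
    """Run steps 2-4 and return every intermediate value for the report."""
    likelihood = score(LIKELIHOOD_FACTORS, likelihood_ratings)
    impact = score(IMPACT_FACTORS, impact_ratings)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "likelihood_level": l_level,
        "impact": impact,
        "impact_level": i_level,
        "severity": SEVERITY_MATRIX[(l_level, i_level)],
    }


# Constructed ratings for a hypothetical SQL injection in an internet-facing
# login form: easy to find and exploit by anonymous attackers, weak logging.
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9,
    "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 9,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    for key, value in rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT).items():
        print(f"{key:17} {value}")
```

For the sample finding the likelihood score is 8.25 (High) and the impact score 6.75 (High), so the lookup yields Critical. Because the two sides are levelled before they are combined, a Low likelihood with a High impact lands on Medium rather than on whatever 1.5 × 7 would suggest; step 6 of the methodology is where a team adjusts the factor weights or the matrix to its own business context.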

OWASP Web Security Testing Guide (WSTG)

The WSTG is a detailed guide to web application and web service security testing, produced by the combined efforts of cybersecurity experts and dedicated volunteers.

Penetration testers and companies all across the world use the WSTG as a reference for best practices and as a checklist of test cases.

OWASP Application Security Verification Standard (ASVS)

Image shows OWASP Application Security Verification Standard

ASVS provides a basis for verifying the technical security controls of a web application, and at the same time gives developers a list of requirements for secure development.

The OWASP ASVS is well known in the cybersecurity community as a comprehensive set of security requirements and principles that developers, architects, security experts, testers, and even end users can use to design, build, and verify secure applications. The ASVS verification requirements are grouped into the following sections: Architecture, Authentication, Session Management, Access Control, Input Validation, Cryptography at Rest, Error Handling and Logging, Data Protection, Communication Security, Malicious Code, Business Logic, Files and Resources, Web Services, and Configuration.