The Open Web Application Security Project (OWASP) is a non-profit foundation that aims to improve the security of software.
In this blog post, we are going to introduce the general features of OWASP. OWASP tools, sources, and cybersecurity approaches are widely used and are essential for most employees and corporations.
With this guide, you will have a basic understanding of OWASP Cheat Sheets, OWASP Juice Shop, OWASP Mobile Security Testing Guide, OWASP Mobile Top 10, OWASP Top Ten, OWASP Risk Rating Methodology, The Web Security Testing Guide (WSTG), and OWASP Application Security Verification Standard. Before diving into the constituent components of OWASP, it would be good to understand the principles, purpose, and cost of using OWASP first.
Since OWASP is a non-profit foundation, most of its tools and resources are free, open, and reliable. That is probably one of the main reasons OWASP has reached its current scale of use, reputation, and importance. As a non-profit foundation, OWASP accepts donations. Users can join the OWASP community by paying a monthly or annual fee, or by taking out a lifetime membership. Depending on the membership type, members gain privileges such as voting in OWASP Global Board elections, training discounts, and access to professional mentoring programs. In conclusion, OWASP is not managed by commercial interests.
The OWASP Cheat Sheet Series was created to provide a set of simple good-practice guides for application developers and defenders to follow. Rather than focusing on detailed best practices that are impractical for many developers and applications, the OWASP Cheat Sheet Series is intended to provide useful practices that most developers will actually be able to implement.
The OWASP Mobile Security Testing Guide (MSTG) is a systematic manual for iOS and Android mobile app security testing and reverse engineering that covers the following topics:
- Mobile platform internals
- Security testing in the mobile application development process
- Security testing, both static and dynamic
- Reverse engineering and tampering with mobile apps
- Assessing software security
OWASP Mobile Top 10 lists the most critical security risks to mobile applications and represents a broad consensus about them. In 2015, OWASP performed a survey and initiated a global Call for Data submission. This helped them analyze and re-categorize the OWASP Mobile Top Ten for 2016, so that the top ten categories focused on the mobile application itself rather than the server. The 2016 OWASP goals included updates to the wiki content (such as cross-linking to testing guides and visual exercises), generation of more data, and a PDF release.
The Top 10 Mobile Risks included:
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
If you work in the cybersecurity or software development field, you have most probably heard of the famous OWASP Top 10 Security Vulnerabilities. The OWASP Top Ten lists the ten most critical security risks to web applications and represents a broad consensus about them. The latest version of the list was shared in 2017:
- A1 – Injection
- A2 – Broken Authentication
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging & Monitoring
Attackers can take a variety of routes through your application to cause damage to your company or organization. Each of these routes entails a risk that may or may not be significant enough to attract attention.
The OWASP Risk Rating Methodology is a procedure of several steps for classifying threats. Let’s have a look at these steps:
- Step 1: Identifying a Risk
- Step 2: Factors for Estimating Likelihood
- Step 3: Factors for Estimating Impact
- Step 4: Determining Severity of the Risk
- Step 5: Deciding What to Fix
- Step 6: Customizing Your Risk Rating Model
As you can see, the overall Risk Rating is basically calculated by multiplying two major components, Likelihood and Impact. As their names suggest, these two components answer two questions: how probable is it that the risk occurs, and how much damage would it cause? First, we need to estimate the Likelihood and the Impact, each from two different groups of factors. Each of those groups in turn has four factors, each rated on a 0-9 scale, as you can see in the image below:
After calculating the Likelihood and Impact, we need to classify their levels:
- 0-3 corresponds to Low Level
- 3-6 corresponds to Medium Level
- 6-9 corresponds to High Level
And finally, we can determine the estimated severity of our risk by OWASP standards by finding the intersection of the Impact and Likelihood levels in the table below:
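The steps above can be carried out in a few lines of code. The following is an added example written for this post, not an OWASP tool: it averages the eight Likelihood factors and the four Impact factors (business impact when rated, otherwise technical impact, which is the choice the methodology recommends), maps each average to the Low/Medium/High band, and looks the pair up in the Likelihood × Impact severity table. The factor names follow the OWASP methodology page; the sample ratings in `SAMPLE` are constructed for illustration.

```python
# Added example of the OWASP Risk Rating Methodology described above.
# Not OWASP code; factor names follow the methodology page, and the
# ratings in SAMPLE are constructed values, not a real assessment.

# Likelihood factor groups (each factor is rated 0-9).
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")
# Impact factor groups (each factor is rated 0-9).
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# Overall severity table: SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score):
    """Map a 0-9 score to the band used by the methodology."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 rating scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(ratings, names):
    """Average the named factors; every one must be present and rated 0-9."""
    missing = [n for n in names if n not in ratings]
    if missing:
        raise KeyError(f"missing factor ratings: {missing}")
    values = [ratings[n] for n in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("each factor must be rated on the 0-9 scale")
    return sum(values) / len(values)


def likelihood(ratings):
    """Likelihood = average of threat-agent and vulnerability factors."""
    return average(ratings, THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS)


def impact(ratings, use_business=True):
    """Prefer the business impact when it has been rated, else technical."""
    if use_business and all(n in ratings for n in BUSINESS_IMPACT_FACTORS):
        return average(ratings, BUSINESS_IMPACT_FACTORS)
    return average(ratings, TECHNICAL_IMPACT_FACTORS)


def rate_risk(ratings, use_business=True):
    """Return the scores, their bands and the overall severity for one risk."""
    lik, imp = likelihood(ratings), impact(ratings, use_business)
    lik_level, imp_level = level(lik), level(imp)
    return {
        "likelihood": lik, "likelihood_level": lik_level,
        "impact": imp, "impact_level": imp_level,
        "severity": SEVERITY[imp_level][lik_level],
    }


# Constructed sample ratings for a hypothetical finding.
SAMPLE = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5,
    "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 8,
    "financial_damage": 1, "reputation_damage": 3,
    "non_compliance": 2, "privacy_violation": 5,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE))                      # business impact used
    print(rate_risk(SAMPLE, use_business=False))  # technical impact only
```

Running the sample shows why the choice of impact factors matters: the same finding rates Likelihood 6.0 (High) either way, but comes out as Medium severity when its low business impact is used and as Critical when only the technical impact is considered. Keeping both values in the output makes that difference visible when you decide what to fix first.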
The Web Security Testing Guide (WSTG) is a detailed guide to web application and web service security testing, produced by the combined efforts of cybersecurity experts and committed volunteers.
Penetration testers and companies all across the world use the WSTG as a guideline for best practices.
The Application Security Verification Standard (ASVS) is used as a model for checking the technical security controls of a web application. It also gives developers a list of requirements for secure development.
The OWASP ASVS is well-known in the cybersecurity community as a comprehensive list of security standards and principles that developers, architects, security experts, testers, and even end-users may use to design, create, and test highly secure applications. The ASVS checklist for security audits consists of the following sections: Architecture, Authentication, Session Management, Access Control, Input Validation, Cryptography at Rest, Error Handling and Logging, Data Protection, Communication Security, Malicious Code, Business Logic, Files and Resources, Web Service and Configuration.