The Open Web Application Security Project (OWASP) is a non-profit foundation that aims to improve the security of software. OWASP tools, sources, and cybersecurity approaches are widely used and are essential for most employees and corporations.
With this guide, you will have a basic understanding of OWASP Cheat Sheets, OWASP Juice Shop, OWASP Mobile Security Testing Guide, OWASP Mobile Top 10, OWASP Top Ten, OWASP Risk Rating Methodology, The Web Security Testing Guide (WSTG), and OWASP Application Security Verification Standard.
Before diving into the constituent components of OWASP, it would be good to understand the principles, purpose, and cost of using OWASP first.
Is It Free?
Since OWASP is a non-profit foundation, most of the tools are free and open, not to mention reliable, sources. In addition, it’s reliable. That is probably one of the main reasons that OWASP has reached its mass usage size, reputation, and importance today.
As a non-profit foundation, OWASP accepts donations. Users can join the OWASP community by making monthly/annual payments or free for a lifetime. Based on the membership type, users gain privileges like voting in OWASP Global Board elections, training discounts, and access to professional mentoring programs. In conclusion, OWASP is not managed by commercial interests.
OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series is an incredibly valuable resource for application developers and security professionals alike. The series provides concise and actionable information on various topics.
One of the unique aspects of the OWASP Cheat Sheet Series is that it does not focus on detailed best practices that are impractical for many developers and applications. Instead, the series is intended to provide practical, useful practices that most developers will actually be able to implement.
OWASP Juice Shop
OWASP Juice Shop can be stated as the most modern and at the same time, complex insecure web application. You can use it in security training, awareness demonstrations, CTFs, and as a testbed for security software. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security problems seen in real-world applications. Juice Shop is written in Node.js, Express, and Angular. It was the first application written entirely in JavaScript listed in the OWASP Vulnerable Web Applications Directory.
The software includes a variety of hacking challenges of different severity in which the user is expected to exploit the underlying flaws. Even though the creator of the project, Björn Kimminich, claims that the initials “JS” matching with those of “JavaScript” was purely coincidental, it is hard to believe that this was much of a coincidence.
OWASP Mobile Security Testing Guide (MSTG)
The MSTG is a systematic manual for iOS and Android mobile app security testing and reverse engineering that includes the following topics:
- Mobile platform internals.
- Security testing for mobile application development.
- Security testing, both static and dynamic.
- Reverse engineering and tampering with mobile apps.
- Examining software security.
This article may interest you: What is Cloud Security?
OWASP Mobile Top 10
OWASP Mobile Top 10 consists of the most critical security risks to mobile applications. It represents a broad consensus about the most critical security risks to mobile applications. In 2015, OWASP performed a survey and initiated a Call for Data submission globally. This helped them to analyze and re-categorize the OWASP Mobile Top Ten for 2016. In this way, the top ten categories were more focused on Mobile applications rather than the Server.
2016 OWASP goals included updates to the wiki content (such as cross-linking to testing guides, and visual exercises), generation of more data, and a PDF release.
The Top 10 Mobile Risks included:
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
OWASP Top 10
If you work in the cybersecurity or software development field, you’ve most probably heard of the famous OWASP Top 10 Security Vulnerabilities. OWASP Top Ten reflects the Top 10 most critical security risks to web applications. It represents a broad consensus about the most critical security risks to web applications. The latest version of the list was shared in 2017:
- A1 – Injection
- A2 – Broken Authentication
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging & Monitoring
Also see: A Closer Look at OWASP Top 10 Security Risks & Vulnerabilities
OWASP Risk Rating Methodology
Attackers can take a variety of routes through your application to cause damage to your company or organization. Each of these routes entails a risk that may or may not be significant enough to attract attention.
OWASP Risk Rating Methodology is the procedure of following a path of several steps for the classification of threats. Let’s have a look at these steps:
- Step 1: Identifying a Risk
- Step 2: Factors for Estimating Likelihood
- Step 3: Factors for Estimating Impact
- Step 4: Determining the Severity of the Risk
- Step 5: Deciding What to Fix
- Step 6: Customizing Your Risk Rating Model
As you can see, the overall Risk Rating is basically calculated by multiplying two major components – Likelihood and Impact. These two components, as the name suggests, could be explained with two questions:
- What is the probability of the risk occurring?
- How much damage it will cause?
First, we need to calculate the Likelihood and Impact with two different factors for each. Each of those factors has also four different factors for calculation as you can see in the image below:
After calculating the Likelihood and Impact, we need to classify their levels: 0-3 corresponds to Low Level 3-6 corresponds to Medium Level 6-9 corresponds to High Level and finally, we can figure out the estimated threat value of our risk by OWASP standards by finding the intersection of Impact and Likelihood levels by using the table below:
OWASP Web Security Testing Guide (WSTG)
WSTG serves as a detailed guide to web application and web service security testing that is formed as a result of the combined efforts of cybersecurity experts and committed volunteers.
Penetration testers and companies all across the world utilize WSTG as a guideline for best practices.
OWASP Application Security Verification Standard (ASVS)
ASVS is used as a model for checking the technical security controls of a web application. Also, it provides a list of specifications for secure development to developers.
The OWASP ASVS is well-known in the cybersecurity community as a comprehensive list of security standards and principles that developers, architects, security experts, testers, and even end-users may use to design, create, and test highly secure applications.
The ASVS checklist for security audits consists of the following sections:
- Architecture
- Authentication
- Session Management
- Access Control
- Input Validation
- Cryptography at Rest
- Error Handling and Logging
- Data Protection
- Communication Security
- Malicious Code
- Business Logic
- Files and Resources
- Web Service and Configuration
In summary
The Open Web Application Security Project (OWASP) is a crucial resource for software developers and cybersecurity professionals. With its extensive range of tools, approaches, and sources, OWASP has become a trusted and reliable foundation for many employees and corporations worldwide. Thanks to OWASP, individuals, and organizations can prioritize their cybersecurity efforts and improve their software security.
From the OWASP Cheat Sheets to the OWASP Application Security Verification Standard, each component of OWASP serves a unique purpose in enhancing software security and mitigating risks. By utilizing these resources and following best practices, developers can create more secure applications that protect against a range of vulnerabilities and threats.
To ensure your security, explore our Vulnerability Management and Risk & Compliance services on our website.
