Messages
Proposals
Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.
Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support
OWASP Top 10 - 2017 The Ten Most Critical Web Application Security Risks
This work is licensed under a
Creative Commons Attribution-ShareAlike 4.0 International Licensehttps://owasp.org
https://creativecommons.org/licenses/by-sa/4.0/
http://creativecommons.org/licenses/by-sa/4.0/
1
Copyright and License
Copyright © 2003 – 2017 The OWASP Foundation
This document is released under the Creative Commons Attribution Share-Alike 4.0 license.
For any reuse or distribution, you must make it clear to others the license terms of this work.
Table of Contents About OWASP
The Open Web Application Security Project (OWASP) is an
open community dedicated to enabling organizations to
develop, purchase, and maintain applications and APIs that
can be trusted.
At OWASP, you'll find free and open:
• Application security tools and standards.
• Complete books on application security testing, secure code development, and secure code review.
• Presentations and videos. • Cheat sheets on many common topics. • Standard security controls and libraries. • Local chapters worldwide. • Cutting edge research. • Extensive conferences worldwide. • Mailing lists.
Learn more at: https://www.owasp.org.
All OWASP tools, documents, videos, presentations, and
chapters are free and open to anyone interested in improving
application security.
We advocate approaching application security as a people,
process, and technology problem, because the most
effective approaches to application security require
improvements in these areas.
OWASP is a new kind of organization. Our freedom from
commercial pressures allows us to provide unbiased,
practical, and cost-effective information about application
security.
OWASP is not affiliated with any technology company,
although we support the informed use of commercial security
technology. OWASP produces many types of materials in a
collaborative, transparent, and open way.
The OWASP Foundation is the non-profit entity that ensures
the project's long-term success. Almost everyone associated
with OWASP is a volunteer, including the OWASP board,
chapter leaders, project leaders, and project members.
We support innovative security research with grants and
infrastructure.
Come join us!
TOC Table of Contents
TOC - About OWASP ……………………………… 1
FW - Foreword …………..………………...……… 2
I - Introduction ………..……………….……..… 3
RN - Release Notes …………..………….…..….. 4
Risk - Application Security Risks…………….…… 5
T10 - OWASP Top 10 Application Security
Risks – 2017 …………..……….....….…… 6
A1:2017 - Injection …….………..……………………… 7
A2:2017 - Broken Authentication ……………………... 8
A3:2017 - Sensitive Data Exposure ………………….. 9
A4:2017 - XML External Entities (XXE) ……………... 10
A5:2017 - Broken Access Control ……………...…….. 11
A6:2017 - Security Misconfiguration ………………….. 12
A7:2017 - Cross-Site Scripting (XSS) ….…………….. 13
A8:2017 - Insecure Deserialization ……………………14
A9:2017 - Using Components with Known
Vulnerabilities .……………………………… 15
A10:2017 - Insufficient Logging & Monitoring….…..….. 16
+D - What’s Next for Developers ….………..….. 17
+T - What’s Next for Security Testers .……..….. 18
+O - What’s Next for Organizations ….....…….... 19
+A - What’s Next for Application Managers ...... 20
+R - Note About Risks ……..……………………. 21
+RF - Details About Risk Factors ……………..…. 22
+DAT - Methodology and Data …..………………… 23
+ACK - Acknowledgements ………………..………. 24
http://creativecommons.org/licenses/by-sa/3.0/
https://www.youtube.com/user/OWASPGLOBAL
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Chapter
https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
https://lists.owasp.org/mailman/listinfo
https://www.owasp.org
2
Foreword
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software
becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The
rapid pace of modern software development processes makes the most common risks essential to discover and resolve
quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this
OWASP Top 10.
A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, more than for any other equivalent
OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for
OWASP to get the Top 10 right for the majority of use cases.
Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers,
it has become the de facto application security standard.
In this release, issues and recommendations are written concisely and in a testable way to assist with the adoption of the
OWASP Top 10 in application security programs. We encourage large and high performing organizations to use the OWASP
Application Security Verification Standard (ASVS) if a true standard is required, but for most, the OWASP Top 10 is a great
start on the application security journey.
We have written up a range of suggested next steps for different users of the OWASP Top 10, including What’s Next for
Developers, What’s Next for Security Testers, What’s Next for Organizations, which is suitable for CIOs and CISOs, and
What’s Next for Application Managers, which is suitable for application managers or anyone responsible for the lifecycle of
the application.
In the long term, we encourage all software development teams and organizations to create an application security program
that is compatible with your culture and technology. These programs come in all shapes and sizes. Leverage your
organization's existing strengths to measure and improve your application security program using the Software Assurance
Maturity Model.
We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with
your questions, comments, and ideas at our GitHub project repository:
• https://github.com/OWASP/Top10/issues
You can find the OWASP Top 10 project and translations here:
• https://www.owasp.org/index.php/top10
Lastly, we wish to thank the founding leadership of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their
efforts, and believing in us to get this finished with the community's help. Thank you!
• Andrew van der Stock
• Brian Glas
• Neil Smithline
• Torsten Gigler
Project Sponsorship
Thanks to Autodesk for sponsoring the OWASP Top 10 - 2017.
Organizations and individuals that have provided vulnerability prevalence data or other assistance are listed on the
Acknowledgements page.
FW Foreword
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://github.com/OWASP/Top10/issues
https://www.owasp.org/index.php/top10
https://www.autodesk.com/
3
Welcome to the OWASP Top 10 - 2017!
This major update adds several new issues, including two issues selected by the community - A8:2017-Insecure
Deserialization and A10:2017-Insufficient Logging and Monitoring. Two key differentiators from previous OWASP Top 10
releases are the substantial community feedback and extensive data assembled from dozens of organizations, possibly the
largest amount of data ever assembled in the preparation of an application security standard. This provides us with
confidence that the new OWASP Top 10 addresses the most impactful application security risks currently facing
organizations.
The OWASP Top 10 - 2017 is based primarily on 40+ data submissions from firms that specialize in application security and
an industry survey that was completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of
organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to
this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.
A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the
consequences of the most common and most important web application security weaknesses. The Top 10 provides basic
techniques to protect against these high risk problem areas, and provides guidance on where to go from here.
Roadmap for future activities
Don't stop at 10. There are hundreds of issues that could
affect the overall security of a web application as discussed
in the OWASP Developer's Guide and the OWASP Cheat
Sheet Series. These are essential reading for anyone
developing web applications and APIs. Guidance on how to
effectively find vulnerabilities in web applications and APIs
is provided in the OWASP Testing Guide.
Constant change. The OWASP Top 10 will continue to
change. Even without changing a single line of your
application's code, you may become vulnerable as new
flaws are discovered and attack methods are refined.
Please review the advice at the end of the Top 10 in What's
Next For Developers, Security Testers, Organizations, and
Application Managers for more information.
Think positive. When you're ready to stop chasing
vulnerabilities and focus on establishing strong application
security controls, the OWASP Proactive Controls project
provides a starting point to help developers build security
into their application and the OWASP Application Security
Verification Standard (ASVS) is a guide for organizations
and application reviewers on what to verify.
Use tools wisely. Security vulnerabilities can be quite
complex and deeply buried in code. In many cases, the
most cost-effective approach for finding and eliminating
these weaknesses is human experts armed with advanced
tools. Relying on tools alone provides a false sense of
security and is not recommended.
Push left, right, and everywhere. Focus on making
security an integral part of your culture throughout your
development organization. Find out more in the OWASP
Software Assurance Maturity Model (SAMM).
Attribution
We'd like to thank the organizations that contributed their
vulnerability data to support the 2017 update. We received
more than 40 responses to the call for data. For the first
time, all the data contributed to a Top 10 release, and the full
list of contributors is publicly available. We believe this is one
of the larger, more diverse collections of vulnerability data
ever publicly collected.
As there are more contributors than space here, we have
created a dedicated page to recognize the contributions
made. We wish to give heartfelt thanks to these
organizations for being willing to be on the front lines by
publicly sharing vulnerability data from their efforts. We hope
this will continue to grow and encourage more organizations
to do the same and possibly be seen as one of the key
milestones of evidence-based security. The OWASP Top 10 would not be possible without these amazing contributions.
A big thank you to the more than 500 individuals who took
the time to complete the industry ranked survey. Your voice
helped determine two new additions to the Top 10. The
additional comments, notes of encouragement,
and criticisms were all appreciated. We know your time is
valuable and we wanted to say thanks.
We would like to thank those individuals who have
contributed significant constructive comments and time
reviewing this update to the Top 10. As much as possible,
we have listed them on the ‘Acknowledgements’ page.
And finally, we'd like to thank in advance all the translators
out there who will translate this release of the Top 10 into
numerous different languages, helping to make the OWASP
Top 10 more accessible to the entire planet.
I Introduction
https://www.owasp.org/index.php/OWASP_Guide_Project
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Testing_Project
https://www.owasp.org/index.php/OWASP_Proactive_Controls
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/OWASP_SAMM_Project
4
What changed from 2013 to 2017? Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re- written each risk from the ground up, and added references to frameworks and languages that are now commonly used.
Over the last few years, the fundamental technology and architecture of applications has changed significantly:
• Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.
• Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
• JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
New issues, supported by data:
• A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools (SAST) data sets.
New issues, supported by the community:
We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:
• A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.
• A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.
Merged or retired, but not forgotten:
• A4-Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access Control.
• A8-Cross-Site Request Forgery (CSRF), as many frameworks include CSRF defenses, it was found in only 5% of applications.
• A10-Unvalidated Redirects and Forwards, while found in approximately 8% of applications, it was edged out overall by XXE.
OWASP Top 10 - 2013 OWASP Top 10 - 2017
A1 – Injection A1:2017-Injection
A2 – Broken Authentication and Session Management A2:2017-Broken Authentication
A3 – Cross-Site Scripting (XSS) A3:2017-Sensitive Data Exposure
A4 – Insecure Direct Object References [Merged+A7] ∪ A4:2017-XML External Entities (XXE) [NEW]
A5 – Security Misconfiguration A5:2017-Broken Access Control [Merged]
A6 – Sensitive Data Exposure A6:2017-Security Misconfiguration
A7 – Missing Function Level Access Contr [Merged+A4] ∪ A7:2017-Cross-Site Scripting (XSS)
A8 – Cross-Site Request Forgery (CSRF) A8:2017-Insecure Deserialization [NEW, Community]
A9 – Using Components with Known Vulnerabilities A9:2017-Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards A10:2017-Insufficient Logging&Monitoring [NEW,Comm.]
RN Release Notes
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
5
What Are Application Security Risks? Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.
Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult. Similarly, the harm that is caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine your overall risk.
Weakness
Attack
Threat Agents
ImpactWeakness
Attack
Attack Vectors
Security Weaknesses
Technical Impacts
Business Impacts
Attack
Impact
Impact
Asset
Function
Asset
Weakness
Control
Control
ControlWeakness
Security Controls
Risk Application Security Risks
What’s My Risk? The OWASP Top 10 focuses on identifying the most serious web application security risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the OWASP Risk Rating Methodology.
In this edition, we have updated the risk rating system to assist in calculating the likelihood and impact of any given risk. For more details, please see Note About Risks.
Each organization is unique, and so are the threat actors for that organization, their goals, and the impact of any breach. If a public interest organization uses a content management system (CMS) for public information and a health system uses that same exact CMS for sensitive health records, the threat actors and business impacts can be very different for the same software. It is critical to understand the risk to your organization based on applicable threat agents and business impacts.
Where possible, the names of the risks in the Top 10 are aligned with Common Weakness Enumeration (CWE) weaknesses to promote generally accepted naming conventions and to reduce confusion.
Threat
Agents Exploitability
Weakness
Prevalence
Weakness
Detectability
Technical
Impacts
Business
Impacts
Appli-
cation
Specific
Easy: 3 Widespread: 3 Easy: 3 Severe: 3
Business
Specific Average: 2 Common: 2 Average: 2 Moderate: 2
Difficult: 1 Uncommon: 1 Difficult: 1 Minor: 1
References
OWASP
• OWASP Risk Rating Methodology
• Article on Threat/Risk Modeling
External
• ISO 31000: Risk Management Std
• ISO 27001: ISMS
• NIST Cyber Framework (US)
• ASD Strategic Mitigations (AU)
• NIST CVSS 3.0
• Microsoft Threat Modelling Tool
https://www.owasp.org/index.php/Top_10
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
https://cwe.mitre.org/data/definitions/22.html
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
https://www.owasp.org/index.php/Threat_Risk_Modeling
https://www.iso.org/iso-31000-risk-management.html
https://www.iso.org/isoiec-27001-information-security.html
https://www.nist.gov/cyberframework
https://www.asd.gov.au/infosec/mitigationstrategies.htm
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://www.microsoft.com/en-us/download/details.aspx?id=49168
6
T10 OWASP Top 10Application Security Risks – 2017 Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A1:2017- Injection
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
A2:2017-Broken Authentication
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A3:2017- Sensitive Data
Exposure
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A4:2017-XML External
Entities (XXE)
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
A5:2017-Broken Access Control
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A7:2017- Cross-Site
Scripting (XSS)
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
A8:2017- Insecure
Deserialization
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
A9:2017-Using Components with Known
Vulnerabilities
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
A10:2017- Insufficient Logging & Monitoring
A6:2017-Security
Misconfiguration
App. Specific Business ?
7
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g. Hibernate Query Language (HQL)):
Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");
In both cases, the attacker modifies the ‘id’ parameter value in their browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify or delete data, or even invoke stored procedures.
Is the Application Vulnerable? An application is vulnerable to attack when:
• User-supplied data is not validated, filtered, or sanitized by the application.
• Dynamic queries or non-parameterized calls without context- aware escaping are used directly in the interpreter.
• Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
• Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections, closely followed by thorough automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs. Organizations can include static source (SAST) and dynamic application test (DAST) tools into the CI/CD pipeline to identify newly introduced injection flaws prior to production deployment.
References OWASP • OWASP Proactive Controls: Parameterize Queries
• OWASP ASVS: V5 Input Validation and Encoding
• OWASP Testing Guide: SQL Injection, Command Injection, ORM injection
• OWASP Cheat Sheet: Injection Prevention
• OWASP Cheat Sheet: SQL Injection Prevention
• OWASP Cheat Sheet: Injection Prevention in Java
• OWASP Cheat Sheet: Query Parameterization
• OWASP Automated Threats to Web Applications – OAT-014
External • CWE-77: Command Injection
• CWE-89: SQL Injection
• CWE-564: Hibernate Injection
• CWE-917: Expression Language Injection
• PortSwigger: Server-side template injection
How to Prevent Preventing injection requires keeping data separate from commands and queries.
• The preferred option is to use a safe API, which avoids the use of the interpreter entirely or provides a parameterized interface, or migrate to use Object Relational Mapping Tools (ORMs). Note: Even when parameterized, stored procedures can still introduce SQL injection if PL/SQL or T-SQL concatenates queries and data, or executes hostile data with EXECUTE IMMEDIATE or exec().
• Use positive or "whitelist" server-side input validation. This is not a complete defense as many applications require special characters, such as text areas or APIs for mobile applications.
• For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter. Note: SQL structure such as table names, column names, and so on cannot be escaped, and thus user-supplied structure names are dangerous. This is a common issue in report-writing software.
• Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
A1 :2017
Injection
Exploitability: 3 Prevalence: 2 Detectability: 3 Technical: 3
Almost any source of data can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
Injection flaws are very prevalent, particularly in legacy code. Injection vulnerabilities are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.
Injection flaws are easy to discover when examining code. Scanners and fuzzers can help attackers find injection flaws.
Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. Injection can sometimes lead to complete host takeover.
The business impact depends on the needs of the application and data.
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
https://www.owasp.org/index.php/OWASP_Proactive_Controls#2:_Parameterize_Queries
https://www.owasp.org/index.php/ASVS_V5_Input_validation_and_output_encoding
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
https://www.owasp.org/index.php/Testing_for_ORM_Injection_(OTG-INPVAL-007)
https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
https://cwe.mitre.org/data/definitions/77.html
https://cwe.mitre.org/data/definitions/89.html
https://cwe.mitre.org/data/definitions/564.html
https://cwe.mitre.org/data/definitions/917.html
https://portswigger.net/kb/issues/00101080_serversidetemplateinjection
(https:/portswigger.net/kb/issues/00101080_serversidetemplateinjection)
https://www.owasp.org/index.php/Injection_Flaws
App. Specific Business ?
8
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.
Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.
Scenario #3: Application session timeouts aren’t set properly. A user uses a public computer to access an application. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
Is the Application Vulnerable? Confirmation of the user's identity, authentication, and session management are critical to protect against authentication-related attacks.
There may be authentication weaknesses if the application:
• Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
• Permits brute force or other automated attacks.
• Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“.
• Uses weak or ineffective credential recovery and forgot- password processes, such as "knowledge-based answers", which cannot be made safe.
• Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
• Has missing or ineffective multi-factor authentication.
• Exposes Session IDs in the URL (e.g., URL rewriting).
• Does not rotate Session IDs after successful login.
• Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.
References OWASP • OWASP Proactive Controls: Implement Identity and
Authentication Controls
• OWASP ASVS: V2 Authentication, V3 Session Management
• OWASP Testing Guide: Identity, Authentication
• OWASP Cheat Sheet: Authentication
• OWASP Cheat Sheet: Credential Stuffing
• OWASP Cheat Sheet: Forgot Password
• OWASP Cheat Sheet: Session Management
• OWASP Automated Threats Handbook
External • NIST 800-63b: 5.1.1 Memorized Secrets
• CWE-287: Improper Authentication
• CWE-384: Session Fixation
How to Prevent • Where possible, implement multi-factor authentication to
prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
• Do not ship or deploy with any default credentials, particularly for admin users.
• Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
• Align password length, complexity and rotation policies with NIST 800-63 B's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence based password policies.
• Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
• Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
• Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.
A2 :2017
Broken Authentication
Exploitability: 3 Prevalence: 2 Detectability: 2 Technical: 3
Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.
The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session manage- ment is the bedrock of authentication and access controls, and is present in all stateful applications.
Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks.
Attackers have to gain access to only
a few accounts, or just one admin
account to compromise the system.
Depending on the domain of the
application, this may allow money
laundering, social security fraud, and
identity theft, or disclose legally
protected highly sensitive information.
https://www.owasp.org/index.php/Credential_stuffing
https://github.com/danielmiessler/SecLists
https://www.owasp.org/index.php/Credential_stuffing
https://www.owasp.org/index.php/OWASP_Proactive_Controls#5:_Implement_Identity_and_Authentication_Controls
http:// Authentication
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Testing_Identity_Management
https://www.owasp.org/index.php/Testing_for_authentication
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
https://www.owasp.org/index.php/Credential_Stuffing_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
https://cwe.mitre.org/data/definitions/287.html
https://cwe.mitre.org/data/definitions/384.html
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
App. Specific Business ?
9
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g. at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g. the recipient of a money transfer.
Scenario #3: The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.
Is the Application Vulnerable? The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. EU's General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:
• Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems.
• Is sensitive data stored in clear text, including backups?
• Are any old or weak cryptographic algorithms used either by default or in older code?
• Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?
• Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?
• Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?
See ASVS Crypto (V7), Data Prot (V9) and SSL/TLS (V10)
References OWASP • OWASP Proactive Controls: Protect Data
• OWASP Application Security Verification Standard (V7,9,10)
• OWASP Cheat Sheet: Transport Layer Protection
• OWASP Cheat Sheet: User Privacy Protection
• OWASP Cheat Sheets: Password and Cryptographic Storage
• OWASP Security Headers Project; Cheat Sheet: HSTS
• OWASP Testing Guide: Testing for weak cryptography
External • CWE-220: Exposure of sens. information through data queries
• CWE-310: Cryptographic Issues; CWE-311: Missing Encryption
• CWE-312: Cleartext Storage of Sensitive Information
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-326: Weak Encryption; CWE-327: Broken/Risky Crypto
• CWE-359: Exposure of Private Information (Privacy Violation)
How to Prevent Do the following, at a minimum, and consult the references:
• Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
• Apply controls as per the classification.
• Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
• Make sure to encrypt all sensitive data at rest.
• Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
• Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
• Disable caching for responses that contain sensitive data.
• Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2.
• Verify independently the effectiveness of configuration and settings.
A3 :2017
Sensitive Data Exposure
Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 3
Rather than directly attacking crypto, attackers steal keys, execute man-in- the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).
Over the last few years, this has been the most common impactful attack. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest.
Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, creden- tials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws.
https://www.owasp.org/index.php/ASVS_V7_Cryptography
https://www.owasp.org/index.php/ASVS_V9_Data_Protection
https://www.owasp.org/index.php/ASVS_V10_Communications
https://www.owasp.org/index.php/OWASP_Proactive_Controls#7:_Protect_Data
https://www.owasp.org/index.php/ASVS_V7_Cryptography
https://www.owasp.org/index.php/ASVS_V9_Data_Protection
https://www.owasp.org/index.php/ASVS_V10_Communications
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_weak_Cryptography
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/311.html
http://cwe.mitre.org/data/definitions/312.html
http://cwe.mitre.org/data/definitions/319.html
http://cwe.mitre.org/data/definitions/326.html
http://cwe.mitre.org/data/definitions/326.html
https://cwe.mitre.org/data/definitions/359.html
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://www.cryptolux.org/index.php/Argon2
https://wikipedia.org/wiki/Scrypt
https://wikipedia.org/wiki/Bcrypt
https://wikipedia.org/wiki/PBKDF2
App. Specific Business ?
10
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Numerous public XXE issues have been discovered, including
attacking embedded devices. XXE occurs in a lot of unexpected
places, including deeply nested dependencies. The easiest way
is to upload a malicious XML file, if accepted:
Scenario #1: The attacker attempts to extract data from the server:
]>
Scenario #2: An attacker probes the server's private network by changing the above ENTITY line to:
]>
Scenario #3: An attacker attempts a denial-of-service attack by including a potentially endless file:
]>
Is the Application Vulnerable? Applications and in particular XML-based web services or downstream integrations might be vulnerable to attack if:
• The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor.
• Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet 'XXE Prevention’.
• If your application uses SAML for identity processing within
federated security or single sign on (SSO) purposes. SAML
uses XML for identity assertions, and may be vulnerable.
• If the application uses SOAP prior to version 1.2, it is likely
susceptible to XXE attacks if XML entities are being passed to
the SOAP framework.
• Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack.
References OWASP • OWASP Application Security Verification Standard
• OWASP Testing Guide: Testing for XML Injection
• OWASP XXE Vulnerability
• OWASP Cheat Sheet: XXE Prevention
• OWASP Cheat Sheet: XML Security
External • CWE-611: Improper Restriction of XXE
• Billion Laughs Attack
• SAML Security XML External Entity Attack
• Detecting and exploiting XXE in SAML Interfaces
How to Prevent Developer training is essential to identify and mitigate XXE.
Besides that, preventing XXE requires:
• Whenever possible, use less complex data formats such as JSON, and avoiding serialization of sensitive data.
• Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
• Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.
• Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
• SAST tools can help detect XXE in source code, although manual code review is the best alternative in large, complex applications with many integrations.
If these controls are not possible, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks.
A4 :2017
XML External Entities (XXE)
Exploitability: 2 Prevalence: 2 Detectability: 3 Technical: 3
Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.
By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing.
SAST tools can discover this issue by inspecting dependencies and configuration. DAST tools require additional manual steps to detect and exploit this issue. Manual testers need to be trained in how to test for XXE, as it not commonly tested as of 2017.
These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
The business impact depends on the protection needs of all affected application and data.
https://www.w3schools.com/xml/xml_dtd_intro.asp
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XML_Security_Cheat_Sheet
https://cwe.mitre.org/data/definitions/611.html
http://blog.ioactive.com/2014/11/die-laughing-from-billion-laughs.html
https://secretsofappsecurity.blogspot.tw/2017/01/saml-security-xml-external-entity-attack.html
https://web-in-security.blogspot.tw/2014/11/detecting-and-exploiting-xxe-in-saml.html
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
App. Specific Business ?
11
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: The application uses unverified data in a SQL call that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery( );
An attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account.
http://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.
Is the Application Vulnerable? Access control enforces policy such that users cannot act
outside of their intended permissions. Failures typically lead to
unauthorized information disclosure, modification or destruction
of all data, or performing a business function outside of the limits
of the user. Common access control vulnerabilities include:
• Bypassing access control checks by modifying the URL,
internal application state, or the HTML page, or simply using a
custom API attack tool.
• Allowing the primary key to be changed to another users
record, permitting viewing or editing someone else's account.
• Elevation of privilege. Acting as a user without being logged in,
or acting as an admin when logged in as a user.
• Metadata manipulation, such as replaying or tampering with a
JSON Web Token (JWT) access control token or a cookie or
hidden field manipulated to elevate privileges, or abusing JWT
invalidation
• CORS misconfiguration allows unauthorized API access.
• Force browsing to authenticated pages as an unauthenticated
user or to privileged pages as a standard user. Accessing API
with missing access controls for POST, PUT and DELETE.
References OWASP • OWASP Proactive Controls: Access Controls
• OWASP Application Security Verification Standard: V4 Access Control
• OWASP Testing Guide: Authorization Testing
• OWASP Cheat Sheet: Access Control
External • CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
• CWE-284: Improper Access Control (Authorization)
• CWE-285: Improper Authorization
• CWE-639: Authorization Bypass Through User-Controlled Key
• PortSwigger: Exploiting CORS Misconfiguration
How to Prevent Access control is only effective if enforced in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.
• With the exception of public resources, deny by default.
• Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.
• Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.
• Unique application business limit requirements should be enforced by domain models.
• Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.
• Log access control failures, alert admins when appropriate (e.g. repeated failures).
• Rate limit API and controller access to minimize the harm from automated attack tooling.
• JWT tokens should be invalidated on the server after logout.
Developers and QA staff should include functional access control unit and integration tests.
A5 :2017
Broken Access Control
Exploitability: 2 Prevalence: 2 Detectability: 2 Technical: 3
Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks.
Access control weaknesses are common due to the lack of automated detection, and lack of effective functional testing by application developers.
Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc), controller, direct object references, etc.
The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record.
The business impact depends on the protection needs of the application and data.
https://www.owasp.org/index.php/OWASP_Proactive_Controls#6:_Implement_Access_Controls
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Testing_for_Authorization
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/284.html
https://cwe.mitre.org/data/definitions/285.html
https://cwe.mitre.org/data/definitions/639.html
https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
App. Specific Business ?
12
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: The application server comes with sample applications that are not removed from the production server. These sample applications have known security flaws attackers use to compromise the server. If one of these applications is the admin console, and default accounts weren’t changed the attacker logs in with default passwords and takes over.
Scenario #2: Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a serious access control flaw in the application.
Scenario #3: The application server’s configuration allows de- tailed error messages, e.g. stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
Scenario #4: A cloud service provider has default sharing permissions open to the Internet by other CSP users. This allows sensitive data stored within cloud storage to be accessed.
Is the Application Vulnerable? The application might be vulnerable if the application is:
• Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
• Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).
• Default accounts and their passwords still enabled and unchanged.
• Error handling reveals stack traces or other overly informative error messages to users.
• For upgraded systems, latest security features are disabled or not configured securely.
• The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values.
• The server does not send security headers or directives or they are not set to secure values.
• The software is out of date or vulnerable (see A9:2017-Using Components with Known Vulnerabilities).
Without a concerted, repeatable application security configuration process, systems are at a higher risk.
References OWASP • OWASP Testing Guide: Configuration Management
• OWASP Testing Guide: Testing for Error Codes
• OWASP Security Headers Project
For additional requirements in this area, see the Application Security Verification Standard V19 Configuration.
External • NIST Guide to General Server Hardening
• CWE-2: Environmental Security Flaws
• CWE-16: Configuration
• CWE-388: Error Handling
• CIS Security Configuration Guides/Benchmarks
• Amazon S3 Bucket Discovery and Enumeration
How to Prevent Secure installation processes should be implemented, including:
• A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to setup a new secure environment.
• A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
• A task to review and update the configurations appropriate to all security notes, updates and patches as part of the patch management process (see A9:2017-Using Components with Known Vulnerabilities). In particular, review cloud storage permissions (e.g. S3 bucket permissions).
• A segmented application architecture that provides effective, secure separation between components or tenants, with segmentation, containerization, or cloud security groups.
• Sending security directives to clients, e.g. Security Headers.
• An automated process to verify the effectiveness of the configurations and settings in all environments.
A6 :2017
Security Misconfiguration
Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2
Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system.
Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.
Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
The business impact depends on the protection needs of the application and data.
https://www.owasp.org/index.php/Testing_for_configuration_management
https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/ASVS_V19_Configuration
https://csrc.nist.gov/publications/detail/sp/800-123/final
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/2.html
https://cwe.mitre.org/data/definitions/16.html
https://cwe.mitre.org/data/definitions/388.html
https://www.cisecurity.org/cis-benchmarks/
https://blog.websecurify.com/2017/10/aws-s3-bucket-discovery.html
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
App. Specific Business ?
13
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenario Scenario 1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
(String) page += "";
The attacker modifies the ‘CC’ parameter in the browser to:
'>'.
This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
Note: Attackers can use XSS to defeat any automated Cross- Site Request Forgery ( CSRF) defense the application might employ.
Is the Application Vulnerable? There are three forms of XSS, usually targeting users' browsers:
Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically the user will need to interact with some malicious link that points to an attacker- controlled page, such as malicious watering hole websites, advertisements, or similar.
Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.
DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.
References OWASP • OWASP Proactive Controls: Encode Data
• OWASP Proactive Controls: Validate Data
• OWASP Application Security Verification Standard: V5
• OWASP Testing Guide: Testing for Reflected XSS
• OWASP Testing Guide: Testing for Stored XSS
• OWASP Testing Guide: Testing for DOM XSS
• OWASP Cheat Sheet: XSS Prevention
• OWASP Cheat Sheet: DOM based XSS Prevention
• OWASP Cheat Sheet: XSS Filter Evasion
• OWASP Java Encoder Project
External • CWE-79: Improper neutralization of user supplied input
• PortSwigger: Client-side template injection
How to Prevent Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:
• Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
• Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
• Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs as described in the OWASP Cheat Sheet 'DOM based XSS Prevention'.
• Enabling a Content Security Policy (CSP) is a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks).
A7 :2017
Cross-Site Scripting (XSS)
Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2
Automated tools can detect and exploit all three forms of XSS, and there are freely available exploitation frameworks.
XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications.
Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET.
The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim.
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Proactive_Controls_2016
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Proactive_Controls_2016
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
https://cwe.mitre.org/data/definitions/79.html
https://portswigger.net/kb/issues/00200308_clientsidetemplateinjection
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
App. Specific Business ?
14
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Is the Application Vulnerable? Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.
This can result in two primary types of attacks:
• Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
• Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed.
Serialization may be used in applications for:
• Remote- and inter-process communication (RPC/IPC)
• Wire protocols, web services, message brokers
• Caching/Persistence
• Databases, cache servers, file systems
• HTTP cookies, HTML form parameters, API authentication tokens
Example Attack Scenarios Scenario #1: A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing user state and passing it back and forth with each request. An attacker notices the "R00" Java object signature, and uses the Java Serial Killer tool to gain remote code execution on the application server.
Scenario #2: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves
admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
References OWASP • OWASP Cheat Sheet: Deserialization
• OWASP Proactive Controls: Validate All Inputs
• OWASP Application Security Verification Standard
• OWASP AppSecEU 2016: Surviving the Java Deserialization Apocalypse
• OWASP AppSecUSA 2017: Friday the 13th JSON Attacks
External • CWE-502: Deserialization of Untrusted Data
• Java Unmarshaller Security
• OWASP AppSec Cali 2015: Marshalling Pickles
How to Prevent The only safe architectural pattern is not to accept serialized
objects from untrusted sources or to use serialization mediums
that only permit primitive data types.
If that is not possible, consider one of more of the following:
• Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
• Enforcing strict type constraints during deserialization before object creation as the code typically expects a definable set of classes. Bypasses to this technique have been demonstrated, so reliance solely on this is not advisable.
• Isolating and running code that deserializes in low privilege environments when possible.
• Logging deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions.
• Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
• Monitoring deserialization, alerting if a user deserializes constantly.
A8 :2017
Insecure Deserialization
Exploitability: 1 Prevalence: 2 Detectability: 2 Technical: 3
Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or tweaks to the underlying exploit code.
This issue is included in the Top 10 based on an industry survey and not on quantifiable data.
Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem. It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it.
The impact of deserialization flaws cannot be understated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible.
The business impact depends on the protection needs of the application and data.
https://www.owasp.org/index.php/Deserialization_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Proactive_Controls#4:_Validate_All_Inputs
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://speakerdeck.com/pwntester/surviving-the-java-deserialization-apocalypse
https://speakerdeck.com/pwntester/friday-the-13th-json-attacks
https://cwe.mitre.org/data/definitions/502.html
https://github.com/mbechler/marshalsec
http://frohoff.github.io/appseccali-marshalling-pickles/
https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html
App. Specific Business ?
15
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: Components typically run with the same privileges
as the application itself, so flaws in any component can result in
serious impact. Such flaws can be accidental (e.g. coding error)
or intentional (e.g. backdoor in component). Some example
exploitable component vulnerabilities discovered are:
• CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables execution of arbitrary code on the server, has been blamed for significant breaches.
• While internet of things (IoT) are frequently difficult or impossible to patch, the importance of patching them can be great (e.g. biomedical devices).
There are automated tools to help attackers find unpatched or
misconfigured systems. For example, the Shodan IoT search
engine can help you find devices that still suffer from
the Heartbleed vulnerability that was patched in April 2014.
Is the Application Vulnerable? You are likely vulnerable:
• If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.
• If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.
• If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.
• If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.
• If software developers do not test the compatibility of updated, upgraded, or patched libraries.
• If you do not secure the components' configurations (see A6:2017-Security Misconfiguration).
References OWASP • OWASP Application Security Verification Standard: V1
Architecture, design and threat modelling
• OWASP Dependency Check (for Java and .NET libraries)
• OWASP Testing Guide: Map Application Architecture (OTG- INFO-010)
• OWASP Virtual Patching Best Practices
External • The Unfortunate Reality of Insecure Libraries
• MITRE Common Vulnerabilities and Exposures (CVE) search
• National Vulnerability Database (NVD)
• Retire.js for detecting known vulnerable JavaScript libraries
• Node Libraries Security Advisories
• Ruby Libraries Security Advisory Database and Tools
How to Prevent There should be a patch management process in place to:
• Remove unused dependencies, unnecessary features, components, files, and documentation.
• Continuously inventory the versions of both client-side and server-side components (e.g. frameworks, libraries) and their dependencies using tools like versions, DependencyCheck, retire.js, etc. Continuously monitor sources like CVE and NVD for vulnerabilities in the components. Use software composition analysis tools to automate the process. Subscribe to email alerts for security vulnerabilities related to components you use.
• Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.
• Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
Every organization must ensure that there is an ongoing plan for
monitoring, triaging, and applying updates or configuration
changes for the lifetime of the application or portfolio.
A9 :2017
Using Components with Known Vulnerabilities
Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 2
While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit.
Prevalence of this issue is very widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date.
Some scanners such as retire.js help in detection, but determining exploitability requires additional effort.
While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components. Depending on the assets you are protecting, perhaps this risk should be at the top of the list.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
https://en.wikipedia.org/wiki/Internet_of_things
https://www.shodan.io/report/89bnfUyJ
https://en.wikipedia.org/wiki/Heartbleed
https://www.owasp.org/index.php/ASVS_V1_Architecture
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://www.owasp.org/index.php/Map_Application_Architecture_(OTG-INFO-010)
https://www.owasp.org/index.php/Virtual_Patching_Best_Practices
https://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries
https://www.cvedetails.com/version-search.php
https://nvd.nist.gov/
https://github.com/retirejs/retire.js/
https://nodesecurity.io/advisories
https://rubysec.com/
http://www.mojohaus.org/versions-maven-plugin/
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://github.com/retirejs/retire.js/
https://cve.mitre.org/
https://nvd.nist.gov/
https://www.owasp.org/index.php/Virtual_Patching_Best_Practices#What_is_a_Virtual_Patch.3F
App. Specific Business ?
16
Impacts Threat
Agents Attack
Vectors
Security
Weakness
Example Attack Scenarios Scenario #1: An open source project forum software run by a small team was hacked using a flaw in its software. The attackers managed to wipe out the internal source code repository containing the next version, and all of the forum contents. Although source could be recovered, the lack of monitoring, logging or alerting led to a far worse breach. The forum software project is no longer active as a result of this issue.
Scenario #2: An attacker uses scans for users using a common password. They can take over all accounts using this password. For all other users, this scan leaves only one false login behind. After some days, this may be repeated with a different password.
Scenario #3: A major US retailer reportedly had an internal malware analysis sandbox analyzing attachments. The sandbox software had detected potentially unwanted software, but no one responded to this detection. The sandbox had been producing warnings for some time before the breach was detected due to fraudulent card transactions by an external bank.
Is the Application Vulnerable? Insufficient logging, detection, monitoring and active response occurs any time:
• Auditable events, such as logins, failed logins, and high-value transactions are not logged.
• Warnings and errors generate no, inadequate, or unclear log messages.
• Logs of applications and APIs are not monitored for suspicious activity.
• Logs are only stored locally.
• Appropriate alerting thresholds and response escalation processes are not in place or effective.
• Penetration testing and scans by DAST tools (such as OWASP ZAP) do not trigger alerts.
• The application is unable to detect, escalate, or alert for active attacks in real time or near real time.
You are vulnerable to information leakage if you make logging and alerting events visible to a user or an attacker (see A3:2017- Sensitive Information Exposure).
References OWASP • OWASP Proactive Controls: Implement Logging and Intrusion
Detection
• OWASP Application Security Verification Standard: V8 Logging and Monitoring
• OWASP Testing Guide: Testing for Detailed Error Code
• OWASP Cheat Sheet: Logging
External • CWE-223: Omission of Security-relevant Information
• CWE-778: Insufficient Logging
How to Prevent As per the risk of the data stored or processed by the application:
• Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis.
• Ensure that logs are generated in a format that can be easily consumed by a centralized log management solutions.
• Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
• Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
• Establish or adopt an incident response and recovery plan, such as NIST 800-61 rev 2 or later.
There are commercial and open source application protection frameworks such as OWASP AppSensor, web application firewalls such as ModSecurity with the OWASP ModSecurity Core Rule Set, and log correlation software with custom dashboards and alerting.
A10 :2017
Insufficient Logging & Monitoring
Exploitability: 2 Prevalence: 3 Detectability: 1 Technical: 2
Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident.
Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.
This issue is included in the Top 10 based on an industry survey.
One strategy for determining if you have sufficient monitoring is to examine the logs following penetration testing. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted.
Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to nearly 100%.
In 2016, identifying a breach took an average of 191 days – plenty of time for damage to be inflicted.
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/OWASP_Proactive_Controls#8:_Implement_Logging_and_Intrusion_Detection
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
https://www.owasp.org/index.php/Logging_Cheat_Sheet
https://cwe.mitre.org/data/definitions/223.html
https://cwe.mitre.org/data/definitions/778.html
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
https://www.owasp.org/index.php/OWASP_AppSensor_Project
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html
https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&
17
Establish & Use Repeatable Security Processes and Standard Security Controls
Whether you are new to web application security or already very familiar with these risks, the task of producing a secure web
application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this task can be
daunting.
To help organizations and developers reduce their application security risks in a cost-effective manner, OWASP has
produced numerous free and open resources that you can use to address application security in your organization. The
following are some of the many resources OWASP has produced to help organizations produce secure web applications and
APIs. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of
their applications and APIs.
There are numerous additional OWASP resources available for your use. Please visit the OWASP Projects page, which lists all the
Flagship, Labs, and Incubator projects in the OWASP project inventory. Most OWASP resources are available on our wiki, and
many OWASP documents can be ordered in hardcopy or as eBooks.
To produce a secure web application, you must define what secure means for that application. OWASP recommends you use the OWASP Application Security Verification Standard (ASVS) as a guide for setting the security requirements for your application(s). If you’re outsourcing, consider the OWASP Secure Software Contract Annex. Note: The annex is for US contract law, so please consult qualified legal advice before using the sample annex.
Rather than retrofitting security into your applications and APIs, it is far more cost effective to design the security in from the start. OWASP recommends the OWASP Prevention Cheat Sheets as a good starting point for guidance on how to design security in from the beginning.
Application Security
Architecture
Building strong and usable security controls is difficult. Using a set of standard security controls radically simplifies the development of secure applications and APIs. The OWASP Proactive Controls is a good starting point for developers, and many modern frameworks now come with standard and effective security controls for authorization, validation, CSRF prevention, etc.
Standard Security Controls
To improve the process your organization follows when building applications and APIs, OWASP recommends the OWASP Software Assurance Maturity Model (SAMM). This model helps organizations formulate and implement a strategy for software security that is tailored to the specific risks facing their organization.
The OWASP Education Project provides training materials to help educate developers on web application security. For hands-on learning about vulnerabilities, try OWASP WebGoat, WebGoat.NET, OWASP NodeJS Goat, OWASP Juice Shop Project or the OWASP Broken Web Applications Project. To stay current, come to an OWASP AppSec Conference, OWASP Conference Training, or local OWASP Chapter meetings.
Application Security
Education
+D What’s Next for Developers
Application
Security
Requirements
Secure Development
Lifecycle
https://www.owasp.org/index.php/Projects
https://www.owasp.org/
http://stores.lulu.com/owasp
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
https://www.owasp.org/index.php/OWASP_Proactive_Controls
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET
https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
https://www.owasp.org/index.php/Category:OWASP_Chapter
18
Establish Continuous Application Security Testing
Building code securely is important. But it’s critical to verify that the security you intended to build is actually present, correctly
implemented, and used everywhere it is supposed to be. The goal of application security testing is to provide this evidence.
The work is difficult and complex, and modern high-speed development processes like Agile and DevOps have put extreme
pressure on traditional approaches and tools. So we strongly encourage you to put some thought into how you are going to
focus on what’s important across your entire application portfolio, and do it cost-effectively.
Modern risks move quickly, so the days of scanning or penetration testing an application for vulnerabilities once every year or
so are long gone. Modern software development requires continuous application security testing across the entire software
development lifecycle. Look to enhance existing development pipelines with security automation that doesn’t slow
development. Whatever approach you choose, consider the annual cost to test, triage, remediate, retest, and redeploy a
single application, multiplied by the size of your application portfolio.
+T What’s Next for Security Testers
Before you start testing, be sure you understand what’s important to spend time on. Priorities come from the threat model, so if you don’t have one, you need to create one before testing. Consider using OWASP ASVS and the OWASP Testing Guide as an input and don’t rely on tool vendors to decide what’s important for your business.
Your approach to application security testing must be highly compatible with the people, processes, and tools you use in your software development lifecycle (SDLC). Attempts to force extra steps, gates, and reviews are likely to cause friction, get bypassed, and struggle to scale. Look for natural opportunities to gather security information and feed it back into your process.
Choose the simplest, fastest, most accurate technique to verify each requirement. The OWASP Security Knowledge Framework and OWASP Application Security Verification Standard can be great sources of functional and nonfunctional security requirements in your unit and integration testing. Be sure to consider the human resources required to deal with false positives from the use of automated tooling, as well as the serious dangers of false negatives.
Testing Strategies
You don’t have to start out testing everything. Focus on what’s important and expand your verification program over time. That means expanding the set of security defenses and risks that are being automatically verified as well as expanding the set of applications and APIs being covered. The goal is to achieve a state where the essential security of all your applications and APIs is verified continuously.
Achieving Coverage
and Accuracy
No matter how good you are at testing, it won’t make any difference unless you communicate it effectively. Build trust by showing you understand how the application works. Describe clearly how it can be abused without “lingo” and include an attack scenario to make it real. Make a realistic estimation of how hard the vulnerability is to discover and exploit, and how bad that would be. Finally, deliver findings in the tools development teams are already using, not PDF files.
Understand
the Threat
Model
Understand
Your
SDLC
Clearly
Communicate
Findings
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/OWASP_Testing_Project
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
https://www.owasp.org/index.php/ASVS
19
Start Your Application Security Program Now
Application security is no longer optional. Between increasing attacks and regulatory pressures, organizations must establish
effective processes and capabilities for securing their applications and APIs. Given the staggering amount of code in the
numerous applications and APIs already in production, many organizations are struggling to get a handle on the enormous
volume of vulnerabilities.
OWASP recommends organizations establish an application security program to gain insight and improve security across
their applications and APIs. Achieving application security requires many different parts of an organization to work together
| Writer | Writer Name | Amount | Client Comments & Rating |
|---|---|---|---|
ONLINE |
Instant Homework Helper |
$36 |
She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up! |
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
| Writer | Writer Name | Offer | Chat |
|---|---|---|---|
ONLINE |
Top Class EngineersI will provide you with the well organized and well research papers from different primary and secondary sources will write the content that will support your points. |
$33 | Chat With Writer |
ONLINE |
Finance Homework HelpBeing a Ph.D. in the Business field, I have been doing academic writing for the past 7 years and have a good command over writing research papers, essay, dissertations and all kinds of academic writing and proofreading. |
$33 | Chat With Writer |
ONLINE |
Coursework Assignment HelpAs per my knowledge I can assist you in writing a perfect Planning, Marketing Research, Business Pitches, Business Proposals, Business Feasibility Reports and Content within your given deadline and budget. |
$37 | Chat With Writer |
ONLINE |
Homework GuruI have read your project description carefully and you will get plagiarism free writing according to your requirements. Thank You |
$41 | Chat With Writer |
ONLINE |
Writing FactoryI have assisted scholars, business persons, startups, entrepreneurs, marketers, managers etc in their, pitches, presentations, market research, business plans etc. |
$32 | Chat With Writer |
ONLINE |
Finance ProfessorAs an experienced writer, I have extensive experience in business writing, report writing, business profile writing, writing business reports and business plans for my clients. |
$27 | Chat With Writer |
Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.