I saw a recent study that reported the failure of government to be OWASP compliant. What does full OWASP compliance entail? And how should a government agency go about becoming OWASP compliant?
First, one point of clarification: the Open Web Application Security Project (OWASP) is not a compliance program. It is a community effort to build a set of best practices for securing Web applications. Its most well-known initiative is the publication of the OWASP Top Ten list of common Web application security flaws. Organizations around the world use this list as a starting point for their Web application security efforts.
Government agencies -- or any organization, for that matter -- seeking to improve their Web application security can turn to the OWASP Top Ten list as both an educational reference and a vulnerability checklist. The current list, published in 2013, includes these 10 vulnerabilities:
- Injection
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site request forgery
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
As you can see, the OWASP Top Ten list is not compliance-oriented. Rather, it is a list of things that can go wrong. Organizations seeking to use this list might incorporate it into their developer education programs to ensure that anyone touching Web applications understands the most common security mistakes that developers make and knows how to correct them. Security teams often use this list as a checklist for vulnerability assessments, scouring new and modified apps for these issues. In fact, many automated vulnerability scanners allow the generation of reports specifically tailored to this list.
The OWASP Top Ten list may not be a compliance program, per se, but it is a valuable reference for Web application developers and information security professionals.
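As an added illustration of one checklist item (unvalidated redirects and forwards), not code from the answer above: the trusting pattern a reviewer would flag sits beside a validating version that only honours redirect targets on the site's own host. The origin, allowed host and fallback page are constructed placeholders.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample values for the example: the site's own origin and a
# fixed landing page used whenever a redirect target fails validation.
OWN_ORIGIN = "https://portal.example.gov/"
ALLOWED_HOSTS = {"portal.example.gov"}
FALLBACK = "/home"


def redirect_unvalidated(next_param: str) -> str:
    """Vulnerable pattern: the 'next' parameter is trusted as-is, so a crafted
    link can bounce a visitor through this trusted site to an arbitrary host."""
    return next_param


def redirect_validated(next_param: str) -> str:
    """Hardened pattern: resolve the parameter against our own origin and only
    honour it when the result stays on an allowed host over http(s)."""
    candidate = urljoin(OWN_ORIGIN, next_param.strip())
    parts = urlparse(candidate)
    # Scheme check rejects javascript:, data: and other non-web schemes.
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # .hostname strips userinfo and port and lowercases, so a value such as
    # "https://portal.example.gov@evil.example/" resolves to evil.example.
    if parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    return candidate


def check_targets(targets):
    """Run both patterns over a list of targets; returns (target, unsafe, safe)."""
    return [(t, redirect_unvalidated(t), redirect_validated(t)) for t in targets]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate in-site path, then the common
    # shapes a vulnerability assessment checks for under this list item.
    samples = [
        "/account/settings",
        "https://evil.example/phish",
        "//evil.example/phish",
        "https://portal.example.gov@evil.example/",
        "javascript:alert(1)",
    ]
    for target, unsafe, safe in check_targets(samples):
        print(f"{target!r:45} unsafe -> {unsafe!r:45} safe -> {safe!r}")
```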
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)