I saw a recent study that reported the failure of government to be OWASP compliant. What does full OWASP compliance entail? And how should a government agency go about becoming OWASP compliant?
First, one point of clarification: the Open Web Application Security Project (OWASP) is not a compliance program. It is a community effort to build a set of best practices for securing Web applications. Its most well-known initiative is the publication of the OWASP Top Ten list of common Web application security flaws. Organizations around the world use this list as a starting point for their Web application security efforts.
Government agencies -- or any organization, for that matter -- seeking to improve their Web application security can turn to the OWASP Top Ten list as both an educational reference and a vulnerability checklist. The current list, published in 2013, includes these 10 vulnerability categories:
- Injection
- Broken authentication and session management
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross-site request forgery
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
As you can see, the OWASP Top Ten list is not compliance-oriented. Rather, it is a list of things that can go wrong. Organizations seeking to use this list might incorporate it into their developer education programs to ensure that anyone touching Web applications understands the most common security mistakes that developers make and knows how to correct them. Security teams often use this list as a checklist for vulnerability assessments, scouring new and modified apps for these issues. In fact, many automated vulnerability scanners can generate reports mapped to the list's categories. Bear in mind, though, that scanners reliably find only some of the categories; logic flaws such as missing function level access control and insecure direct object references generally require manual testing by someone who knows the application's roles and data.
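To make the "knows how to correct them" point concrete, here is an added example for one category from the list, unvalidated redirects and forwards. It is not code from the original article or from OWASP; the site origin and the two function names are assumptions for illustration. The vulnerable version hands a user-supplied `next` parameter straight to the redirect, so a login link can send a user to an attacker's site after authenticating. The hardened version resolves the target against the site's own origin and returns only a root-relative path.

```python
from urllib.parse import urljoin, urlparse

# Assumed origin of the application, used to resolve relative targets.
SITE_ORIGIN = "https://agency.example.gov"


def unsafe_redirect_target(next_url: str) -> str:
    """Vulnerable form (OWASP 2013 A10): trusts the 'next' parameter as-is.

    A link such as /login?next=https://evil.example/phish lands the user on
    the attacker's page after a successful login.
    """
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Hardened form: allow only same-origin targets, returned as a local path."""
    if not next_url:
        return default

    # Browsers treat backslashes as slashes and strip some control characters;
    # reject them outright rather than trying to normalize.
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return default

    # Resolve against our origin so that "//evil.example/x",
    # "https://evil.example/x" and "account" all end up with an explicit host.
    resolved = urlparse(urljoin(SITE_ORIGIN, next_url))
    origin = urlparse(SITE_ORIGIN)

    # Non-http schemes (javascript:, data:) and foreign hosts, including
    # "agency.example.gov@evil.example" and "agency.example.gov.evil.example",
    # fail this comparison.
    if resolved.scheme != origin.scheme or resolved.netloc != origin.netloc:
        return default

    # Re-emit a root-relative path so no scheme or host reaches the Location header.
    path = resolved.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return path + ("?" + resolved.query if resolved.query else "")


if __name__ == "__main__":
    # Constructed sample inputs a scanner or a manual tester would try.
    for candidate in ["/account", "//evil.example/phish",
                      "https://evil.example/phish", "javascript:alert(1)",
                      "/\\evil.example", "https://agency.example.gov/reports?year=2013"]:
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)!r}")
```

The same `urljoin`-then-compare pattern covers forwards as well as redirects: resolve whatever the user supplied, compare the resulting scheme and host to your own, and never echo the original string back into the response.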
The OWASP Top Ten list may not be a compliance program, per se, but it is a valuable reference for Web application developers and information security professionals.
Ask the Expert: Mike Chapple