
How should enterprises use the OWASP Top Ten list?

The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get the most out of OWASP Top Ten.

I saw a recent study that reported the failure of government to be OWASP compliant. What does full OWASP compliance entail? And how should a government agency go about becoming OWASP compliant?

First, one point of clarification: the Open Web Application Security Project (OWASP) is not a compliance program. It is a community effort to build a set of best practices for securing Web applications. Its most well-known initiative is the publication of the OWASP Top Ten list of common Web application security flaws. Organizations around the world use this list as a starting point for their Web application security efforts.

Government agencies -- or any organization, for that matter -- seeking to improve their Web application security can turn to the OWASP Top Ten list as both an educational reference and a vulnerability checklist. The current list, published in 2013, includes these 10 vulnerabilities:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards

As you can see, the OWASP Top Ten list is not compliance-oriented. Rather, it is a list of things that can go wrong. Organizations seeking to use this list might incorporate it into their developer education programs to ensure that anyone touching Web applications understands the most common security mistakes that developers make and knows how to correct them. Security teams often use this list as a checklist for vulnerability assessments, scouring new and modified apps for these issues. In fact, many automated vulnerability scanners allow the generation of reports specifically tailored to this list.

The OWASP Top Ten list may not be a compliance program, per se, but it is a valuable reference for Web application developers and information security professionals.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


This was last published in November 2015
