
How should enterprises use the OWASP Top Ten list?

The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web application security. Here's how to get the most out of the OWASP Top Ten.

I saw a recent study that reported the failure of government to be OWASP compliant. What does full OWASP compliance entail? And how should a government agency go about becoming OWASP compliant?

First, one point of clarification: the Open Web Application Security Project (OWASP) is not a compliance program, and there is no such thing as being "OWASP certified." It is a community effort to build a set of best practices for securing Web applications. Its best-known initiative is the publication of the OWASP Top Ten list of the most common and most serious Web application security flaws. Organizations around the world use this list as a starting point for their Web application security efforts.

Government agencies -- or any organization, for that matter -- seeking to improve their Web application security can turn to the OWASP Top Ten list as both an educational reference and a vulnerability checklist. The current list, published in 2013, includes these 10 vulnerability categories:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access control
  8. Cross-site request forgery
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards

As you can see, the OWASP Top Ten list is not compliance-oriented. Rather, it is a list of things that can go wrong. Organizations seeking to use this list might incorporate it into their developer education programs to ensure that anyone touching Web applications understands the most common security mistakes that developers make and knows how to correct them. Security teams often use this list as a checklist for vulnerability assessments, scouring new and modified apps for these issues. In fact, many automated vulnerability scanners can generate reports specifically tailored to this list. Bear in mind, though, that scanners only find part of the list: items such as insecure direct object references and missing function level access control depend on the application's own business logic, so they usually need manual testing or code review to catch.
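To make three of the categories above concrete, here is an added example (not code from the page or from OWASP) that puts a vulnerable function next to its hardened form for injection (A1), insecure direct object references (A4) and unvalidated redirects (A10). It uses Python's built-in sqlite3 module with an in-memory database; the table layout, user names and note contents are constructed for the example, and the function names are hypothetical.

```python
import sqlite3
from urllib.parse import urlsplit


# Constructed sample data for this example (not from the page): two users,
# each owning one private note.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                     [(10, 1, "alice's note"), (11, 2, "bob's secret")])
    conn.commit()
    return conn


# A1 Injection: user input spliced into the SQL string becomes part of the query.
def find_user_vulnerable(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


# Hardened: the driver binds the value, so input can never change the query's shape.
def find_user_safe(conn, username):
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A4 Insecure direct object reference: anyone who guesses a note id can read it.
def get_note_vulnerable(conn, note_id):
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


# Hardened: the lookup is scoped to objects owned by the authenticated user.
def get_note_safe(conn, current_user_id, note_id):
    row = conn.execute("SELECT body FROM notes WHERE id = ? AND owner_id = ?",
                       (note_id, current_user_id)).fetchone()
    return row[0] if row else None


# A10 Unvalidated redirects: accept only same-site paths or allowlisted hosts.
def is_safe_redirect(target, allowed_hosts):
    if "\\" in target:  # browsers may treat a backslash as a slash
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A site-relative path; "///host" style inputs are rejected here.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL (including protocol-relative "//host"): scheme and host must match.
    return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts


def demo():
    conn = build_db()
    payload = "x' OR '1'='1"  # classic tautology payload
    return {
        "injection_rows_vulnerable": len(find_user_vulnerable(conn, payload)),  # 2: every user
        "injection_rows_safe": len(find_user_safe(conn, payload)),              # 0: no such name
        "idor_leak": get_note_vulnerable(conn, 11),       # alice (id 1) reads bob's note
        "idor_blocked": get_note_safe(conn, 1, 11),       # None: not her object
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    for target in ("/account", "//evil.example/", "https://app.example/x", "javascript:alert(1)"):
        print(target, is_safe_redirect(target, {"app.example"}))
```

The pattern is the same in each pair: the vulnerable version trusts something the client controls (a query fragment, an object id, a redirect target), and the hardened version either binds it as data or checks it against what the current user is actually allowed to reach. A scanner will readily flag the first pair; the second depends on knowing who owns note 11, which is why access-control items on the list need a human with knowledge of the application.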

The OWASP Top Ten list may not be a compliance program, per se, but it is a valuable reference for Web application developers and information security professionals.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


Does your organization use the OWASP Top Ten list to help improve Web application security?
Yes, we do use OWASP to help us identify and cover open and known vulnerabilities in web applications, especially those developed in-house and those contracted to third parties, before they are launched to the production environment. This is not a compliance issue but rather a checklist to identify already known/common weaknesses in web applications. Compliance most of the time incurs penalties, but OWASP doesn't, thus I agree with the topic mover.
