The OWASP (Open Web Application Security Project) Top Ten represents a consensus of the most critical security risks to web applications. Chris Wysopal, Veracode CTO, shares his insights on how developers can use this resource to minimize vulnerabilities in their products.
Why is the OWASP Top 10 important to developers?
Wysopal: The OWASP Top 10 is intended to build awareness around the most common vulnerabilities hackers are exploiting to attack applications. Remaining fully aware and staying up to date with these risks is crucial for developers to help ensure their software is as secure as possible. By understanding the vulnerabilities that are rampant in software, developers are taking the first step in reducing risk. This list serves as a guide for developers to mitigate against attackers looking to plant malware, steal data, or completely take over computers or servers.
What are the most common security risks related to current threats?
Wysopal: The security risks outlined by the OWASP Top 10 are the flaws that are so severe that no web application should be made public without clear evidence that the software does not contain them. Some of these flaws are more common than others, but generally speaking, they are all prevalent. SQL injection flaws come to mind here. SQL injection flaws, which occur when applications use untrusted data as part of a database query, are found in about one in three applications. In Veracode’s most recent State of Software Security Report, data shows information leakage, cryptographic issues, and code quality issues as the top three most prevalent flaw types. Cross-Site Scripting is another threat to be wary of, with data showing highly exploitable Cross-Site Scripting flaws in nearly 49 percent of applications. SQL injection flaws showed up in almost 28 percent of tested software.
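To make the two flaw classes named above concrete, here is an added example (illustration code, not from the interview, Veracode, or OWASP) that runs against a constructed in-memory SQLite table. It shows the mechanism the answer describes for SQL injection, untrusted data spliced into the query text so that it can change the query's structure, next to the parameterized form where the value can only be compared as data, and does the same for Cross-Site Scripting by contrasting raw string interpolation into HTML with output encoding. The table, rows, and inputs are all constructed for the demonstration.

```python
"""Added example: untrusted data in a SQL query and in HTML output.

Vulnerable and fixed versions sit side by side; the database schema,
rows and test inputs below are constructed sample data, not real data.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is pasted into the SQL text, so the
    input is parsed as part of the query and can alter its logic."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the query text is constant and the value is bound as a
    parameter, so the database only ever treats it as a string to compare."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted text is interpolated straight into HTML, so any
    markup characters it contains become part of the page's structure."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Fixed: HTML-significant characters are encoded for the output context,
    so the browser renders the text literally."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs on a benign input and on a structure-changing input."""
    conn = build_db()
    # Constructed input that closes the quoted literal and appends a
    # tautology; harmless to the parameterized query.
    tautology = "' OR '1'='1"
    markup = '<b>"x" & y</b>'
    return {
        "benign_unsafe": lookup_user_unsafe(conn, "alice"),
        "benign_safe": lookup_user_safe(conn, "alice"),
        "tautology_unsafe": lookup_user_unsafe(conn, tautology),
        "tautology_safe": lookup_user_safe(conn, tautology),
        "markup_unsafe": render_greeting_unsafe(markup),
        "markup_safe": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The string-built query returns every row for the tautology input because the input rewrote the WHERE clause; the parameterized query returns nothing because no username equals that literal string. The same pattern, trust boundary plus context-appropriate encoding, is what the scanner-driven remediation the interview recommends is meant to enforce.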
What can developers do to make sure their applications don’t contain vulnerabilities?
Wysopal: Web application attacks are the most frequent pattern in confirmed breaches, according to the 2018 Verizon Data Breach Investigations Report. Setting policies based on eliminating OWASP Top 10 vulnerabilities is an excellent starting point – these vulnerabilities are widely accepted as the most likely to be exploited, and remediating them will greatly decrease your risk of breach. Attackers will continue targeting the application layer, so developers should be armed with tools that integrate security seamlessly into software development and eliminate vulnerabilities at the most efficient and effective points in the development/deployment chain. For example, Veracode Greenlight works within the IDE to Using a combination of methods like this can help in securing the entire application landscape, and each application throughout its lifecycle.
What are some of the biggest mistakes you see developers make?
Wysopal: There is a lot of room for improvement in application security. Veracode’s 2018 State of Software Security found that the rate of OWASP compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates only reaching 22.5 percent. One of the most common problems across industries is a lack of education offered to developers on secure coding practices. Developers should seek out the secure coding courses made available by application security vendors. True application security is not simply scanning for flaws, but learning how to prioritize and fix the flaws that are found.
Please provide any additional advice our readers would find valuable.
Wysopal: Organizations should establish and use repeatable security processes and standard security controls, and establish risk-based policies, training and support for developers. Organizations should also test applications continuously, as research shows more frequent scanning results in fixing flaws faster over time. Development teams should follow a secure development lifecycle that includes security from the start and pursue educational courses on secure coding. It’s worth noting that different OWASP Top 10 flaws can be more prevalent in varying industries. Organizations can consider this information to focus on the most pressing risks facing their particular sector. This will allow for better prioritization of fixing flaws.