OWASP Top 10 Compliance with Parasoft



What is OWASP Top 10?

The Open Web Application Security Project (OWASP) is an open-source community of security experts from around the world who share their expertise in vulnerabilities, threats, attacks, and countermeasures. Its best-known output is the OWASP Top Ten, a list of the 10 most dangerous current web application security flaws together with effective methods of dealing with them. Adopting the OWASP Top 10 is an effective first step toward changing the software development culture within your organization into one that produces secure code.

Enforcing OWASP Top 10 Compliance with Static Analysis

Parasoft's static analysis solutions provide more support for OWASP than any other source code analysis tool, helping teams achieve DevSecOps by enforcing security from the very start of development.

As shown to the right, Parasoft's realtime feedback gives users a continuous view of OWASP compliance through interactive compliance dashboards, widgets, and reports that implement the OWASP risk assessment framework directly within the dashboard. The framework scores each finding on exploitability, prevalence in the field, detectability (the likelihood that someone finds it), and impact (what happens when it fails), and organizes these factors into a matrix so users can prioritize without manual triage.


How Parasoft Helps Achieve OWASP Compliance

Parasoft's comprehensive support for the OWASP Top 10 helps users achieve DevSecOps by enforcing security from the start of development. With Parasoft, you get:

  • Out-of-the-box policy / test configurations that are fully configurable.
  • Execution from within the IDE and via the CI/CD process, so vulnerabilities are located earlier in the SDLC.
  • Guidance on how to fix the vulnerabilities with supported documentation and training material.
  • Compliance dashboards, widgets, and reports that implement the OWASP risk assessment framework.
  • Application vulnerability correlation (AVC) with real-time compliance metrics that show how well you are doing at achieving compliance with OWASP.

The OWASP Top 10 covers the following categories:

Each entry below gives the rank and security risk, what the attacker will do, and the attack impact.

1. Injection

Attacker will: Send untrusted, text-based data to exploit the syntax of a targeted interpreter via:

  • SQL, LDAP, XPath, or NoSQL queries
  • OS commands
  • XML parsers
  • SMTP headers
  • Expression languages

Attack impact:

  • Corruption or loss of data
  • Access denial
  • Host takeover
2. Broken Authentication and Session Management

Attacker will: Use leaks or flaws in authentication or session management, such as exposed:

  • Accounts
  • Passwords
  • Session IDs

Attack impact:

  • Hijack credentials granted to an authorized user
  • Impersonate an authorized user

Note: Privileged users are often targeted.

3. Cross-Site Scripting (XSS)

Attacker will: Send untrusted, text-based scripts via user-supplied input that is added to HTML output without context-sensitive escaping, so that the victim's browser executes them.

Attack impact:

  • Hijack user session or browser
  • Deface websites
  • Insert malicious content
  • Redirect users to malicious sites
4. Broken Access Control

Attacker will: Change a parameter value to reach a resource they are not authorized to access.

Attack impact:

  • Compromise accessed functionality or data
  • Exfiltrate data
5. Security Misconfiguration

Attacker will: Access default accounts, unused pages, unpatched flaws, and unprotected files and directories.

Attack impact:

  • Unauthorized access to functionality or data
  • Compromise functionality or data
6. Sensitive Data Exposure

Attacker will:

  • Steal authorized user credentials
  • Conduct man-in-the-middle attacks
  • Steal clear-text data off the server, while in transit, or from the user's browser

Attack impact:

  • Compromise integrity and privacy of sensitive data
7. Insufficient Attack Protection

Attacker will:

  • Scan and probe for detection and prevention weaknesses in applications and APIs
  • Exploit discovered weaknesses

Attack impact:

  • Compromise functionality and data
8. Cross-Site Request Forgery (CSRF)

Attacker will: Create forged HTTP requests and trick the user into submitting them via:

  • Image tags
  • Iframes
  • Cross-site scripting
  • Other techniques

Attack impact: Trick the user into making state changes, such as:

  • Updating account
  • Making purchases
  • Modifying data
9. Using Components with Known Vulnerabilities

Attacker will:

  • Scan and probe for weak components
  • Exploit discovered weaknesses

Attack impact:

  • Injection
  • Broken access control
  • Cross-site scripting
  • Sensitive data exposure
10. Underprotected APIs

Attacker will: Reverse engineer APIs by:

  • Examining client code
  • Monitoring communications

Attack impact:

  • Data compromise, theft, or destruction
  • Unauthorized access
  • Host takeover
Further Reading

What's new in the latest update to OWASP?

Every few years, OWASP updates the Top 10 list so that it stays relevant and remains the most common starting place for organizations beginning to secure their web applications. Read on to learn what has been updated in the latest version (2017).