Does the OWASP Top 10 Still Matter?

What is the OWASP Top 10, and – just as important – what is
it not? In this review, we look at how you can make this critical
risk report work for you and your organisation.

What is OWASP?

OWASP^[1] is the Open Web
Application Security Project, an international non-profit
organization dedicated to improving web application security.

It operates on the core principle that all of its materials are
freely available and easily accessible online, so that anyone
anywhere can improve their own web app security. It offers a number
of tools, videos, and forums to help you do this – but their
best-known project is the OWASP Top 10.

The top 10 risks

The OWASP Top 10^[2]
outlines the most critical risks to web application security. Put
together by a team of security experts from all over the world, the
list is designed to raise awareness of the current security
landscape and offer developers and security professionals
invaluable insights into the latest and most widespread security
risks.

It also includes a checklist and remediation advice that experts
can fold into their own security practices and operations to
minimise and/or mitigate the risk to their apps.

Why you should use it

OWASP updates its Top 10 every two or three years as the web
application market evolves, and it’s the gold standard for some of
the world’s largest organizations.

As such, you could be seen as falling short of compliance and
security if you don’t address the vulnerabilities listed in the Top
10. Conversely, integrating the list into your operations and
software development shows a commitment to industry best
practice.

And why you shouldn’t

Some experts believe the OWASP Top 10 is flawed because the list
is too limited and lacks context. By focusing only on the top 10
risks, it neglects the long tail. What’s more, the OWASP community
often argues about the ranking, and whether the 11th or 12th belong
in the list instead of something higher up.

There is some merit to these arguments, but the OWASP Top 10 is
still the leading forum for addressing security-aware coding and
testing. It’s easy to understand, it helps users prioritise risk,
and its actionable. And for the most part, it focuses on the most
critical threats, rather than specific vulnerabilities.

So, what’s the answer?

Web application vulnerabilities are bad for businesses, and bad
for consumers. Big breaches can result in huge quantities of stolen
data. These breaches aren’t always caused by organizations failing
to address the OWASP Top 10, but they are some of the biggest
issues. And there’s no point worrying about obscure zero-day flaws
in your firewall if you’re not going to block injection, session
capture, or XSS.

So, what should you do? Firstly, train everyone in good security
hygiene. Do dynamic application security testing, including
penetration testing. Ensure admins adequately protect applications.
And use an online vulnerability scanner.

Beyond OWASP

Like most organizations, you may already be using a number of
different cyber security tools to protect your organization against
the threats listed by OWASP. While this is a good security stance,
vulnerability management can be complex and time-consuming.

But it doesn’t have to be. Intruder^[3]
makes it easy to secure your apps by integrating with your CI/CD
pipeline to automate the discovery of any cyber weaknesses.

You can perform security checks across your perimeter, including
application-layer vulnerability
checks^[4], including checks for
OWASP Top 10, XSS, SQL injection, CWE/SANS Top 25, remote code
execution, OS command injection, and more.

In addition to web app checks, Intruder performs reviews across
your publicly and privately accessible servers, cloud systems, and
endpoint devices to keep you fully protected.

Read the latest report^[5]
for a more in-depth look at the OWASP Top 10. Or if you’re ready to
discover how Intruder can find the cyber security weaknesses in
your business, sign up for a free trial^[6]
today.