The Open Web Application Security Project (OWASP) is an international nonprofit dedicated to providing free documentation, tools, videos, and forums for anyone interested in improving the security of their web applications.
Originally formed as the Open Web Application Security Project and incorporated as a nonprofit charity in 2004, OWASP provides impartial advice on best practices and promotes the creation of open standards.
Today, OWASP aims to help developers write better software and enable security professionals to make software more secure, recognizing that enterprise applications form the critical infrastructure of a business’s digital operations. From customer-facing e-commerce platforms to internal tools that manage finances and customer relationships, these applications hold the key to operational efficiency and success.
An increased reliance on applications means that the speed at which companies can bring applications to market is critical. Rapid deployment lets businesses respond quickly to market demands, capitalize on emerging trends, and meet customer expectations ahead of their competitors.
However, rushing to get applications out the door can introduce a multitude of security vulnerabilities. Developers might sacrifice secure coding practices to meet deadlines, leaving sensitive user data, such as passwords, exposed and vulnerable to hacking.
To make matters worse, shortened development cycles often mean less time for thorough security testing. That means that critical flaws might remain hidden until after an app is released, putting users at risk as soon as they download it.
That’s where OWASP comes in.
Top data breaches are related to a lack of app security
Eight out of the top 10 data breaches in 2023 were related to application attack surfaces, according to CrowdStrike’s “2024 State of Application Security Report.”
“These eight breaches alone are estimated to have exposed around 1.7 billion records,” the report noted. “The staggering number of records exposed proves that the status quo in application security isn’t enough.”
The problem is that it can be challenging to find impartial advice and practical information to help companies develop their application security (AppSec) programs, especially with the growing challenges and risks posed by open-source software repositories. That’s because the competitive technology and services market often promotes specific tools or vendors.
To deal with this issue, the OWASP Foundation was launched in 2001. “The initial goal of OWASP was to create a platform where security experts could share knowledge, tools, and best practices to improve web application security,” says Jim Mercer, program vice president, software development, DevOps, and DevSecOps at IDC.
And as cyber practitioners scramble to upskill themselves on the topic of artificial intelligence (AI) security and their organizations quickly adopt AI tools, platforms, applications, and services, various resources are emerging in the industry to help practitioners process the ever-changing landscape.
One of the most useful of those is the OWASP AI Exchange. OWASP has increasingly positioned itself as a go-to resource for AI security knowledge, including publishing the OWASP LLM top 10 list in 2023, which documents the top 10 risks for LLM systems and recommendations on how to mitigate those risks.
The OWASP AI Exchange serves as an open-source collaborative effort to progress the development and sharing of global AI security standards, regulations, and knowledge. It covers AI threats, vulnerabilities, and controls.
The main AppSec challenges
According to the CrowdStrike report, respondents listed the following as their top application security challenges:
- “More frequent deployments mean more languages to manage.” Companies that deploy applications at least once per day use more than five programming languages.
- “Teams use manual processes to inventory and catalog apps and APIs.” Seventy-four percent of teams depend on documentation and 68% rely on spreadsheets.
- “Only 54% of major code changes go through full security reviews.” Twenty-two percent of respondents say they review only 24% or less of code changes.
- “Traditional security reviews are time-consuming and expensive.” Eighty-one percent of the 400 security professionals surveyed said that security reviews take longer than one business day, and 35% report that security reviews take longer than three business days. CrowdStrike estimates that the annual cost of security reviews is slightly more than $1,167,000.
- “Security teams are using multiple tools.” Ninety percent of teams use more than three tools to detect and prioritize application vulnerabilities and threats.
- “Prioritizing what to fix first is a top challenge.” Sixty-one percent of AppSec professionals say this is their top challenge working with developers.
- “Remediation is slow.” Respondents say that 70% of critical issues take at least 12 hours to resolve.
OWASP Top 10 sets security standards for developers
OWASP is well known for its top 10, a standard awareness document for developers and web application security about the most critical security risks to web applications. The top 10 can help deal with AppSec challenges.
The list was last updated in 2021, and the next list is set to be published in 2025, says Andrew van der Stock, OWASP’s executive director.
“The top 10 is widely used as an informal standard,” van der Stock says. “If you’re just starting out challenging the very basics of application security, it’s a great place to start. But my concern with using it as a standard is that it tells you what not to do, rather than what to do. So, we do spend a bit of time talking about other alternatives that you should be adopting instead, but people love it because it is 10 things.”
Mercer agrees.
“Although I think the top 10 list was intended to identify the bare bones for application security, too many organizations feel like they have achieved success once they have addressed these security problems and do not mature from there,” he says.
The 2021 OWASP Top 10 are:
- Broken Access Control: This means that an app doesn’t appropriately restrict access to sensitive information or functionality. Bad actors can take advantage of these flaws to access unauthorized data and functionality or perform actions they shouldn’t be able to perform. Common causes include insecure direct object references, privilege escalation vulnerabilities, and improper access control lists.
- Cryptographic Failures: This refers to weaknesses in how data is encrypted or decrypted. Weak encryption algorithms, using the same key for multiple purposes, or not storing keys securely can all expose sensitive data. As such, attackers could steal usernames and passwords, financial information, or other sensitive data.
- Injection: This is when an attacker injects malicious code into user input that gets interpreted by the application. An example is a SQL injection where an attacker injects SQL code to manipulate a database.
- Insecure Design: This refers to applications built without security in mind from the beginning of the development process. Failing to implement proper authentication, authorization, input validation, and other security measures from the start makes applications vulnerable. This category emphasizes the importance of building security into applications throughout their lifecycles.
- Security Misconfiguration: Sometimes even secure applications can be vulnerable because of improper configuration. Not changing default passwords, keeping unnecessary services running, or using insecure settings on servers or software components creates security gaps that attackers can easily exploit.
- Vulnerable and Outdated Components: Using libraries, frameworks, or other components with known security vulnerabilities creates a risk as attackers can exploit these known issues to gain access to applications. That’s why it’s critical to update components with the latest security patches.
- Identification and Authentication Failures: Weak login systems, passwords that can be guessed easily, not using multi-factor authentication, and insecure session management all fall into this category. Attackers can exploit these weaknesses to impersonate legitimate users or gain unauthorized access.
- Software and Data Integrity Failures: This category focuses on protecting code and data from unauthorized modification. Malicious actors could exploit vulnerabilities to tamper with code execution or modify stored data, leading to security breaches.
- Security Logging and Monitoring Failures: Inadequate logging and security monitoring create blind spots, making it challenging to identify attempted intrusions or unusual system activity. This can enable attackers to go undetected for longer periods.
- Server-Side Request Forgery: Bad actors can use this vulnerability to manipulate the server. Instead of accessing intended resources, the server unknowingly makes unauthorized requests to external systems, potentially compromising sensitive data. Attackers could use this flaw to steal data, attack other systems, or perform unauthorized actions on the server itself.
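Two of the entries above name a concrete mechanism: insecure direct object references under Broken Access Control, and SQL injection under Injection. The following is an added example, not code from OWASP or from the CrowdStrike report, showing each defect beside its hardened form. It uses Python's standard sqlite3 module with constructed sample rows; the table names, users and documents are all invented for the demonstration.

```python
import sqlite3

# Constructed sample data: three users, two of whom own a document.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]
SAMPLE_DOCS = [
    (1, "alice", "alice's salary review"),
    (2, "bob", "bob's medical form"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCS)
    conn.commit()
    return conn


# --- Injection: string-built query vs. bound parameter ----------------------

def lookup_user_vulnerable(conn, username):
    """Splices the caller's input into the SQL text, so the input can change
    the query's meaning rather than just its comparison value."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Binds the input as a parameter; the database only ever treats it as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# --- Broken Access Control: insecure direct object reference ----------------

def get_document_vulnerable(conn, requester, doc_id):
    """Fetches by id alone. The requester's identity is known but never checked,
    so any authenticated user can read any document whose id they supply."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def get_document_safe(conn, requester, doc_id):
    """Enforces ownership in the same query, so an id that belongs to someone
    else resolves to nothing instead of to their data."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner = ?",
        (doc_id, requester),
    ).fetchone()
    return row[0] if row else None
```

The authorization check belongs in the data access path itself, as in `get_document_safe`, rather than in the UI that decides which links to show: the Broken Access Control entry is about what the server will do when asked, not what it offers.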
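The Server-Side Request Forgery entry describes the server being steered toward resources it was never meant to fetch. One defensive control is to validate a caller-supplied URL against an explicit allowlist before the server requests it. The function below is an added example, not code from OWASP or the report; the allowlisted hostnames are constructed for the demonstration and it uses only the Python standard library.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_safe_fetch_target(url: str) -> bool:
    """Return True only if url points at an allowlisted HTTPS host on port 443.

    Everything else is rejected: other schemes, embedded credentials, literal
    IP addresses (which bypass a name-based allowlist), non-standard ports,
    and hosts that are not on the list.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    if parts.scheme != "https":
        return False
    # A "user@host" form lets the visible prefix look allowlisted while the
    # real host follows the '@'; refuse credentials in fetch URLs entirely.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname
    if not host:
        return False
    # Literal IPv4/IPv6 addresses never match a hostname allowlist; reject them
    # rather than trying to enumerate private or link-local ranges.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass

    if port not in (None, 443):
        return False
    return host.lower() in ALLOWED_HOSTS
```

This check covers the URL as written. It does not cover what the allowlisted name resolves to at fetch time, so a deployment that cannot trust its DNS should resolve the name once, check the resulting address, and connect to that address, or route outbound requests through an egress proxy that enforces the same policy.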
The OWASP Top 10 is important because it provides a common language that a security person can quickly understand about what they should worry about, says Janet Worthington, senior security analyst at Forrester Research.
“And that’s something they can communicate to other people in their organizations, such as developers or cloud architects,” she says. “The OWASP Top 10 provides a background on why something is on the list, why it’s a problem, and what companies can potentially do to fix it.”